
Posted: 13 Jul 2013, 11:14
by cevi

I have trouble adding the feed to my tt-rss instance. Every other RSS feed of mine works perfectly; I wanted to ask if someone else can confirm the error when subscribing to this feed.
Both Atom and RSS 2.0 don't work.


The error message from tt-rss is
Couldn't download the specified URL: 35 error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)

It's the only rss feed from an encrypted website, which would also explain the error message.
My webserver is Apache 2.2.16 and the PHP server is 5.3.3 from Debian Squeeze; php5-curl is also installed.

Best regards,


Posted: 13 Jul 2013, 19:57
by LifeWOutMilk


Posted: 14 Jul 2013, 15:08
by davidm
I can confirm. I don't get new items from planet Gnome feed since June 24. Same error. And it also affects other feeds from that server, as the feed in Probably their problem.


Posted: 16 Jul 2013, 07:17
by cevi
LifeWOutMilk: thanks for the link. That's exactly the reason for this error. I added the line suggested in the Stack Overflow thread

curl_setopt($ch, CURLOPT_SSLVERSION,3);

to the function geturl in include/functions.php and now it's working. This is of course not a general fix for the problem, but just fixes a bug in the version of OpenSSL distributed by Debian Squeeze (old stable) (0.9.8o). This bug should not occur for OpenSSL > 1.0.


Posted: 16 Jul 2013, 07:39
by fox
can this be wrapped in a version check of some kind?


Posted: 16 Jul 2013, 14:10
by craywolf
fox wrote: can this be wrapped in a version check of some kind?

Based on that curl bug report, the bug was introduced in 0.9.8h. Assuming this list of OpenSSL version numbers is accurate, and that the bug is fixed in 1.0.0...

Code: Select all

// Pin SSLv3 only for OpenSSL 0.9.8h up to, but not including, 1.0.0
if((OPENSSL_VERSION_NUMBER >= 0x0090808f) && (OPENSSL_VERSION_NUMBER < 0x10000000)) {
    curl_setopt($ch, CURLOPT_SSLVERSION,3);
}

That should do it. Untested, btw, and I make no promise it won't break fetching a feed on some screwed up server somewhere that's missing SSL3.0 support.

Note this does not apply fix to the 1.0.0-beta versions because it appears some non-beta releases (1.0.0-fips) report beta version numbers (0x10000003) so who knows. If someone is running under an actual beta release of OpenSSL then they need to stop that anyway.
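The version window from the post above, decoded field by field, as an added example that is not part of the original thread or of tt-rss. It assumes OpenSSL's MNNFFPPS version-number layout (major, minor, fix, patch, status nibble); the function names and sample values are constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not tt-rss code.

// Decode OpenSSL's MNNFFPPS version number (layout used by 0.9.x and 1.0.x).
function decode_openssl_version(int $v): array {
    $status = $v & 0xf;
    return [
        'major'  => ($v >> 28) & 0xf,
        'minor'  => ($v >> 20) & 0xff,
        'fix'    => ($v >> 12) & 0xff,
        'patch'  => ($v >> 4) & 0xff,   // 0 = none, 1 = 'a', 2 = 'b', ...
        'status' => $status === 0xf ? 'release'
                  : ($status === 0 ? 'dev' : "beta$status"),
    ];
}

// Render the decoded fields as a familiar version string.
function format_openssl_version(int $v): string {
    $d = decode_openssl_version($v);
    $s = "{$d['major']}.{$d['minor']}.{$d['fix']}";
    if ($d['patch'] > 0) {
        // Single patch letters only: 1..26 => a..z
        $s .= chr(ord('a') + $d['patch'] - 1);
    }
    return $d['status'] === 'release' ? $s : "$s-{$d['status']}";
}

// The range check from the post above, as a predicate.
function needs_sslv3_pin(int $v): bool {
    return $v >= 0x0090808f && $v < 0x10000000;
}

// Constructed sample values around both edges of the window.
$samples = [0x0090807f, 0x0090808f, 0x009080ff, 0x10000003, 0x1000000f];
foreach ($samples as $v) {
    printf("0x%08x  %-12s pin=%s\n", $v, format_openssl_version($v),
        needs_sslv3_pin($v) ? 'yes' : 'no');
}

// Report the value PHP's openssl extension exposes on this host, if loaded.
if (defined('OPENSSL_VERSION_NUMBER')) {
    printf("this host: 0x%08x  pin=%s\n", OPENSSL_VERSION_NUMBER,
        needs_sslv3_pin(OPENSSL_VERSION_NUMBER) ? 'yes' : 'no');
}
```

The 0x10000003 sample is the beta case the post mentions: its status nibble decodes as beta 3 of 1.0.0, and the upper bound excludes it from the workaround.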


Posted: 16 Jul 2013, 14:15
by fox
I'll add this and we'll see if anyone complains. :)


Posted: 03 Jan 2014, 20:24
by dimi
Did somebody complain? I have some more sites which do not support SSLv3 any more and my server is running SSL 9080ff (current Debian Wheezy OpenSSL).

I checked if there are any sites which I follow and do not support TLSv1, and did not find any... so I changed

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

and it worked perfectly.

Were there any complaints about this, or why did it not get updated?