Ambiguous diagnostics: "ALPN, server did not agree to a protocol" #2749

@craigphicks

I did this

curl -v --user "api:key-xxxxxxxxxxxxxxxxxxxxxxxxxx" \
    "https://api.mailgun.net/v3/xxxxxxxxxxxxxx/messages" \
    -F to="[email protected]" \
    -F from="[email protected]" \
    -F subject="test" \
    -F text="hello"

I expected the following

Diagnostic output unambiguously indicating successful transmission over a secure connection.

Instead I got this ambiguous output:

...
* ALPN, server did not agree to a protocol
...

Full diagnostic output included below.

curl/libcurl version

[curl -V output]

curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

operating system

Linux 4.13.0-45-generic #50~16.04.1-Ubuntu SMP Wed May 30 11:18:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

suggest fix

Output the protocol to which the server did not agree, and indicate that an alternative succeeded. In particular, it should be unambiguously clear that (1) TLS is not being downgraded, and (2) it is not the reason for some other failure the client may be experiencing.

E.g.

* ALPN, server did not agree to http2 protocol, continuing with http1.1

if that is indeed the true case.

background

Google "ALPN, server did not agree to a protocol" and you will find thousands of results, representing a lot of wasted time.

full diagnostic output

* Connected to api.mailgun.net (34.215.83.50) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 1060 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: *.mailgun.net (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=US,ST=California,L=San Francisco,O=MAILGUN TECHNOLOGIES\, INC,OU=MAILGUN TECHNOLOGIES\, INC,CN=*.mailgun.net
* 	 start date: Thu, 18 Jan 2018 00:00:00 GMT
* 	 expire date: Wed, 18 Mar 2020 12:00:00 GMT
* 	 issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=Thawte TLS RSA CA G1
* 	 compression: NULL
* ALPN, server did not agree to a protocol
* Server auth using Basic with user 'api'
> POST /v3/pindertek.com/messages HTTP/1.1
> Host: api.mailgun.net
> Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 464
> Expect: 100-continue
> Content-Type: multipart/form-data; boundary=------------------------df265bf86c971664
> 
< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
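
A triage sketch for the trace above, added here as an example and not part of the original issue or of curl: it parses `curl -v` output and reports the ALPN outcome next to the TLS version, cipher and certificate check, none of which ALPN changes, since ALPN only selects the application protocol. The sample is constructed from lines quoted in the issue (with a placeholder request path); the `server accepted to use` line format is an assumption about curl's verbose output that does not appear on this page.

```python
import re

# Constructed sample, abridged from the verbose output quoted in the issue.
SAMPLE = """\
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* \t server certificate verification OK
* ALPN, server did not agree to a protocol
> POST /v3/example.invalid/messages HTTP/1.1
> Host: api.mailgun.net
< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
"""

def summarize(verbose: str) -> dict:
    """Collect the TLS, ALPN and HTTP facts from a curl -v trace."""
    s = {"offered": [], "alpn": None, "tls": None, "cipher": None,
         "cert_ok": False, "request_http": None, "status": None}
    for raw in verbose.splitlines():
        line = raw.strip()
        if m := re.match(r"\* ALPN, offering (\S+)", line):
            s["offered"].append(m.group(1))
        elif re.match(r"\* ALPN, server did not agree to a protocol", line):
            s["alpn"] = "not-negotiated"
        elif m := re.match(r"\* ALPN, server accepted to use (\S+)", line):
            s["alpn"] = m.group(1)  # assumed message format, not on the page
        elif m := re.match(r"\* SSL connection using (\S+) / (\S+)", line):
            s["tls"], s["cipher"] = m.group(1), m.group(2)
        elif re.match(r"\*\s+server certificate verification OK", line):
            s["cert_ok"] = True
        elif m := re.match(r"> [A-Z]+ \S+ (HTTP/[\d.]+)", line):
            s["request_http"] = m.group(1)
        elif m := re.match(r"< HTTP/[\d.]+ (\d{3})", line):
            s["status"] = int(m.group(1))  # last response wins (after 100 Continue)
    return s

def verdict(s: dict) -> str:
    """Turn the summary into the one-line statement the issue asks for."""
    if s["tls"] is None or not s["cert_ok"]:
        return "investigate: no verified TLS session in this trace"
    if s["alpn"] == "not-negotiated":
        return (f"ALPN not negotiated; {s['request_http']} sent over {s['tls']} "
                f"({s['cipher']}), final status {s['status']}")
    return f"ALPN selected {s['alpn']} over {s['tls']}, final status {s['status']}"

if __name__ == "__main__":
    print(verdict(summarize(SAMPLE)))
```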
