Problems with SSL

#1

Hello,

When I use the API, I sometimes get this error:

Request error for API call: Unknown SSL protocol error in connection to api.twitter.com:443

What must I do to fix it?

My domain has SSL from Comodo.


#2

OK, I fixed it.

The problem was that the CURLOPT_CAINFO option on the curl call didn’t work… I fixed it by setting this option in my php.ini.


#3

The problem is back… Can someone help me?


#4

Can you please describe exactly how you are using the API? Ideally with some sample code that demonstrates this problem. What endpoint are you calling, and what client or tool are you using? How often does this problem occur?


#5

Thanks in advance for caring about my case.

I’m using the API to schedule tweets and get data to generate stats.
I make calls every minute for different tokens, but I always check whether the rate limit is close to being reached so as not to exceed it.

For example, I use the “Codebird-php” library with the statuses/show/ endpoint. As I said, I make calls every two minutes, and around 7 of 10 calls always fail with this error: Unknown SSL protocol error in connection to api.twitter.com:443, and sometimes with this one: Operation timed out after 300000 milliseconds with 0 out of 0 bytes received

I have the cacert.pem from http://curl.haxx.se/ca/cacert.pem configured in my curl. My server is managed with Plesk and I have SSL from Comodo.


#6

Also, when I try to execute this command, curl -3 -capath --ssl https://api.twitter.com (example from https://dev.twitter.com/overview/api/tls), I get this error:

curl: (3) malformed
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure


#7

Twitter supports TLS 1.2 - SSLv3 was withdrawn some time ago. I doubt this is the specific reason for the error you are seeing - that’s more likely to be possibly related to routing between datacenters, I imagine. Hard to say what the specific issue here is. 7 out of 10 failing calls does sound unusually high, but then the timeouts are a bit surprising too.


#8

Maybe my IP is blocked for some reason? Sometimes the application runs for 4-6 hours without a problem, but suddenly I get around 7 out of 10 calls.


#9

If you were blocked, you’d be unable to make any calls. It sounds more likely to be rate-related, or a temporary issue due to a datacenter routing change.


#10

Well, I think that I solved this problem by running this command:

http2_pref enable

Thank you again,


#11

The problem is back. Seriously, I don’t know why I have this problem… The library doesn’t give me more information about it, just the SSL problem message: Unknown SSL protocol error in connection to api.twitter.com:443

Can’t Twitter help me if I give my APP KEY ID or something, to find out what’s wrong with my platform?


#12

I disabled curl on calls and enabled allow_url_fopen.

I didn’t catch any errors in 25 hours.

Let’s pray he he he


#13

We seem to be having the same problem: most api calls work without problems, 1 in 20 fails.

Here are some examples:

CURL call failed: SSL read: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac, errno 0
* About to connect() to api.twitter.com port 443 (#396)
*   Trying 199.16.156.231...
* Adding handle: conn: 0x3c69510
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 396 (0x3c69510) send_pipe: 1, recv_pipe: 0
* Connected to api.twitter.com (199.16.156.231) port 443 (#396)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES128-SHA256
* Server certificate:
*      subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; OU=Twitter Security; CN=api.twitter.com
*      start date: 2016-06-29 00:00:00 GMT
*      expire date: 2019-09-19 12:00:00 GMT
*      subjectAltName: api.twitter.com matched
*      issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*      SSL certificate verify ok.
> GET /1.1/search/tweets.json?count=100&q=fees%20fgb&result_type=recent&since_id=785918597679820800&tweet_mode=extended HTTP/1.1
User-Agent: themattharris' HTTP Client
Host: api.twitter.com
Accept: */*
Accept-Encoding: deflate, gzip
Authorization: OAuth oauth_consumer_key="xxx", oauth_nonce="xxx", oauth_signature="xxx", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1477295348", oauth_token="xxx", oauth_version="1.0"

* SSL read: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac, errno 0
* Closing connection 396

As you can see, we get the “alert bad record mac”. We’re not setting protocol or cipher explicitly, we’re letting OpenSSL handle that.

CURL call failed: Operation timed out after 30001 milliseconds with 0 out of 0 bytes received
* About to connect() to api.twitter.com port 443 (#918)
*   Trying 199.16.156.199...
* Adding handle: conn: 0x402c4c0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 918 (0x402c4c0) send_pipe: 1, recv_pipe: 0
* Connected to api.twitter.com (199.16.156.199) port 443 (#918)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* Operation timed out after 30001 milliseconds with 0 out of 0 bytes received
* Closing connection 918

In the example above, we’re getting a timeout from OpenSSL.

CURL call failed: Unknown SSL protocol error in connection to api.twitter.com:443 
* About to connect() to api.twitter.com port 443 (#317)
*   Trying 199.16.156.199...
* Adding handle: conn: 0x3c31d00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 317 (0x3c31d00) send_pipe: 1, recv_pipe: 0
* Connected to api.twitter.com (199.16.156.199) port 443 (#317)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* Unknown SSL protocol error in connection to api.twitter.com:443 
* Closing connection 317

In the example above, we get an “unknown SSL protocol” …

All of these errors happen seemingly at random, at multiple API endpoints (e.g. the media upload endpoint, but also the search tweets endpoint), and we always use the same code for it. If we do tests by always uploading the same image to the media upload endpoint in a simple for loop, we’ll trigger a Curl/OpenSSL error ± 1 time in 20 tries. The other 19 times it just works… Do you guys have any idea?
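
One way to triage traces like the three quoted in the post above, as an added example that is not part of the original thread: it records how far each connection got (TCP connect, TLS handshake, request sent) before it failed, and counts failures per peer IP. The phase and error labels are names chosen for this example, and the sample is abridged from the quoted traces.

```python
import re
from collections import Counter

# Constructed sample: abridged from the three verbose curl traces quoted above.
SAMPLE = """\
* Connected to api.twitter.com (199.16.156.231) port 443 (#396)
* SSL connection using ECDHE-RSA-AES128-SHA256
> GET /1.1/search/tweets.json?count=100 HTTP/1.1
* SSL read: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac, errno 0
* Closing connection 396
* Connected to api.twitter.com (199.16.156.199) port 443 (#918)
* Operation timed out after 30001 milliseconds with 0 out of 0 bytes received
* Closing connection 918
* Connected to api.twitter.com (199.16.156.199) port 443 (#317)
* Unknown SSL protocol error in connection to api.twitter.com:443
* Closing connection 317
"""
CONNECTED = re.compile(r"^\* Connected to \S+ \(([\d.]+)\) port \d+ \(#(\d+)\)")
ERRORS = [  # (pattern, label); the labels are names chosen for this example
    (re.compile(r"^\* SSL read: error:[0-9A-Fa-f]+:.*alert ([a-z ]+?), errno"), "tls-alert"),
    (re.compile(r"^\* Operation timed out after (\d+) milliseconds"), "timeout"),
    (re.compile(r"^\* Unknown SSL protocol error"), "handshake-aborted"),
]

def classify(trace):
    """Return one record per closed connection: peer IP, last phase reached, error."""
    records, cur = [], None
    for line in trace.splitlines():
        m = CONNECTED.match(line)
        if m:
            cur = {"conn": int(m[2]), "ip": m[1], "phase": "tcp-connected", "error": None, "detail": None}
        elif cur is None:
            continue  # text outside any connection block
        elif line.startswith("* SSL connection using "):
            cur["phase"] = "handshake-done"  # a cipher suite was negotiated
        elif line.startswith("> "):
            cur["phase"] = "request-sent"  # HTTP request written over TLS
        elif line.startswith("* Closing connection"):
            records.append(cur)
            cur = None
        else:
            for rx, kind in ERRORS:
                m = rx.match(line)
                if m:
                    cur["error"], cur["detail"] = kind, (m[1] if m.groups() else None)
    return records

def summarize(records):  # failures per (peer IP, last phase reached)
    return Counter((r["ip"], r["phase"]) for r in records if r["error"])
```

Calling `summarize(classify(SAMPLE))` separates the failure that arrived after a completed handshake (the bad record mac alert) from the two that never got past the TCP connect, and shows which peer IP each one hit.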


#14

Any updates on this? We’re seeing 30k failed API calls from our application to Twitter every day.
This is a huge problem for us.


#15

Have you tried disabling curl on calls and enabling allow_url_fopen?

That was the solution for me.


#16

@Kendesi it’s mandatory for us to use a CURL library from within our software


#17

I’m also seeing the ‘alert bad record mac’ error, also occasionally, also using CURL. This has been happening for the last ten days or so. An update would be nice…


#18

If 1 out of 20 errors for you then something is wrong. That said, I have seen the issue. I email myself every time I get it. My platform sends thousands of requests every day and there’s never more than like 3 of these emails in a day.


#19

Just chiming in. Having the same issues. See my stackoverflow post:


#20

Everyone with this issue, just curious, on what OS are you running into these curl issues? We are on Debian 8, PHP 7.