Command "curl -v -I -k -H Host:..." returns "error:14094410"

I want to check, with the curl command line utility from Linux and Windows, what exactly CloudFlare is reporting on my domain, and I can't do it. Over a year ago, and always before that, this utility worked.

example.com - my domain, my server (nginx 1.14, all ciphers)
my_ip - real IP of my server
104.18.53.125 - IP from CloudFlare for my domain (taken from "dig example.com")


curl -v -I -k -H "Host: example.com" https://my_ip:443

This command runs successfully on Windows and Ubuntu.


curl -v -I -k -H "Host: example.com" https://104.18.53.125:443
(from Win 10)

*   Trying 104.18.53.125:443...
* Connected to 104.18.53.125 (104.18.53.125) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

curl -v -I -k -H "Host: example.com" https://104.18.53.125:443
(from Ubuntu)

* Rebuilt URL to: https://104.18.53.125:443/
*   Trying 104.18.53.125...
* TCP_NODELAY set
* Connected to 104.18.53.125 (104.18.53.125) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, Server hello (2):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

No entries appear in my nginx logs from these commands. While searching for the phrase "error:14094410" I saw advice to enable all ciphers, but it doesn't help in any way. My current config is like this:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 SSLv2 SSLv3;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256-SHA:AES128-SHA:AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AEAD-AES128-GCM-SHA256:AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE:!COMPLEMENTOFDEFAULT;

The -k option allows ignoring domain mismatches on the client side (this is curl), when I connect with the IP written in the URL while the domain being requested is a completely different one.

Tried using --tlsv1.3 / --tlsv1.2 / --tlsv1.1; didn't help.

Tried setting ssl_prefer_server_ciphers off; didn't help either. Tried removing ssl_ciphers entirely; no result.

It looks like the CloudFlare server doesn’t even try to connect to my server but immediately returns an error in curl.

I think it doesn’t work because of Server Name Indication.

You need to use curl's --resolve like this: curl --resolve $DOMAIN:443:$ANY_CLOUDFLARE_IP https://$DOMAIN/
Example: curl -v --resolve maple3142.net:443:1.1.1.1 https://maple3142.net/
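The reason the -H "Host:" form fails while --resolve works is that SNI lives in the TLS ClientHello, not in the HTTP Host header: a client given a bare IP literal sends no server_name extension, so the edge has nothing to route on and replies with a handshake_failure alert. The script below is an added example (not code from the thread) that uses Python's ssl module with in-memory BIOs to capture the ClientHello a client would send, then parses the server_name extension (RFC 6066) out of it; the function names are mine.

```python
import ssl


def client_hello_bytes(server_hostname):
    """Return the raw TLS ClientHello the ssl module would send for this hostname.
    In-memory BIOs are used, so nothing is sent over the network."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        ctx.check_hostname = False  # wrap_bio refuses a missing hostname otherwise
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; the client now waits for ServerHello
    return outgoing.read()


def extract_sni(hello):
    """Parse the server_name extension out of a TLS record carrying a ClientHello.
    Returns the host name, or None when the extension is absent."""
    assert hello[0] == 0x16 and hello[5] == 0x01, "not a ClientHello record"
    p = 5 + 4 + 2 + 32                               # record hdr, handshake hdr, version, random
    p += 1 + hello[p]                                # session_id
    p += 2 + int.from_bytes(hello[p:p + 2], "big")   # cipher_suites
    p += 1 + hello[p]                                # compression_methods
    ext_end = p + 2 + int.from_bytes(hello[p:p + 2], "big")
    p += 2
    while p < ext_end:
        ext_type = int.from_bytes(hello[p:p + 2], "big")
        ext_len = int.from_bytes(hello[p + 2:p + 4], "big")
        body = hello[p + 4:p + 4 + ext_len]
        if ext_type == 0:                            # server_name (RFC 6066)
            # body: list length (2) | name_type (1) | name length (2) | host name
            name_len = int.from_bytes(body[3:5], "big")
            return body[5:5 + name_len].decode("ascii")
        p += 4 + ext_len
    return None


if __name__ == "__main__":
    for target in ("example.com", "104.18.53.125", None):
        print(f"server_hostname={target!r:<18} SNI sent: {extract_sni(client_hello_bytes(target))!r}")
```

Like curl, the ssl module skips SNI for an IP literal, which is exactly what the failing commands above did; --resolve keeps the host name in the URL (and therefore in SNI) while still steering the TCP connection to the chosen edge IP.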

Thank you! :wink:
