Getting certificate error while using Curl for the satellites list

Could you please temporarily try to use mobile internet for this host instead of your regular ISP?

I have the same provider for both mobile and wired connection. Wouldn’t it show the same error?

This could be possible, however it’s better to use different providers to exclude ISP injections.

As of now I am unable to get another provider :frowning:

@Alexey Do these fields match in your case?

One more idea: could you try moving away c:\windows\system32\curl-ca-bundle.crt to somewhere else and try curl command again?

On my own Windows setup I downloaded curl from the official site, the binary came with curl-ca-bundle.crt in the same directory. When I removed it, I started to get the same unknown CA error as you’ve described. If you grab a new copy of curl from curl - Download and copy the curl-ca-bundle.crt from within to c:\windows\system32\curl-ca-bundle.crt does that work for you?

I am using the latest version of curl-ca-bundle.crt that came with 7.87. Below is the header of curl-ca-bundle.crt

##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Tue Jan 10 04:12:06 2023 GMT
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt).  This file can be found in the mozilla source tree:
## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
##
## It contains the certificates in PEM format and therefore
## can be directly used with curl / libcurl / php_curl, or with
## an Apache+mod_ssl webserver for SSL client authentication.
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.29.
## SHA256: 90c470e705b4b5f36f09684dc50e2b79c8b86989a848b62cd1a7bd6460ee65f6
##

After removing curl-ca-bundle.crt from system32 and C:\Windows folder.

curl -v "https://www.storj.io/dcs-satellites"
*   Trying 34.120.119.150:443...
* Connected to www.storj.io (34.120.119.150) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Unknown (21):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Edit: Redownloaded version 7.87.0.8 while I had 7.87.0.7

Result is the same.

 curl -v "https://www.storj.io/dcs-satellites"
*   Trying 34.120.119.150:443...
* Connected to www.storj.io (34.120.119.150) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: D:\CAupdate\bin7.87.0_8\curl-ca-bundle.crt
*  CApath: none
* [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Unknown (21):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Interesting. I would have expected the bundled CA certs in a fresh copy of curl would’ve worked.

If you load up https://www.storj.io/dcs-satellites in a browser on the same machine, does that work?

How about other CLI tools like openssl e.g. openssl s_client -connect storj.io:443?

Yes. The page loads with no issues.

The command never finishes as the command prompt is never shown
Edit: The command spent some quality time thinking about today and gave the following result.

openssl s_client -connect storj.io:443
CONNECTED(000001C8)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
verify return:1
depth=0 CN = storj.io
verify return:1
---
Certificate chain
 0 s:CN = storj.io
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 19 05:10:03 2023 GMT; NotAfter: Apr 19 06:03:56 2023 GMT
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
subject=CN = storj.io
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4676 bytes and written 394 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
--- (HUGE DELAY WENT HERE)
982D0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl\record\rec_layer_s3.c:322:

Yes

Edition	Windows 10 Pro
Version	22H2
Installed on	‎3/‎20/‎2021
OS build	19045.2486
Experience	Windows Feature Experience Pack 120.2212.4190.0

However, I have an older version of curl

But honestly I do not remember with what package I got it, I did not install it directly.

How about if you point openssl to the CA bundle? e.g. openssl s_client -connect storj.io:443 -CAfile D:\CAupdate\bin7.87.0_8\curl-ca-bundle.crt

If you have version 1803 or later of Windows 10, curl is installed by default. - From Google. I thought a Windows update might have messed things up, but our Experience pack matches too.

Result:

 openssl s_client -connect storj.io:443 -CAfile D:\CAupdate\bin7.87.0_8\curl-ca-bundle.crt
CONNECTED(000001C4)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
verify return:1
depth=0 CN = storj.io
verify return:1
---
Certificate chain
 0 s:CN = storj.io
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 19 05:10:03 2023 GMT; NotAfter: Apr 19 06:03:56 2023 GMT
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
subject=CN = storj.io
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4676 bytes and written 394 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
68610000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl\record\rec_layer_s3.c:322:

That looks like it worked, the certificate was verified. I have to wonder then, if openssl command is able to verify using that CA bundle, then something must be wrong with curl if both are pointed at the same file.

1 Like

I tried with version 7.83.1 with no success.

.\curl.exe  -v "https://www.storj.io/dcs-satellites"
*   Trying 34.120.119.150:443...
* Connected to www.storj.io (34.120.119.150) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: D:\CAupdate\curl-7.83.1-win32-mingw\bin\curl-ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

It wasn’t curl but Avast that was intercepting the connection and providing its own cert.

curl   "https://www.storj.io/dcs-satellites" -v -k
*   Trying 34.120.119.150:443...
* Connected to www.storj.io (34.120.119.150) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, CERT verify (15):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=www.storj.io
*  start date: Jan 18 06:54:57 2023 GMT
*  expire date: Apr 18 07:49:01 2023 GMT
*  issuer: OU=generated by Avast Antivirus for SSL/TLS scanning; O=Avast Web/Mail Shield; CN=Avast Web/Mail Shield Root
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* h2h3 [:method: GET]
* h2h3 [:path: /dcs-satellites]
* h2h3 [:scheme: https]
* h2h3 [:authority: www.storj.io]
* h2h3 [user-agent: curl/7.87.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x28b2ca9ad00)
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /dcs-satellites HTTP/2
> Host: www.storj.io
> user-agent: curl/7.87.0
> accept: */*
>
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
< HTTP/2 200
< content-length: 444
< content-type: text/plain; charset=utf-8
< date: Fri, 17 Feb 2023 15:44:40 GMT
< via: 1.1 google
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
12EayRS2V1kEsWESU9QMRseFhdxYxKicsiFmxrsLZHeLUtdps3S@us1.storj.io:7777
12L9ZFwhzVpuEKMUNUqkaTLGzwY9G24tbiigLiXpmZWKwmcNDDs@eu1.storj.io:7777
121RTSDpyNZVcEU84Ticf2L1ntiuUimbWgfATz21tuvgk3vzoA6@ap1.storj.io:7777
1wFTAgs9DP5RSnCqKV1eLf6N9wtk4EAtmN5DpSxcs8EjT69tGE@saltlake.tardigrade.io:7777
12rfG3sh9NCWiX3ivPjq2HtdLmbqCrvHVEzJubnzFzosMuawymB@europe-north-1.tardigrade.io:7777
12tRQrMTWUWwzwGh18i7Fqs67kmdhH9t6aToeiwbo5mfS2rUmo@us2.storj.io:7777
* Connection #0 to host www.storj.io left intact

As you can see in the above log

issuer: OU=generated by Avast Antivirus for SSL/TLS scanning; O=Avast Web/Mail Shield; CN=Avast Web/Mail Shield Root

I needed to turn off a setting labeled “Enable HTTPS scanning” :point_down:

After turning it off the result is :confetti_ball:

 curl   "https://www.storj.io/dcs-satellites" -v
*   Trying 34.120.119.150:443...
* Connected to www.storj.io (34.120.119.150) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: C:\WINDOWS\curl-ca-bundle.crt
*  CApath: none
* [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, CERT verify (15):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=www.storj.io
*  start date: Jan 18 06:54:57 2023 GMT
*  expire date: Apr 18 07:49:01 2023 GMT
*  subjectAltName: host "www.storj.io" matched cert's "www.storj.io"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1D4
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* h2h3 [:method: GET]
* h2h3 [:path: /dcs-satellites]
* h2h3 [:scheme: https]
* h2h3 [:authority: www.storj.io]
* h2h3 [user-agent: curl/7.87.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x2268d01ab40)
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /dcs-satellites HTTP/2
> Host: www.storj.io
> user-agent: curl/7.87.0
> accept: */*
>
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
< content-length: 444
< content-type: text/plain; charset=utf-8
< date: Fri, 17 Feb 2023 15:48:51 GMT
< via: 1.1 google
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
12EayRS2V1kEsWESU9QMRseFhdxYxKicsiFmxrsLZHeLUtdps3S@us1.storj.io:7777
12L9ZFwhzVpuEKMUNUqkaTLGzwY9G24tbiigLiXpmZWKwmcNDDs@eu1.storj.io:7777
121RTSDpyNZVcEU84Ticf2L1ntiuUimbWgfATz21tuvgk3vzoA6@ap1.storj.io:7777
1wFTAgs9DP5RSnCqKV1eLf6N9wtk4EAtmN5DpSxcs8EjT69tGE@saltlake.tardigrade.io:7777
12rfG3sh9NCWiX3ivPjq2HtdLmbqCrvHVEzJubnzFzosMuawymB@europe-north-1.tardigrade.io:7777
12tRQrMTWUWwzwGh18i7Fqs67kmdhH9t6aToeiwbo5mfS2rUmo@us2.storj.io:7777
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection #0 to host www.storj.io left intact

PSA: Anyone that uses Avast should turn off the HTTPS scanning “feature”.

My sincere thanks to Awesome @Alexey and @sean for helping me with this issue. I have learned a lot about curl during this. I also read the whole curl manual that comes with curl --manual :slight_smile:

4 Likes
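
The check that settled this thread, as an added example that is not part of the original posts: parse `curl -v` output, pull out the issuer of the certificate curl was actually served, and compare its CN with the expected one. The function names are hypothetical; the sample logs are trimmed excerpts of the output posted above, and the expected CN `GTS CA 1D4` is taken from the thread's successful run.

```python
import re

# Trimmed excerpts of the curl -v logs posted in this thread.
INTERCEPTED = """\
* Server certificate:
*  subject: CN=www.storj.io
*  issuer: OU=generated by Avast Antivirus for SSL/TLS scanning; O=Avast Web/Mail Shield; CN=Avast Web/Mail Shield Root
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
"""
CLEAN = """\
*  CAfile: C:\\WINDOWS\\curl-ca-bundle.crt
* Server certificate:
*  subject: CN=www.storj.io
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1D4
*  SSL certificate verify ok.
"""
ABORTED = """\
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
"""

# "subject:" must be followed by a colon, so "subjectAltName:" is not matched.
FIELD = re.compile(r"^\*\s+(subject|issuer|CAfile):[ \t]*(.+?)[ \t\r]*$", re.M)


def parse_dn(dn):
    """Split curl's 'K=V; K=V' distinguished name into a dict."""
    parts = (p.split("=", 1) for p in dn.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in parts}


def parse_curl_verbose(log):
    """Extract subject, issuer, CAfile and the verification outcome."""
    info = {m.group(1): m.group(2) for m in FIELD.finditer(log)}
    if "SSL certificate verify ok" in log:
        info["verify"] = "ok"
    elif re.search(r"verify result: .*\(\d+\)|SSL certificate problem", log):
        info["verify"] = "failed"
    else:
        info["verify"] = "unknown"
    return info


def diagnose(log, expected_issuer_cn):
    """Classify a curl -v log against the issuer CN we expect to see."""
    info = parse_curl_verbose(log)
    if "issuer" not in info:
        # Without -k curl aborts the handshake before printing the
        # certificate details, so the log cannot name the issuer.
        return "no-issuer-in-log"
    cn = parse_dn(info["issuer"]).get("CN", "")
    if cn != expected_issuer_cn:
        return "unexpected-issuer: " + cn
    return "ok" if info["verify"] == "ok" else "verify-failed"


if __name__ == "__main__":
    for name, log in (("intercepted", INTERCEPTED), ("clean", CLEAN), ("aborted", ABORTED)):
        print(name, "->", diagnose(log, "GTS CA 1D4"))
```

The `no-issuer-in-log` case is why the earlier runs in the thread were inconclusive: the issuer only became visible once the handshake was allowed to complete with `-k`, which should be used for diagnosis only.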