
Re: [PATCH] nss: try to reconnect in case of TLS intolerant server

From: Kaspar Brand <curl-lib.2009_at_velox.ch>
Date: Mon, 19 Oct 2009 07:43:19 +0200

Guenter wrote:
> Kaspar Brand schrieb:
>> - libcurl versions compiled against OpenSSL or GnuTLS will most likely
>> suffer from the same problem, so maybe an implementation with fallback
>> to "extension-less" TLS (or even SSL 3.0) would better go into
>> lib/sslgen.c, not into lib/nss.c only?
> I tested a curl version built with OpenSSL, and there was no prob with
> the mentioned URLs; a curl version built with NSS failed, and -3
> 'solved' it ...
>
> see attached log.

> User-Agent: curl/7.19.6 (x86_64-unknown-linux-gnu) libcurl/7.19.6 OpenSSL/0.9.8i zlib/1.2.3 libidn/1.10 libssh2/0.19.0-20080814

Are you sure that your OpenSSL version (0.9.8i) has TLS extension support
turned on? ("nm libssl.so | grep ssl_add_clienthello_tlsext" should tell)

Below are the results for 7.19.7-CVS when compiled against recent versions
of OpenSSL/NSS/GnuTLS. All of them fail if libcurl isn't forced to
negotiate SSLv3 (with the "-3" switch).

Will reply to Kamil's message later (only tomorrow, possibly).

Kaspar

$ curl -V && curl -svI https://www.orange.sk
curl 7.19.7-CVS (i386--netbsdelf) libcurl/7.19.7-CVS OpenSSL/1.0.0 zlib/1.2.3 libidn/1.15
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: IDN Largefile NTLM SSL libz
* About to connect() to www.orange.sk port 443 (#0)
* Trying 213.151.200.57... connected
* Connected to www.orange.sk (213.151.200.57) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter
* Closing connection #0

$ curl -V && curl -svI https://www.orange.sk
curl 7.19.7-CVS (i386--netbsdelf) libcurl/7.19.7-CVS NSS/3.12.4.5 zlib/1.2.3
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: Largefile SSL libz
* About to connect() to www.orange.sk port 443 (#0)
* Trying 213.151.200.57... connected
* Connected to www.orange.sk (213.151.200.57) port 443 (#0)
* Initializing NSS with certpath: none
* CAfile: none
  CApath: none
* NSS error -12226
* Closing connection #0
* SSL connect error

$ curl -V && curl -svI https://www.orange.sk
curl 7.19.7-CVS (i386--netbsdelf) libcurl/7.19.7-CVS GnuTLS/2.8.3 zlib/1.2.3 libidn/1.15
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: IDN Largefile NTLM SSL libz
* About to connect() to www.orange.sk port 443 (#0)
* Trying 213.151.200.57... connected
* Connected to www.orange.sk (213.151.200.57) port 443 (#0)
* gnutls_handshake() failed: A TLS fatal alert has been received.
* Closing connection #0

Received on 2009-10-19
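The three logs above show the same failure mode from all three TLS backends: the server answers the ClientHello with a fatal alert (OpenSSL names it "illegal parameter", TLS alert description 47) and only an SSLv3 handshake forced with -3 gets through. The script below is an added example, not code from this thread or from libcurl, that makes the "TLS intolerant server" diagnosis and the fallback ladder Kaspar sketches (TLS with extensions, then extension-less TLS, then SSL 3.0) concrete. It builds minimal ClientHello records by hand, classifies the server's first reply, and walks the ladder until one hello is accepted. The cipher suite list is an arbitrary 2009-era choice, and `fake_server` is a constructed stand-in for the intolerant server so the whole thing runs offline; real intolerant servers differ in which alert (or plain TCP reset) they send.

```python
"""Probe for a TLS-intolerant server with a fallback ladder (added example, not libcurl code)."""
import os
import struct
from typing import Callable, List, Optional, Tuple

# TLS record content types and handshake message types (RFC 2246 / RFC 5246).
CT_HANDSHAKE, CT_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
SSLV3, TLS10 = (3, 0), (3, 1)
# Alert descriptions relevant here; the OpenSSL log above reports "illegal parameter" (47).
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}
# Assumed cipher list (AES256-SHA, AES128-SHA, DES-CBC3-SHA); any non-empty list works for a probe.
CIPHER_SUITES = [0x0035, 0x002F, 0x000A]


def sni_extension(host: str) -> bytes:
    """server_name extension (type 0) with a single host_name entry (RFC 3546 / 4366)."""
    name = host.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(server_name_list)) + server_name_list


def build_client_hello(version: Tuple[int, int], extensions: bytes = b"",
                       random_bytes: Optional[bytes] = None) -> bytes:
    """Minimal ClientHello record for (major, minor) `version`. An empty `extensions`
    produces an extension-less hello: the extensions length field is omitted entirely,
    exactly what a pre-extension (SSLv3 / early TLS 1.0) server expects to see."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = bytes(version) + rnd + b"\x00"             # client_version, random, empty session_id
    body += struct.pack("!H", len(suites)) + suites   # cipher_suites
    body += b"\x01\x00"                               # compression_methods: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CT_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Name the first record the server sent: 'server_hello', 'alert:<name>' or 'unknown'."""
    if len(data) < 5:
        return "unknown"                              # includes an empty read (TCP reset/close)
    ctype, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if ctype == CT_ALERT and len(payload) >= 2:
        return "alert:" + ALERT_NAMES.get(payload[1], str(payload[1]))
    if ctype == CT_HANDSHAKE and payload and payload[0] == HS_SERVER_HELLO:
        return "server_hello"
    return "unknown"


def probe(host: str, send: Callable[[bytes], bytes]) -> List[Tuple[str, str]]:
    """Walk the fallback ladder and return (step, outcome) pairs, stopping at the first
    hello the server accepts. `send` performs one connect/write/read round trip; it is
    injected so the ladder can be driven against a constructed server offline."""
    ladder = [
        ("tls1.0+sni", build_client_hello(TLS10, sni_extension(host))),
        ("tls1.0-noext", build_client_hello(TLS10)),
        ("sslv3", build_client_hello(SSLV3)),
    ]
    results = []
    for label, hello in ladder:
        outcome = classify_response(send(hello))
        results.append((label, outcome))
        if outcome == "server_hello":
            break
    return results


def fake_server(hello: bytes, allow_extensions: bool = False, allow_tls10: bool = True) -> bytes:
    """Constructed stand-in for an intolerant server: answers any ClientHello that carries
    extensions (and, optionally, any TLS 1.0 hello) with a fatal illegal_parameter alert,
    and an extension-less hello it tolerates with a bare ServerHello."""
    record_len = struct.unpack("!H", hello[3:5])[0]
    body = hello[9:5 + record_len]                    # skip record header (5) + handshake header (4)
    client_version = tuple(body[0:2])
    i = 2 + 32                                        # past client_version and random
    i += 1 + body[i]                                  # session_id
    i += 2 + struct.unpack("!H", body[i:i + 2])[0]    # cipher_suites
    i += 1 + body[i]                                  # compression_methods
    has_extensions = i < len(body)
    if (has_extensions and not allow_extensions) or (client_version > SSLV3 and not allow_tls10):
        return bytes([CT_ALERT]) + hello[1:3] + b"\x00\x02" + b"\x02\x2f"   # fatal, illegal_parameter
    srv_body = hello[1:3] + os.urandom(32) + b"\x00" + b"\x00\x35" + b"\x00"   # version, random, no sid, AES256-SHA, null
    handshake = bytes([HS_SERVER_HELLO]) + len(srv_body).to_bytes(3, "big") + srv_body
    return bytes([CT_HANDSHAKE]) + hello[1:3] + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Offline demonstration against the constructed server; www.orange.sk is only used as the SNI name.
    for step, outcome in probe("www.orange.sk", lambda h: fake_server(h, allow_tls10=False)):
        print(f"{step:13s} -> {outcome}")
```

Two points a practitioner would want alongside this. First, the ladder deliberately stops at the first acceptance and records every step, so a deployment can log that a host needed extension-less TLS or SSLv3 rather than silently downgrading; an on-path attacker can inject exactly this alert to force the downgrade, so a fallback taken on an alert should be treated as a signal, and where a known-intolerant host must be supported it is safer to pin the version for that host (curl's -3, or CURLOPT_SSLVERSION in libcurl) than to fall back automatically. Second, to turn this into a live probe, `send` would open a TCP connection to port 443, write the hello and read one record; the OpenSSL log above corresponds to the "tls1.0+sni" step returning alert 47.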