curl-library

Re: Making tlsv1 the default protocol

From: Jose Kahan <jose.kahan_at_w3.org>
Date: Wed, 22 Oct 2014 18:42:40 +0200

On Wed, Oct 22, 2014 at 05:43:00PM +0200, Florian Weimer wrote:
>
> Can you provide more details? This should definitely not happen.

Sure.

I've two boxes, a debian squeeze up to date with the latest
security releases:

 curl: 7.21.0-2.1+squeeze9
 openssl: 0.9.8o-4squeeze17
 apache2: 2.2.22-13+deb7u3

and a debian wheezy, with the
latest official:

 curl: 7.26.0-1+wheezy10
 openssl: 1.0.1e-2+deb7u13
 apache2: 2.2.22-13+deb7u3

Apache is configured to only support tls (-sslv2, -sslv3).

In the following I'll use source- and dest- with wheezy and squeeze
suffixes to identify from where I'm making my requests.

If I do the following request from the source-squeeze to a protected
URL in the destination box, I don't get any output:

[[
#source-squeeze: curl -I -s -L https://dest-wheezy.example.com/protected/
]]

The only way I get a result is if I force the protocol to be
tls in the curl call:

[[
#source-squeeze: curl --tlsv1 -I -s \
                  -L https://dest-wheezy.example.com/protected/
HTTP/1.1 401 Authorization Required
Date: Wed, 22 Oct 2014 16:29:28 GMT
Server: Apache/2
WWW-Authenticate: Basic ...
]]

If I attempt the same command from a wheezy source box
(source-wheezy), I do get the results I was expecting:

[[
#source-wheezy: curl -I -s -L https://dest-wheezy.example.com/protected/
 HTTP/1.1 401 Authorization Required
 Date: Wed, 22 Oct 2014 16:27:46 GMT
 Server: Apache/2
 WWW-Authenticate: Basic ...
]]

I started having the failing behavior in squeeze once I updated
the server's config to disable sslv3.

Note that I don't have this problem when using source-squeeze,
target-squeeze, even if its sslv3 is disabled.
As the stackoverflow report I referred to says, this behavior only
happens when the origin request box uses openssl 0.9.8 and the
target one uses openssl 1.0.

I don't have the problem in the opposite direction with a source-wheezy
and target-squeeze.

As I can't update the squeeze box to wheezy right now and the
tool having the problems is a binary proprietary one, the
temporary solution I found was to patch libcurl to use tlsv1 as
the default value for ssl.

I hope this is not TMI or too confusing to follow. Please
contact me if you need further info or tests.

Regards,

-jose
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-22
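The workaround described in the mail above is to force TLS from the client side when the calling host's curl is linked against OpenSSL 0.9.8 (`--tlsv1` on the command line, or `CURLOPT_SSLVERSION` set to `CURL_SSLVERSION_TLSv1` in libcurl). Where the proprietary tool cannot be patched but shells out to `curl`, a small wrapper can apply that flag only on builds that need it, by reading the OpenSSL version that `curl -V` reports. This is an added example and not code from the mail or from the curl project; the `curl -V` lines it is tested against are constructed from the package versions quoted in the mail, and the rule "OpenSSL 0.9.x means add --tlsv1" is an assumption generalised from the reporter's observation, not a documented curl behaviour.

```sh
#!/bin/sh
# Added example (not from the original mail): pick curl TLS flags from the
# OpenSSL version that `curl -V` reports, so hosts whose curl links OpenSSL
# 0.9.x get --tlsv1 forced, and everything else runs curl unchanged.

# Extract the OpenSSL version from the first line of `curl -V`, e.g.
# "curl 7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/..."
# Prints "0.9.8o"; prints nothing when curl is not built on OpenSSL
# (GnuTLS, NSS, ...), so the caller can fall through to the default.
openssl_version_from_curl_v() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL\/\([0-9][0-9a-z.]*\).*/\1/p'
}

# True (exit 0) when the given OpenSSL version is older than 1.0.0,
# i.e. the 0.9.x series the reporter saw the failure with.
openssl_is_pre_1_0() {
    ver=$1
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    [ "$major" -eq 0 ]
}

# Print the extra curl flags for this build: "--tlsv1" for OpenSSL 0.9.x,
# an empty line otherwise (the heuristic is an assumption, see lead-in).
tls_flags_for() {
    v=$(openssl_version_from_curl_v "$1")
    if openssl_is_pre_1_0 "$v"; then
        printf '%s\n' "--tlsv1"
    else
        printf '\n'
    fi
}

# Wrapper to use in place of curl: asks the installed curl for its -V line
# and prepends the flags chosen for it. Pass the usual curl arguments.
tlscurl() {
    first=$(curl -V 2>/dev/null | head -n 1)
    flags=$(tls_flags_for "$first")
    # flags is intentionally word-split; it is either empty or "--tlsv1"
    # shellcheck disable=SC2086
    curl $flags "$@"
}
```

One caveat before relying on this: on curl of the 7.21/7.26 era, `--tlsv1` (and `CURL_SSLVERSION_TLSv1`) selects OpenSSL's `TLSv1_client_method()`, which pins the connection to TLS 1.0 exactly rather than "TLS 1.0 or newer" as later curl releases interpret the same flag. It is therefore a compatibility workaround for a client stack that cannot be upgraded, not a hardening step, and the wrapper deliberately leaves curl alone on builds that report OpenSSL 1.0 or a different TLS library.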