curl-users

Re: ssl failure, MITM attack?

From: Ray Satiro via curl-users <curl-users_at_cool.haxx.se>
Date: Thu, 2 Feb 2017 02:59:01 -0500

On 2/1/2017 12:10 PM, David Niklas wrote:
> I wanted to get a link from a US gov website. firefox was taking all
> eternity, so I decided to use curl.
> My system clock is set correctly, I have an up-to-date system, with
> associated up-to-date certs.
> My problem is that I had to try downloading three times before I got the
> file. The first had the below error, the second stopped part way through.
> I'm curious to know if I'm being MITM attacked.
>
> Linux ulgy_thing 4.4.39-gentoo-nopreempt-dav2 #1 SMP Thu Dec 22 16:14:17
> UTC 2016 x86_64 Intel(R) Pentium(R) CPU 2117U @ 1.80GHz GenuineIntel
> GNU/Linux
>
> My curl version is:
>
> curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2j zlib/1.2.11 libidn2/0.11 libssh2/1.7.0 nghttp2/1.10.0 librtmp/2.3
> Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
> Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy Metalink
>
>
> % curl -vD- -o Downloads/2016-24888.pdf https://www.gpo.gov/fdsys/pkg/FR-2016-10-17/pdf/2016-24888.pdf
> % Total % Received
> % Xferd Average Speed Time Time Time Current Dload Upload
> Total Spent Left Speed 0 0 0 0 0 0 0 0
> --:--:-- --:--:-- --:--:--
> 0*
> Trying 162.140.14.20...
> * TCP_NODELAY set
> * Connected to www.gpo.gov (162.140.14.20) port 443 (#0)
> 0 0 0 0 0 0 0 0 --:--:-- 0:00:01
> --:--:--
> 0*
> ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection:
> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: /etc/ssl/certs/ca-certificates.crt
> CApath: /etc/ssl/certs
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> } [5 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> } [512 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> { [91 bytes data]
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> { [3517 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> { [333 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> { [4 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> } [70 bytes data]
> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
> } [1 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> } [16 bytes data]
> 0 0 0 0 0 0 0 0 --:--:-- 0:00:11
> --:--:--
> 0*
> Unknown SSL protocol error in connection to www.gpo.gov:443
> * Curl_http_done: called premature == 1
> * stopped the pause stream!
> 0 0 0 0 0 0 0 0 --:--:-- 0:00:12
> --:--:-- 0
> * Closing connection 0
> curl: (35) Unknown SSL protocol error in connection to www.gpo.gov:443
> % echo $?
> 35

Is it reproducible? I tried multiple times in the latest of all of OpenSSL,
wolfSSL, mbedTLS and WinSSL both this afternoon and this evening and
cannot reproduce in any of them. I tried both release 7.52.1 and latest
repo master. My guess is it was a server problem.

If someone was trying to MITM you maybe they'd take advantage of your
SSL library (unlikely since you're using the latest version) or have
certificates not signed by your certificate authority (also unlikely
since curl will show you an error message in those cases). Whether or
not someone is doing that to you I don't know, I just think it's
unlikely given that it dies like that.

There is an SSL issue in curl 7.52.1 that has since been fixed in the
repo but in the meantime has bitten a few people [1]. I'm not sure why it's
a problem for some people and not others. If you can reproduce your
transfer problem in 7.52.1 try building curl from the repo with the same
OpenSSL and see if you can still reproduce, because maybe you are
experiencing that issue.

[1]: https://github.com/curl/curl/issues/1174

Received on 2017-02-02
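
The reply separates two outcomes: a certificate that does not chain to a trusted CA, which curl reports explicitly, and a handshake that simply dies with error 35. The script below is an added example, not part of the thread or of curl; `classify_trace` and its output labels are hypothetical, and the second sample trace is constructed. It triages a saved `curl -v` trace into those cases and shows how far the handshake got, which is evidence for troubleshooting rather than proof for or against interception.

```shell
#!/bin/sh
# Added example, not from the thread. classify_trace is a hypothetical helper
# that reads a saved `curl -v` trace on stdin and prints one triage label.
classify_trace() {
    trace=$(cat)
    # Exit code as printed by curl itself, e.g. "curl: (35) ..."
    code=$(printf '%s\n' "$trace" |
        sed -n 's/^curl: (\([0-9][0-9]*\)).*/\1/p' | tail -n 1)
    has() { printf '%s\n' "$trace" | grep -qF -- "$1"; }

    # Untrusted or mismatched certificate: curl names the problem explicitly
    # (exit 60, or 51 on older releases).
    if [ "$code" = 60 ] || [ "$code" = 51 ] || has 'SSL certificate problem'; then
        echo cert-verification-failed
    elif [ "$code" = 35 ]; then
        # Handshake error with no certificate complaint: report how far it got.
        if has '(OUT), TLS handshake, Finished (20)'; then
            echo handshake-aborted-after-client-finished
        elif has '(IN), TLS handshake, Server hello (2)'; then
            echo handshake-aborted-mid-negotiation
        else
            echo handshake-aborted-before-server-hello
        fi
    else
        echo not-a-tls-failure
    fi
}

# Trimmed from the trace quoted in the post.
post_trace='* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* Unknown SSL protocol error in connection to www.gpo.gov:443
curl: (35) Unknown SSL protocol error in connection to www.gpo.gov:443'

# Constructed sample: the explicit error curl prints for an untrusted chain.
untrusted_trace='* TLSv1.2 (IN), TLS handshake, Certificate (11):
* SSL certificate problem: unable to get local issuer certificate
curl: (60) SSL certificate problem: unable to get local issuer certificate'

printf '%s\n' "$post_trace" | classify_trace
printf '%s\n' "$untrusted_trace" | classify_trace
```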