
Re: TLS handshake failures on socks proxy

From: Anand Sridharan via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 15 Apr 2020 13:15:15 -0700

Thanks Daniel, updated comments.

On Tue, Apr 14, 2020 at 11:29 PM Daniel Stenberg <daniel_at_haxx.se> wrote:

> On Tue, 14 Apr 2020, Anand Sridharan via curl-library wrote:
>
> > Method 1 - use the existing APIs used for the HTTP proxy but remove any
> > conditions specific to the HTTPS proxy. (wireshark: lo_sslversion.pcap)
> >
> > - SSL upgrade of the existing socket using the curl APIs
> > curl_ssl_connect_nonblocking and curl_ssl_init_proxy for the TLS handshake
> > - Fatal alert: protocol version
>
> Sounds like the client and server didn't agree on TLS version?

   [AS] Looks like a version mismatch, but the initial handshake looks fine in
the Wireshark logs; the client changes something dynamically. openssl s_client
works fine with the handshake.

>

> > Method 2 - use a new SSL context init and add certificates/key manually, do
> > a simple ssl_connect on sockfd (wireshark: inverse_server_client_l0.pcap)
> >
> > - SSL_set_fd(ssl, sockfd) and SSL_connect(ssl) are used.
> > - Fatal alert: illegal parameter.
>
> Sounds like you're not passing the right things to these functions?

   [AS] These were simple client connect functions, need to check what is
causing the failures.
>

> Perhaps a more "winning" approach is to run stunnel in front of a "real" socks
> proxy so that you can actually verify the whole thing once the TLS handshake
> works. It would even be a way to setup and create test cases to use in the
> curl test suite.
>
> If you take it in that direction, then you'd also be closer to something you
> could share with other curl hackers here and we might be able to help out!
>

   [AS] We already have a TLS-enabled socks proxy running; wanted to confirm
with openssl s_server that the curl implementation works okay.
        We would need TLS for the initial negotiations only, then the data
transfer to happen over the normal raw socket, hence stunnel may not totally
help us.

> --
>
> / daniel.haxx.se | Commercial curl support up to 24x7 is available!
> | Private help, bug fixes, support, ports, new features
> | https://www.wolfssl.com/contact/

-- 
thanks,
Anand.S

Received on 2020-04-15