
Regarding issue filed https://github.com/curl/curl/issues/5523

From: Shilpa Gupta via curl-library <curl-library_at_cool.haxx.se>
Date: Sat, 15 Aug 2020 10:49:56 -0700

Hi All, I have been blocked on the fix of the bug
https://github.com/curl/curl/issues/5523 for a while.
I decided to look into the libcurl code to see and find the problem. I have
been observing this mailing list. I thought I would ask the question about
what I am seeing here.

So I see this comment
https://github.com/curl/curl/blob/e15e51384a423be31318b3c9c7d612a1aae661fd/lib/http_proxy.c#L46-L47
which says https_proxy_connect will set the bit proxy_ssl_connected when the
connect is complete. This method calls Curl_ssl_connect_nonblocking.

Looking at the code of Curl_ssl_connect_nonblocking, the flow will not fall into
https://github.com/curl/curl/blob/aecce3551cbb62a7980e8d22b40eabc091f896a0/lib/vtls/vtls.c#L320
because we haven't connected to the proxy yet.
Then in line
https://github.com/curl/curl/blob/aecce3551cbb62a7980e8d22b40eabc091f896a0/lib/vtls/vtls.c#L330
we are setting conn->ssl[sockindex].use to true even though our destination
is not ssl. We do not know if the destination will be ssl yet. We are only
sending CONNECT to the https proxy.
And because conn->ssl[sockindex].use is set whether or not the destination
is ssl, we send the command PBSZ to the ftp end point
https://github.com/curl/curl/blob/42ed22fea621ca06986070815c14b9dfa25a41c1/lib/ftp.c#L2504-L2519
which is only a valid command for a secure end point, and the ftp end point is not
secure.

I think something needs to be fixed around
https://github.com/curl/curl/blob/aecce3551cbb62a7980e8d22b40eabc091f896a0/lib/vtls/vtls.c#L330
Since I am looking at the libcurl code for the first time, I can't put a finger on what
the fix should be here. I would really appreciate some guidance in terms of
what a possible fix is here. I can send a pull request.

This is the curl command I am sending
curl -vvv -p -x <https_proxy> --proxy-cert <cert> --proxy-key <key>
ftp://test.rebex.net/ --proxy-insecure --user 'demo:password'

In the curl logs I can see this interaction happening.
> PBSZ 0
< 503 Command valid only on secure connection
> PROT P
< 503 Command valid only on secure connection.
The problem is that the ftp server I am trying to connect to responds to these
commands with 200 in place of 503, and then the client tries to do a TLS
handshake, which fails. Ideally curl should not send these commands because
they are invalid commands for an ftp end point.

I have been blocked on this for the last couple of months; any help is really
appreciated. Thanks in advance.

Shilpa

-- 
Shilpa Gupta
https://shilpa-gupta.github.io
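The interaction the mail describes, as an added example that is not part of the original message and not libcurl code: a constructed model of the two TLS legs (client-to-proxy and client-to-FTP-server) with a mock FTP server that enforces RFC 4217's rule that PBSZ and PROT are only valid on a secure control connection. The struct, field names, and function names are assumptions made for illustration; the only facts taken from the mail are that connecting to an HTTPS proxy sets the per-socket "use SSL" flag and that the FTP code keys PBSZ/PROT on that flag. The model also covers the lenient-server case the mail mentions (200 instead of 503, then a failing TLS handshake) and the plain ftps:// case where PBSZ/PROT are legitimate.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not libcurl. Names and layout are assumptions. */
enum scheme { SCHEME_FTP, SCHEME_FTPS };

enum outcome {
    OUT_NO_PBSZ,        /* client never sent PBSZ/PROT: correct for plain ftp:// */
    OUT_REJECTED_503,   /* server refused PBSZ/PROT, as in the log in the mail */
    OUT_HANDSHAKE_FAIL, /* lenient server said 200, client then tried TLS on plaintext */
    OUT_TLS_OK          /* ftps://: control connection really is TLS */
};

struct conn_model {
    bool proxy_is_https;      /* -x https://...: TLS on the proxy leg only */
    bool proxy_ssl_connected; /* set when the proxy TLS handshake completes */
    bool ssl_use;             /* stands in for conn->ssl[sockindex].use */
    enum scheme dest_scheme;  /* what the URL asked for */
};

/* Behaviour the mail describes: finishing the TLS connect to an HTTPS proxy
 * flips the per-socket SSL flag, regardless of what the destination is. */
static void model_proxy_connect(struct conn_model *c) {
    if (c->proxy_is_https) {
        c->proxy_ssl_connected = true;
        c->ssl_use = true;
    }
}

/* Decision as the mail reads ftp.c: keyed on the socket-level flag. */
static bool buggy_sends_pbsz(const struct conn_model *c) {
    return c->ssl_use;
}

/* Fixed decision (assumption): key on whether TLS is wanted towards the FTP
 * server itself. In this model that is the ftps:// scheme; a real client
 * would also set it after a successful explicit AUTH TLS upgrade. */
static bool fixed_sends_pbsz(const struct conn_model *c) {
    return c->dest_scheme == SCHEME_FTPS;
}

/* Mock FTP server. PBSZ/PROT are only valid on a secure control connection;
 * a "lenient" server answers 200 anyway, like the server in the mail. */
static int mock_ftp_reply(const char *cmd, bool control_is_tls, bool lenient) {
    bool secure_only = !strncmp(cmd, "PBSZ", 4) || !strncmp(cmd, "PROT", 4);
    if (secure_only && !control_is_tls && !lenient)
        return 503;
    return 200;
}

/* Drive one control-connection exchange through the model. */
static enum outcome run_exchange(bool use_fixed, bool proxy_https,
                                 enum scheme s, bool lenient_server) {
    struct conn_model c = { proxy_https, false, false, s };
    model_proxy_connect(&c);

    bool send = use_fixed ? fixed_sends_pbsz(&c) : buggy_sends_pbsz(&c);
    if (!send)
        return OUT_NO_PBSZ;

    /* The proxy leg being TLS says nothing about the FTP leg: the control
     * connection to the server is only encrypted for ftps://. */
    bool control_is_tls = (s == SCHEME_FTPS);
    if (mock_ftp_reply("PBSZ 0", control_is_tls, lenient_server) != 200)
        return OUT_REJECTED_503;
    if (mock_ftp_reply("PROT P", control_is_tls, lenient_server) != 200)
        return OUT_REJECTED_503;

    /* A 200 to PROT P makes the client expect protected data channels; on a
     * plaintext control connection the following TLS handshake cannot work. */
    return control_is_tls ? OUT_TLS_OK : OUT_HANDSHAKE_FAIL;
}

static const char *outcome_name(enum outcome o) {
    static const char *names[] = { "no PBSZ sent", "503 rejected",
                                   "TLS handshake fails", "TLS ok" };
    return names[o];
}

int main(void) {
    /* The mail's scenario: ftp:// through an HTTPS proxy, strict then lenient server. */
    printf("buggy, strict server:   %s\n", outcome_name(run_exchange(false, true, SCHEME_FTP, false)));
    printf("buggy, lenient server:  %s\n", outcome_name(run_exchange(false, true, SCHEME_FTP, true)));
    printf("fixed, strict server:   %s\n", outcome_name(run_exchange(true, true, SCHEME_FTP, false)));
    printf("fixed, ftps destination: %s\n", outcome_name(run_exchange(true, true, SCHEME_FTPS, false)));
    return 0;
}
```

The point of the model is that `proxy_ssl_connected` and `ssl_use` answer different questions: the first is about the hop to the proxy, the second is read by the FTP code as a statement about the hop to the server. Keying the PBSZ/PROT decision on the destination's own TLS state removes both failure modes (the 503 from a strict server and the doomed handshake against a lenient one) without changing what happens for ftps://.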

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-08-15