curl-tracker Archives

[ curl-Bugs-3497051 ] libcurl v7.24 exits with err 104 while connecting https host

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Wed, 07 Mar 2012 05:20:38 -0800

Bugs item #3497051, was opened at 2012-03-05 07:41
Message generated for change (Comment added) made by alexzapped
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3497051&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: wrong behaviour
>Status: Closed
Resolution: Fixed
Priority: 5
Private: No
Submitted By: Alexey Shumkin (alexzapped)
Assigned to: Daniel Stenberg (bagder)
Summary: libcurl v7.24 exits with err 104 while connecting https host

Initial Comment:
At my work I have HTTP-proxy with pre-authorization to access internet. To skip manual authorization I use curl under Cygwin to send auth-form to server.
Recently after an update of Cygwin to 1.7.11 this script has appeared to be broken - curl exits with err 104. After investigation a test script was simplified to
curl -3 -k https://proxy.lan.rarus.ru/BM-Login/?\"http://ya.ru/\" --trace - -D -
to reproduce the error.

Also I discovered that libcurl update to v7.24 (was v7.20) caused this behavior. After manual rollback of libcurl-4.dll to the previous version the test-script works well.

See attachments:

----------------------------------------------------------------------

>Comment By: Alexey Shumkin (alexzapped)
Date: 2012-03-07 05:20

Message:
I compiled curl from master branch (which includes above-mentioned commits,
in fact).
And curl with --ssl-allow-beast option works.
Thank you

----------------------------------------------------------------------

Comment By: Alexey Shumkin (alexzapped)
Date: 2012-03-07 05:20

Message:
Thanks for the report, this problem is now fixed in the git repository.

To try it out, you either checkout/update your git clone:
http://curl.haxx.se/source.html

or you try tomorrow's daily snapshot: http://curl.haxx.se/snapshots/

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2012-03-07 02:48

Message:
Thanks a lot for your reporting and details.

Ah yes. Correct, your proxy is stupid. But we've noticed that there are
many stupid proxies and servers out there so we have introduced a way to
put back the security problem so that people can continue using the stupid
softwares.

This work-around is in git now and will become available in the next
release.

If you want to cherry-pick the particular changes, these are the two
commits:

commit 62d15f159e163bf4e1a27ac1b0ffd9b84e02bf56
commit 2a699bc6e94b8223d900e8880ad628aebf17ab6d

----------------------------------------------------------------------

Comment By: Alexey Shumkin (alexzapped)
Date: 2012-03-07 02:06

Message:
Maybe "my" proxy acts wrong? But browsers work well with it.

----------------------------------------------------------------------

Comment By: Alexey Shumkin (alexzapped)
Date: 2012-03-07 02:02

Message:
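I wrote a simple test-script
#!/bin/bash
# Test script for "git bisect run": exit 0 = good, 1 = bad, 125 = skip commit.

make clean
make all
DLL="./lib/.libs/cygcurl-4.dll"
# No DLL means this commit did not build; tell git bisect to skip it.
if ! test -s "$DLL"; then
        echo "No $DLL"
        exit 125
fi
cp -avf "$DLL" /bin
# The commit is bad when curl reports the connection reset (errno 104).
curl -3 -k https://proxy.lan.rarus.ru/BM-Login/?\"http://ya.ru/\" 2>&1 |
grep -qF 'errno 104'
if [ $? -eq 0 ]; then
        exit 1
else
        exit 0
fi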

And I bisected git repository with git bisect run. Here is the result.

db1a856b4f7cf6ae334fb0656b26a18eea317000 is the first bad commit
commit db1a856b4f7cf6ae334fb0656b26a18eea317000
Author: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu Jan 19 10:38:14 2012 +0100

    OpenSSL: don't disable security work-around

    OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
    (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit
    to SSL_OP_ALL that _disables_ that work-around despite the fact that
    SSL_OP_ALL is documented to do "rather harmless" workarounds.

    The libcurl code uses the SSL_OP_ALL define and thus logically always
    disables the OpenSSL fix.

    In order to keep the secure work-around working, the
    SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
    makes sure of this.

    Reported by: product-security at Apple

I hope this will make reasons more clear

----------------------------------------------------------------------
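
The option logic the commit message above describes, as an added example (not libcurl's or OpenSSL's own code): it shows the mask before the fix, after it, and with the later opt-in, plus the extra empty record a peer sees when the countermeasure is on. The helper names are hypothetical and the two constants are assumed to match OpenSSL 0.9.8's ssl.h.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed values, mirroring OpenSSL 0.9.8's ssl.h so this builds without it. */
#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L
#define SSL_OP_ALL                         0x00000FFFL

/* Hypothetical helper: the mask a client would pass to SSL_CTX_set_options().
 * fixed = 0:       before commit db1a856b, plain SSL_OP_ALL (simplified)
 * fixed = 1:       the bit is cleared, so OpenSSL's CBC work-around stays on
 * allow_beast = 1: the opt-in (--ssl-allow-beast) puts the bit back */
long ctx_options(int fixed, int allow_beast)
{
    long opts = SSL_OP_ALL;
    if (fixed && !allow_beast)
        opts &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
    return opts;
}

/* 1 when the empty-fragment countermeasure is active for this mask. */
int countermeasure_on(long opts)
{
    return (opts & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0;
}

/* Simplified model of one write of `len` plaintext bytes (fits one record)
 * under an SSL 3.0 / TLS 1.0 CBC cipher. Fills rec_len[] with the plaintext
 * length of each record sent and returns the record count. */
size_t plan_records(long opts, size_t len, size_t rec_len[2])
{
    size_t n = 0;
    if (countermeasure_on(opts) && len > 0)
        rec_len[n++] = 0;   /* empty fragment sent ahead of the data */
    rec_len[n++] = len;
    return n;
}

int main(void)
{
    const char *name[3] = { "before fix", "after fix", "after fix + allow-beast" };
    long opts[3] = { ctx_options(0, 0), ctx_options(1, 0), ctx_options(1, 1) };
    for (int i = 0; i < 3; i++) {
        size_t r[2], n = plan_records(opts[i], 78, r);   /* 78: constructed size */
        printf("%-24s opts=%#lx countermeasure=%d records=%zu\n",
               name[i], (unsigned long)opts[i], countermeasure_on(opts[i]), n);
    }
    return 0;
}
```

With the countermeasure on, every application-data write is preceded by a zero-length record, which is the traffic a peer has to tolerate for the fixed libcurl to interoperate with it.

----------------------------------------------------------------------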

Comment By: Alexey Shumkin (alexzapped)
Date: 2012-03-06 07:44

Message:
Yes. I can try to use different Cygwin mirrors to find versions in between
and test them.

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2012-03-06 07:31

Message:
Ok, so it returned 56 not 104.

The errno 104 was just additional information about the errno contents at
the time of the error. 104 on my system equals ECONNRESET which would
indicate a problem with the TCP connection.

I can't explain why it would happen with one version and not the other. Any
chance you can try more versions in between and see if you can figure out
exactly when it stopped working?

----------------------------------------------------------------------

Comment By: Alexey Shumkin (alexzapped)
Date: 2012-03-05 22:39

Message:
below is output of
curl -3 -k https://proxy.lan.rarus.ru/BM-Login/?\"http://ya.ru/\" -v -D -
command

* About to connect() to proxy.lan.rarus.ru port 443 (#0)
* Trying 172.20.128.5...
* connected
* Connected to proxy.lan.rarus.ru (172.20.128.5) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /usr/ssl/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DES-CBC3-SHA
* Server certificate:
* subject: O=RARUS; CN=proxy.lan.rarus.ru
* start date: 2010-05-25 19:10:25 GMT
* expire date: 2012-05-24 19:10:25 GMT
* common name: proxy.lan.rarus.ru (matched)
* issuer: OU=Organizational CA; O=RARUS
* SSL certificate verify result: self signed certificate in certificate
chain (19), continuing anyway.
> GET /BM-Login/?"http://ya.ru/" HTTP/1.1
> User-Agent: curl/7.24.0 (i686-pc-cygwin) libcurl/7.24.0 OpenSSL/0.9.8t
zlib/1.2.5 libidn/1.22 libssh2/1.3.0
> Host: proxy.lan.rarus.ru
> Accept: */*
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection #0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2012-03-05 13:13

Message:
Can you please show us the full output you get when you use -v ? There's no
return code 104 in curl/libcurl so it would indicate something truly
weird.

I can't repeat this problem on Linux.

----------------------------------------------------------------------

Comment By: Alexey Shumkin (alexzapped)
Date: 2012-03-05 07:48

Message:
oops, vice versa
error:
 $ curl -V
curl 7.24.0 (i686-pc-cygwin) libcurl/7.24.0 OpenSSL/0.9.8t zlib/1.2.5
libidn/1.22 libssh2/1.3.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
pop3s rtsp scp sftp smtp smtps telnet tftp
Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz

no error:
curl 7.24.0 (i686-pc-cygwin) libcurl/7.20.1 OpenSSL/0.9.8t zlib/1.2.5
libidn/1.22 libssh2/1.2.5
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s rtsp scp
sftp smtp smtps telnet tftp
Features: IDN IPv6 Largefile NTLM SSL libz

----------------------------------------------------------------------

Comment By: Alexey Shumkin (alexzapped)
Date: 2012-03-05 07:45

Message:
when error is observed
$ curl -V
curl 7.24.0 (i686-pc-cygwin) libcurl/7.20.1 OpenSSL/0.9.8t zlib/1.2.5
libidn/1.22 libssh2/1.2.5
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s rtsp scp
sftp smtp smtps telnet tftp
Features: IDN IPv6 Largefile NTLM SSL libz

when no error (rollback libcurl)
$ curl -V
curl 7.24.0 (i686-pc-cygwin) libcurl/7.24.0 OpenSSL/0.9.8t zlib/1.2.5
libidn/1.22 libssh2/1.3.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
pop3s rtsp scp sftp smtp smtps telnet tftp
Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz

----------------------------------------------------------------------

Received on 2012-03-07
