Since 7.88 https over unix socket's no longer connects to the server #10633

Closed
jelly opened this issue Feb 27, 2023 · 6 comments
Comments

jelly commented Feb 27, 2023

I did this

[root@archlinux ~]# curl --verbose -k --unix-socket /run/cockpit/sock https://dummy
* Failed to connect to dummy port 443 after 0 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to dummy port 443 after 0 ms: Couldn't connect to server

I expected the following

[root@archlinux ~]# curl --version
curl 7.87.0 (x86_64-pc-linux-gnu) libcurl/7.87.0 OpenSSL/3.0.8 zlib/1.2.13 brotli/1.0.9 zstd/1.5.2 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.10.0 nghttp2/1.52.0
Release-Date: 2022-12-21
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
[root@archlinux ~]# curl --verbose -k --unix-socket /run/cockpit/sock https://dummy
*   Trying /run/cockpit/sock:0...
* Connected to dummy (/run/cockpit/sock) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, CERT verify (15):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: O=f6f18ce3ae304513a29797a70aff0e85; CN=archlinux
*  start date: Feb 27 19:25:23 2023 GMT
*  expire date: Mar 28 19:25:23 2024 GMT
*  issuer: O=f6f18ce3ae304513a29797a70aff0e85; CN=archlinux
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
> Host: dummy
> User-Agent: curl/7.87.0
> Accept: */*

Note: connecting over http:// works fine:

[root@archlinux ~]# curl --verbose -k --unix-socket /run/cockpit/sock http://dummy
*   Trying /run/cockpit/sock:0...
* Connected to dummy (/run/cockpit/sock) port 80 (#0)
> GET / HTTP/1.1
> Host: dummy
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Content-Security-Policy: connect-src 'self' http://dummy ws://dummy; form-action 'self' http://dummy; base-uri 'self' http://dummy; object-src 'none'; font-src 'self' http://dummy data:; img-src 'self' http://dummy data:; block-all-mixed-content; default-src 'self' http://dummy 'unsafe-inline'
< Set-Cookie: cockpit=deleted; PATH=/; SameSite=strict; HttpOnly
< Transfer-Encoding: chunked
< Cache-Control: no-cache, no-store
< X-DNS-Prefetch-Control: off
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< Cross-Origin-Resource-Policy: same-origin
< X-Frame-Options: sameorigin
<
<!DOCTYPE html>

curl/libcurl version

curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.8 zlib/1.2.13 brotli/1.0.9 zstd/1.5.2 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.10.0 nghttp2/1.52.0
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

operating system

Linux archlinux 6.1.12-arch1-1 #1 SMP PREEMPT_DYNAMIC Tue, 14 Feb 2023 22:08:08 +0000 x86_64 GNU/Linux

bagder (Member) commented Feb 27, 2023

@icing assigning this to you, as I believe it is in your backyard. If not, let me know.

dfandrich (Contributor) commented Feb 27, 2023 via email

jelly (Author) commented Feb 27, 2023

I bisected the issue down to 71b7e01 using a simple socat one-liner:

socat unix-listen:/tmp/socket tcp-connect:localhost:9090

icing added a commit to icing/curl that referenced this issue Feb 28, 2023
- refs curl#10633, when h2/h3 eyeballing was involved, unix domain socket
  configurations were not honoured
- configuring --unix-socket will disable HTTP/3 as candidate for eyeballing
- combination of --unix-socket and --http3-only will fail during initialisation
- adding pytest test_11 to reproduce
icing (Contributor) commented Feb 28, 2023

Thanks for the details. I created #10641 to fix this.

In short: the new HTTP/2 vs HTTP/3 eyeballing code did not properly take configured unix sockets into account and always tried TCP for https: connections.
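To make the mechanism concrete, here is an added example (not curl's or Cockpit's code) of HTTP over a Unix domain socket in Python: a throwaway server bound to a temporary socket path, and an http.client connection whose connect() dials that path. The URL hostname ("dummy" in the report) only ever becomes the Host: header; the socket path is the real endpoint. A client that resolves that hostname and dials TCP instead, as the 7.88 eyeballing code did for https:, never reaches the server at all. The socket path, the handler, the hostnames and the User-Agent are constructed for this example.

```python
"""Added example: HTTP over a Unix domain socket, the way curl's --unix-socket works.

The hostname in the URL is only the Host: header; the filesystem path is the
transport endpoint.  Nothing here is curl's or Cockpit's code.
"""
import http.client
import os
import socket
import socketserver
import tempfile
import threading
from http.server import BaseHTTPRequestHandler


class UnixHTTPServer(socketserver.ThreadingMixIn, socketserver.UnixStreamServer):
    """HTTP server bound to a filesystem path instead of host:port.

    Hypothetical stand-in for the daemon behind /run/cockpit/sock."""
    daemon_threads = True


class EchoHostHandler(BaseHTTPRequestHandler):
    """Answers every GET with the Host header and path it received, so the
    client can see that the hostname it used travelled only as a header."""

    def do_GET(self):
        body = ("host=%s path=%s\n" % (self.headers.get("Host"), self.path)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # AF_UNIX peers have no (ip, port) address; keep the default logger quiet.
        pass


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client connection that dials a Unix socket.

    'host' is kept only so http.client emits it as the Host: header; it is never
    resolved.  This is the behaviour the report expected from curl --unix-socket."""

    def __init__(self, socket_path, host="dummy", timeout=5):
        super().__init__(host, timeout=timeout)
        self.socket_path = socket_path

    def connect(self):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(self.timeout)
        sock.connect(self.socket_path)  # no DNS, no TCP: the path is the endpoint
        self.sock = sock


def fetch_over_unix_socket(socket_path, host="dummy", path="/"):
    """GET `path` from the server listening on `socket_path`; return (status, body)."""
    conn = UnixHTTPConnection(socket_path, host=host)
    try:
        conn.request("GET", path, headers={"User-Agent": "unix-socket-example/0"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()


def run_demo(host="dummy", path="/"):
    """Start a server on a temporary socket, fetch once, tear down; return (status, body)."""
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "sock")  # constructed path, not /run/cockpit/sock
    server = UnixHTTPServer(sock_path, EchoHostHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return fetch_over_unix_socket(sock_path, host=host, path=path)
    finally:
        server.shutdown()
        server.server_close()
        os.unlink(sock_path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    status, body = run_demo()
    print(status, body, end="")
```

For the https: case the only difference is that connect() wraps the AF_UNIX socket with an ssl.SSLContext before the request; the addressing rule is unchanged, which is why the report's TLS handshake on 7.87 shows "Connected to dummy (/run/cockpit/sock)" and 7.88 never got that far.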

linggao commented Mar 7, 2023

When will the next release with this fix be? Currently 7.88.1 breaks our important functions.

icing (Contributor) commented Mar 7, 2023

The next release is curl 8.0.0 scheduled for March 20th.

(curl8 is fully compatible with 7.88 and introduces no new features)

bch pushed a commit to bch/curl that referenced this issue Jul 19, 2023
- when h2/h3 eyeballing was involved, unix domain socket
  configurations were not honoured
- configuring --unix-socket will disable HTTP/3 as candidate for eyeballing
- combination of --unix-socket and --http3-only will fail during initialisation
- adding pytest test_11 to reproduce

Reported-by: Jelle van der Waa
Fixes curl#10633
Closes curl#10641