
#1154 [PATCH] '--tlsauthtype srp' fails to send client username

closed-fixed
SSL/TLS (37)
5
2014-08-27
2012-10-19
No

The --tlsauthtype command-line option will attempt to use TLS-SRP but fail to send the username in the Client Hello message if specified as 'srp' (instead of 'SRP').

This causes the handshake to always fail with: curl: (35) error:1407745B:SSL routines:SSL23_GET_SERVER_HELLO:reason(1115)) (the "Unknown PSK Identity" alert):

/usr/local/bin/curl -ik -vvv --tlsuser alice --tlspassword password123 https://localhost:8443/ --tlsauthtype SRP # works
/usr/local/bin/curl -ik -vvv --tlsuser alice --tlspassword password123 https://localhost:8443/ --tlsauthtype foo # fails with invalid --tlsauthtype, as expected
/usr/local/bin/curl -ik -vvv --tlsuser alice --tlspassword password123 https://localhost:8443/ --tlsauthtype srp # fails with reason(1115) - not expected

--tlsauthtype srp is missing:
TLS client extension "SRP" (id=12), len=6
0000 - 05 61 6c 69 63 65 .alice

This is caused by src/tool_getparam.c doing a case-insensitive comparison using strequal() but lib/url.c using the case-sensitive strncmp().

Patch attached to change lib/url.c to the case-insensitive strnequal() to fix this. Tested on curl 7.28.0 with OpenSSL 1.0.1c.
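A small C model of the mismatch described in this report, added here as an illustration; it is not curl's source and not the attached patch. The function names are hypothetical, and POSIX strcasecmp()/strncasecmp() stand in for curl's strequal()/strnequal().

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>  /* POSIX strcasecmp/strncasecmp, stand-ins for strequal/strnequal */

enum outcome { REJECTED, SRP_SENT, SRP_DROPPED };

/* Hypothetical model of the option parser: case-insensitive, so "srp" passes. */
static int tool_accepts(const char *v) { return strcasecmp(v, "SRP") == 0; }

/* Hypothetical model of the library check before the fix: case-sensitive. */
static int lib_before(const char *v) { return strncmp(v, "SRP", strlen("SRP")) == 0; }

/* Same check after the fix: case-insensitive, matching the parser. */
static int lib_after(const char *v) { return strncasecmp(v, "SRP", strlen("SRP")) == 0; }

/* What a user sees for a given --tlsauthtype value and library check. */
static enum outcome outcome_for(const char *v, int (*lib)(const char *))
{
  if(!tool_accepts(v))
    return REJECTED;                       /* invalid value, reported up front */
  return lib(v) ? SRP_SENT : SRP_DROPPED;  /* dropped: no SRP extension sent */
}

/* Constructed sample values covering the casings from the report plus one more. */
static const char *const samples[] = { "SRP", "srp", "Srp", "foo" };

/* Regression check: count values the parser accepts but the library ignores. */
static int count_mismatches(int (*lib)(const char *))
{
  int n = 0;
  for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    if(outcome_for(samples[i], lib) == SRP_DROPPED)
      n++;
  return n;
}

int main(void)
{
  static const char *const names[] = { "rejected", "SRP sent", "SRP dropped" };
  for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-4s before: %-12s after: %s\n", samples[i],
           names[outcome_for(samples[i], lib_before)],
           names[outcome_for(samples[i], lib_after)]);
  printf("mismatches before=%d after=%d\n",
         count_mismatches(lib_before), count_mismatches(lib_after));
  return 0;
}
```

The mismatch count is the useful regression check: any value that one layer accepts and the other silently ignores ends in a handshake failure rather than a clear option error.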

Discussion

  • Jeff Connelly

    Jeff Connelly - 2012-10-19
     
  • Daniel Stenberg

    Daniel Stenberg - 2012-10-23

    Thanks for the report, this problem is now fixed in the git repository.

    To try it out, you either checkout/update your git clone: http://curl.haxx.se/source.html

    or you try tomorrow's daily snapshot: http://curl.haxx.se/snapshots/

     
  • Daniel Stenberg

    Daniel Stenberg - 2012-10-23
    • status: open --> closed-fixed