curl-users

Re: how to specify SSL version 2 using curl_easy_setopt() ?

From: dev <dev_at_cor0.com>
Date: Tue, 22 Apr 2014 11:54:15 -0400 (EDT)

On April 22, 2014 at 8:47 AM Daniel Stenberg <daniel_at_haxx.se> wrote:
> On Mon, 21 Apr 2014, dev wrote:
>
> > Well that seems to tell me the remote end is a vsFTPd version 2.0.1
> > thing of some sort. It wants me to use sslv2 for some reason and I
> > don't know how to enforce that via curl_easy_setopt().
>
> SSLv2 is insecure and these days often not even supported by SSL
> libraries unless you've explicitly made it so and built your own. But
> CURLOPT_SSLVERSION is the libcurl option you use and you set it to
> CURL_SSLVERSION_SSLv2 if you really want to go down that path of tears
> and pain.

I assure you that I do not want to go down that road. I am as surprised
as the next person that banking EFT data is transferred to a service
which does not support SSLv3. Perhaps I am doing something wrong and I
need to look deeper. Perhaps the problem is that I am seeing the wrong
data because there just is no way that EFT bank transaction data is
processed by an FTP site which does not support up to date security.

Does this look correct to you?

$ openssl s_client -ssl3 -debug -connect sftp.am.gxsics.com:21
CONNECTED(00000004)
write to 0x1001cdea0 [0x1001ec7f3] (153 bytes => 153 (0x99))
0000 - 16 03 00 00 94 01 00 00-90 03 00 c7 d0 8f 3b e1 ..............;.
0010 - 1a 79 c0 58 67 10 cb c8-ff 64 0d b9 74 b2 58 66 .y.Xg....d..t.Xf
0020 - ed 23 21 fd 24 fe 54 f4-fe 80 01 00 00 68 c0 14 .#!.$.T......h..
0030 - c0 0a c0 22 c0 21 00 39-00 38 00 88 00 87 c0 0f ...".!.9.8......
0040 - c0 05 00 35 00 84 c0 12-c0 08 c0 1c c0 1b 00 16 ...5............
0050 - 00 13 c0 0d c0 03 00 0a-c0 13 c0 09 c0 1f c0 1e ................
0060 - 00 33 00 32 00 9a 00 99-00 45 00 44 c0 0e c0 04 .3.2.....E.D....
0070 - 00 2f 00 96 00 41 00 07-c0 11 c0 07 c0 0c c0 02 ./...A..........
0080 - 00 05 00 04 00 15 00 12-00 09 00 14 00 11 00 08 ................
0090 - 00 06 00 03 00 ff 02 01- ........
0099 - <SPACES/NULS>
read from 0x1001cdea0 [0x1001e8293] (5 bytes => 5 (0x5))
0000 - 32 32 30 20 28 220 (
write to 0x1001cdea0 [0x1001f1cc0] (7 bytes => 7 (0x7))
0000 - 15 03 00 00 02 02 28 ......(
18446744071531984868:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1398181560
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

That response seems to suggest to me that the FTPs service at the
sftp.am.gxsics.com site cannot deal with SSLv3. Just to verify, I force
the sslv2 option:

$ openssl s_client -ssl2 -debug -connect sftp.am.gxsics.com:21
CONNECTED(00000004)
write to 0x1001ccdc0 [0x1001e8ab1] (48 bytes => 48 (0x30))
0000 - 80 2e 01 00 02 00 15 00-00 00 10 07 00 c0 05 00  ................
0010 - 80 03 00 80 01 00 80 06-00 40 04 00 80 02 00 80  .........@......
0020 - 05 95 34 9c f1 0f 0b 5d-59 32 7c 44 86 f8 06 59  ..4....]Y2|D...Y
read from 0x1001ccdc0 [0x1001e0a90] (2 bytes => 2 (0x2))
0000 - 32 32                                             22
read from 0x1001ccdc0 [0x1001e0a92] (12851 bytes => 18 (0x12))
0000 - 30 20 28 76 73 46 54 50-64 20 32 2e 30 2e 31 29  0 (vsFTPd 2.0.1)
0010 - 0d 0a                                            ..
^C

I hit CTRL-C there. Looks like openssl is happy to deal with the FTPs
service at sftp.am.gxsics.com, and it is on port 21 no less. Not 990 or
some other well-known port for the handling of encrypted data.

My software is quite up to date with the exception of a minor bump in
curl:

$ curl --version
curl 7.34.0 (sparc-sun-solaris2.10) libcurl/7.34.0 OpenSSL/1.0.1g zlib/1.2.7 libidn/1.26 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
$ openssl version
OpenSSL 1.0.1g 7 Apr 2014

So the real question here, and one that I will be asking the banking
folks, is this: is the EFT transfer service of one of the largest banks
in all of North America, and in fact the world, using security features
old and long since cracked and broken?

Dennis
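An added example, not code from the post, from curl or from OpenSSL: a small parser for the hex dumps that `openssl s_client -debug` prints, run over a copy of the six frames shown above. It classifies the first bytes of each frame as an SSLv3/TLS record, an SSLv2 record or plain ASCII. On this dump that makes the exchange easy to read: the 153-byte write is an SSLv3 handshake record (`16 03 00`), the 5-byte reply is the ASCII text `220 (`, which is exactly what the `wrong version number` error is complaining about, and s_client then sends a fatal `handshake_failure` alert; in the `-ssl2` run the 48-byte write is an SSLv2 CLIENT-HELLO and the two reads are the ASCII FTP greeting `220 (vsFTPd 2.0.1)\r\n`. The `<SPACES/NULS>` marker is openssl saying it trimmed trailing NUL or space bytes; padding them back with 0x00 is an assumption made here, since the dump does not say which.

```python
"""Classify the frames of an `openssl s_client -debug` hex dump.

Added example (not from the post, curl or OpenSSL).  SAMPLE_DUMP is a copy
of the frames quoted in the mailing-list post, re-typed in openssl's usual
column layout (two spaces before the ASCII column).
"""
import re

HEADER = re.compile(r"^(read from|write to) .*\((\d+) bytes => (\d+) \(0x[0-9a-f]+\)\)")
HEXLINE = re.compile(r"^([0-9a-f]{4}) - ((?:[0-9a-f]{2}[ -])+)")
TRIMMED = re.compile(r"^([0-9a-f]{4}) - <SPACES/NULS>")
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}
ALERTS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}

SAMPLE_DUMP = """\
write to 0x1001cdea0 [0x1001ec7f3] (153 bytes => 153 (0x99))
0000 - 16 03 00 00 94 01 00 00-90 03 00 c7 d0 8f 3b e1  ..............;.
0010 - 1a 79 c0 58 67 10 cb c8-ff 64 0d b9 74 b2 58 66  .y.Xg....d..t.Xf
0020 - ed 23 21 fd 24 fe 54 f4-fe 80 01 00 00 68 c0 14  .#!.$.T......h..
0030 - c0 0a c0 22 c0 21 00 39-00 38 00 88 00 87 c0 0f  ...".!.9.8......
0040 - c0 05 00 35 00 84 c0 12-c0 08 c0 1c c0 1b 00 16  ...5............
0050 - 00 13 c0 0d c0 03 00 0a-c0 13 c0 09 c0 1f c0 1e  ................
0060 - 00 33 00 32 00 9a 00 99-00 45 00 44 c0 0e c0 04  .3.2.....E.D....
0070 - 00 2f 00 96 00 41 00 07-c0 11 c0 07 c0 0c c0 02  ./...A..........
0080 - 00 05 00 04 00 15 00 12-00 09 00 14 00 11 00 08  ................
0090 - 00 06 00 03 00 ff 02 01-                          ........
0099 - <SPACES/NULS>
read from 0x1001cdea0 [0x1001e8293] (5 bytes => 5 (0x5))
0000 - 32 32 30 20 28                                    220 (
write to 0x1001cdea0 [0x1001f1cc0] (7 bytes => 7 (0x7))
0000 - 15 03 00 00 02 02 28                              ......(
write to 0x1001ccdc0 [0x1001e8ab1] (48 bytes => 48 (0x30))
0000 - 80 2e 01 00 02 00 15 00-00 00 10 07 00 c0 05 00  ................
0010 - 80 03 00 80 01 00 80 06-00 40 04 00 80 02 00 80  .........@......
0020 - 05 95 34 9c f1 0f 0b 5d-59 32 7c 44 86 f8 06 59  ..4....]Y2|D...Y
read from 0x1001ccdc0 [0x1001e0a90] (2 bytes => 2 (0x2))
0000 - 32 32                                             22
read from 0x1001ccdc0 [0x1001e0a92] (12851 bytes => 18 (0x12))
0000 - 30 20 28 76 73 46 54 50-64 20 32 2e 30 2e 31 29  0 (vsFTPd 2.0.1)
0010 - 0d 0a                                            ..
"""


def parse_dump(text):
    """Return one dict per read/write: direction, declared byte count, reassembled data."""
    frames, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # "(N bytes => M (0x..))": M is what was actually transferred
            cur = {"direction": m.group(1).split()[0], "declared": int(m.group(3)),
                   "data": bytearray(), "padded": False}
            frames.append(cur)
            continue
        if cur is None:
            continue
        m = HEXLINE.match(line)
        if m:  # the offset column must agree with the bytes collected so far
            if int(m.group(1), 16) != len(cur["data"]):
                raise ValueError("offset mismatch: " + line)
            cur["data"] += bytes.fromhex(m.group(2).replace("-", " ").strip())
            continue
        m = TRIMMED.match(line)
        if m:  # openssl trimmed trailing NUL/space bytes; assume NUL and restore the length
            cur["data"] += b"\x00" * (int(m.group(1), 16) - len(cur["data"]))
            cur["padded"] = True
    for f in frames:
        f["data"] = bytes(f["data"])
        if len(f["data"]) != f["declared"]:
            raise ValueError("got %d bytes, header said %d" % (len(f["data"]), f["declared"]))
    return frames


def classify(data):
    """Describe what the first bytes of a frame look like."""
    b = data
    if len(b) >= 5 and b[0] in CONTENT_TYPES and b[1] == 3:  # SSLv3/TLS record header
        info = {"kind": "tls_record", "content_type": CONTENT_TYPES[b[0]],
                "version_name": VERSIONS.get((b[1], b[2]), "unknown"), "length": (b[3] << 8) | b[4]}
        info["complete"] = 5 + info["length"] == len(b)
        if b[0] == 0x15 and len(b) >= 7:  # alert body: level, description
            info["alert"] = ("fatal" if b[5] == 2 else "warning", ALERTS.get(b[6], str(b[6])))
        return info
    if len(b) >= 3 and b[0] & 0x80:  # SSLv2 record with a 2-byte length header
        info = {"kind": "sslv2_record", "length": ((b[0] & 0x7F) << 8) | b[1], "msg_type": b[2]}
        info["complete"] = 2 + info["length"] == len(b)
        if b[2] == 1 and len(b) >= 11:  # CLIENT-HELLO: version, cipher/session/challenge lengths
            info["version"] = (b[3] << 8) | b[4]
            cipher_len = (b[5] << 8) | b[6]
            info["cipher_specs"] = [b[i:i + 3].hex() for i in range(11, 11 + cipher_len, 3)]
        return info
    if b and all(c in b"\r\n\t" or 0x20 <= c < 0x7F for c in b):
        return {"kind": "plaintext", "text": b.decode("ascii")}
    return {"kind": "unknown", "head": b[:8].hex()}


def summarize(text):
    """(direction, declared length, classification) for every frame in a dump."""
    return [(f["direction"], f["declared"], classify(f["data"])) for f in parse_dump(text)]


if __name__ == "__main__":
    for direction, n, info in summarize(SAMPLE_DUMP):
        print("%-5s %3d bytes: %s" % (direction, n, info))
```

The plaintext `220` reply is the greeting an FTP server sends as soon as the TCP connection opens. Explicit FTPS on port 21 (RFC 4217) starts in plain FTP and upgrades with `AUTH TLS`, which `openssl s_client` does when given `-starttls ftp` and libcurl does for a plain `ftp://` URL when `CURLOPT_USE_SSL` is set to `CURLUSESSL_ALL`; `CURLOPT_SSLVERSION` only chooses the protocol version once that TLS handshake actually begins.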
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-04-22