curl-users
Re: Different curl version talking to 1and1 exchange server
Date: Fri, 28 Nov 2014 13:28:20 -0600
> On Nov 27, 2014, at 5:04 PM, Dave Hodgkinson <davehodg_at_gmail.com> wrote:
>
> Chaps,
>
> If anyone can help, that would be awesome! Kinda flailing a little here. $boss did some curl to talk to a 1&1 Exchange server (2010 I think). His script worked fine on curl 7.32, it seems to negotiate SSLv3:
>
> * About to connect() to 1.exchange.1and1.eu port 443 (#0)
> * Trying 217.160.154.197...
> * Adding handle: conn: 0x7fdda1808400
> * Adding handle: send: 0
> * Adding handle: recv: 0
> * Curl_addHandleToPipeline: length: 1
> * - Conn 0 (0x7fdda1808400) send_pipe: 1, recv_pipe: 0
> * Connected to 1.exchange.1and1.eu (217.160.154.197) port 443 (#0)
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using AES256-SHA
> * Server certificate:
> * subject: C=DE; O=1&1 Internet AG; ST=Rhineland-Palatinate; L=Montabaur; emailAddress=server-certs_at_1und1.de; CN=1.exchange.1and1.eu
> * start date: 2014-04-28 08:05:43 GMT
> * expire date: 2017-05-03 23:59:59 GMT
> * subjectAltName: 1.exchange.1and1.eu matched
> * issuer: C=DE; O=T-Systems International GmbH; OU=T-Systems Trust Center; ST=Nordrhein Westfalen; postalCode=57250; L=Netphen; street=Untere Industriestr. 20; CN=TeleSec ServerPass DE-2
> * SSL certificate verify ok.
> * Server auth using NTLM with user 'him_at_crowdca.lc'
> > POST /EWS/Exchange.asmx HTTP/1.1
> > Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
> > User-Agent: curl/7.32.0
>
> etc.
>
> However, my Mac and Ubuntu VMs on 7.37.1 (and also compiled latest) seem to decide that TLS is the way forward and fail horribly:
>
> * Hostname was NOT found in DNS cache
> * Trying 217.160.154.197...
> * Connected to 1.exchange.1and1.eu (217.160.154.197) port 443 (#0)
> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> * Server certificate: 1.exchange.1and1.eu
> * Server certificate: TeleSec ServerPass DE-2
> * Server certificate: Deutsche Telekom Root CA 2
> * Server auth using NTLM with user 'him_at_crowdca.lc'
> > POST /EWS/Exchange.asmx HTTP/1.1
> > Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
> > User-Agent: curl/7.37.1
> > Accept: */*
> > x-lwp-version: 6.08
> > x-xml-libxml-version: 2.0105
> > x-xml-compile-version: 1.47
> > x-xml-compile-cache-version: 1.02
> > x-xml-compile-soap-version: 3.05
> > Host: 1.exchange.1and1.eu
> > Content-Type: text/xml; charset=utf-8
> > soapaction: "http://schemas.microsoft.com/exchange/services/2006/messages/GetFolder"
> >
> < HTTP/1.1 411 Length Required
> < Content-Type: text/html; charset=us-ascii
> * Server Microsoft-HTTPAPI/2.0 is not blacklisted
> < Server: Microsoft-HTTPAPI/2.0
> < Date: Thu, 27 Nov 2014 17:40:10 GMT
> < Connection: close
> < Content-Length: 344
> <
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
> <HTML><HEAD><TITLE>Length Required</TITLE>
> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
> <BODY><h2>Length Required</h2>
> <hr><p>HTTP Error 411. The request must be chunked or have a content length.</p>
> </BODY></HTML>
> * Closing connection 0
>
>
> This is just for a proof of concept. Is there a way of getting the more recent version to do what the old one did? I've tried switches like -3 and coercing ciphers but to no avail.
This actually has nothing to do with SSLv3 and TLS. What you are seeing is the output of two different TLS back-ends. The OpenSSL back-end always says "SSLv3, TLS" while it's doing the handshake, and will tell you the cipher-suite, but it doesn't tell you the real SSL or TLS protocol in use. The Secure Transport back-end (used by Apple's curl) will tell you both the protocol and the cipher-suite in use.
In fact, SSLv3 is now deprecated, and you shouldn't use it anymore. It looks like your server supports TLS 1.2, which is great.
The problem here is, it is highly unusual to send a POST command to a server without providing any data to upload, but that is what you are doing in the second output, and the server is trying to tell you that it expected data but received none. I see the Content-Type: header was set, which is good, but you need to give curl some data to upload.
Nick Zitzmann
<http://www.chronosnet.com/>
Received on 2014-11-28
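
The following is an added example, not part of the original messages and not code from the curl project. It reads a `curl -v` trace and reports only what the trace actually states: the negotiated protocol when the back-end prints it, the cipher suite, and whether a POST went out without body framing headers. The sample traces are constructed, abridged from the two outputs quoted in the thread, and the line patterns are assumptions based on those outputs.

```python
import re

# Constructed samples, abridged from the two traces quoted in the thread.
OPENSSL_TRACE = """\
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSL connection using AES256-SHA
"""
SECTRANSP_TRACE = """\
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> POST /EWS/Exchange.asmx HTTP/1.1
> User-Agent: curl/7.37.1
> Content-Type: text/xml; charset=utf-8
>
< HTTP/1.1 411 Length Required
"""

def analyze(trace):
    """Summarise the TLS and HTTP facts a curl -v trace actually states."""
    info = {"protocol": None, "cipher": None, "method": None,
            "body_framing": False, "status": None}
    for line in trace.splitlines():
        # Secure Transport style: protocol and cipher suite on one line.
        m = re.match(r"\* ((?:TLS|SSL) [\d.]+) connection using (\S+)", line)
        if m:
            info["protocol"], info["cipher"] = m.groups()
            continue
        # OpenSSL style: cipher suite only. The "SSLv3, TLS handshake" lines
        # are message labels and do not state the negotiated version.
        m = re.match(r"\* SSL connection using (\S+)", line)
        if m:
            info["cipher"] = m.group(1)
            continue
        m = re.match(r"> ([A-Z]+) \S+ HTTP/", line)
        if m:
            info["method"] = m.group(1)
        elif re.match(r"> (Content-Length|Transfer-Encoding):", line, re.I):
            info["body_framing"] = True
        m = re.match(r"< HTTP/[\d.]+ (\d{3})", line)
        if m:
            info["status"] = int(m.group(1))
    # A POST with neither Content-Length nor Transfer-Encoding carries no body.
    info["post_without_body"] = info["method"] == "POST" and not info["body_framing"]
    return info
```

A `protocol` of `None` means the trace does not say which version was negotiated, so it should not be read as evidence of SSLv3.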