curl-users
Re: ssl failure, MITM attack?
Date: Thu, 2 Feb 2017 11:41:30 -0500
When connected the site negotiated:
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
In my case there is an upstream proxy that doesn't seem to support TLS 1.2
keeping me from connecting, so the .gov site must have TLS < 1.2 disabled.
If I bypass the proxy then curl seems to connect without issue.
On Thu, Feb 2, 2017 at 2:59 AM, Ray Satiro via curl-users <
curl-users_at_cool.haxx.se> wrote:
> On 2/1/2017 12:10 PM, David Niklas wrote:
>
> I wanted to get a link from a US gov website. firefox was taking all
> eternity, so I decided to use curl.
> My system clock is set correctly, I have an up-to-date system, with
> associated up-to-date certs.
> My problem is that I had to try downloading three times before I got the
> file. The first had the below error, the second stopped part way through.
> I'm curious to know if I'm being MITM attacked.
>
> Linux ulgy_thing 4.4.39-gentoo-nopreempt-dav2 #1 SMP Thu Dec 22 16:14:17
> UTC 2016 x86_64 Intel(R) Pentium(R) CPU 2117U @ 1.80GHz GenuineIntel
> GNU/Linux
>
> My curl version is:
>
> curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2j
> zlib/1.2.11 libidn2/0.11 libssh2/1.7.0 nghttp2/1.10.0 librtmp/2.3
> Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s
> rtmp rtsp scp sftp smtp smtps telnet tftp Features: AsynchDNS IDN IPv6
> Largefile GSS-API Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 UnixSockets
> HTTPS-proxy Metalink
>
>
> % curl -vD- -o Downloads/2016-24888.pdfhttps://www.gpo.gov/fdsys/pkg/FR-2016-10-17/pdf/2016-24888.pdf
> % Total % Received
> % Xferd Average Speed Time Time Time Current Dload Upload
> Total Spent Left Speed 0 0 0 0 0 0 0 0
> --:--:-- --:--:-- --:--:--
> 0*
> Trying 162.140.14.20...
> * TCP_NODELAY set
> * Connected to www.gpo.gov (162.140.14.20) port 443 (#0)
> 0 0 0 0 0 0 0 0 --:--:-- 0:00:01
> --:--:--
> 0*
> ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection:
> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: /etc/ssl/certs/ca-certificates.crt
> CApath: /etc/ssl/certs
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> } [5 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> } [512 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> { [91 bytes data]
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> { [3517 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> { [333 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> { [4 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> } [70 bytes data]
> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
> } [1 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> } [16 bytes data]
> 0 0 0 0 0 0 0 0 --:--:-- 0:00:11
> --:--:--
> 0*
> Unknown SSL protocol error in connection to www.gpo.gov:443
> * Curl_http_done: called premature == 1
> * stopped the pause stream!
> 0 0 0 0 0 0 0 0 --:--:-- 0:00:12
> --:--:-- 0
> * Closing connection 0
> curl: (35) Unknown SSL protocol error in connection to www.gpo.gov:443
> % echo $?
> 35
>
>
> Is it reproducible? I tried multiple times in the latest all of OpenSSL,
> wolfSSL, mbedTLS and WinSSL both this afternoon and this evening and cannot
> reproduce in any of them. I tried both release 7.52.1 and latest repo
> master. My guess is it was a server problem.
>
> If someone was trying to MITM you maybe they'd take advantage of your SSL
> library (unlikely since you're using the latest version) or have
> certificates not signed by your certificate authority (also unlikely since
> curl will show you an error message in those cases). Whether or not someone
> is doing that to you I don't know, I just think it's unlikely given that it
> dies like that.
>
> There is an SSL issue in curl 7.52.1 that has since been fixed in the repo
> but in the meantime has bit a few people [1]. I'm not sure why it's a
> problem for some people and not others. If you can reproduce your transfer
> problem in 7.52.1 try building curl from the repo with the same OpenSSL and
> see if you can still reproduce, because maybe you are experiencing that
> issue.
>
> [1]: https://github.com/curl/curl/issues/1174
>
>
> -----------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
> Etiquette: https://curl.haxx.se/mail/etiquette.html
>
>
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-02-02