
curl-users

Re: ssl failure, MITM attack?

From: CJ Ess <zxcvbn4038_at_gmail.com>
Date: Thu, 2 Feb 2017 11:41:30 -0500

When connected the site negotiated:

* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

In my case there is an upstream proxy that doesn't seem to support TLS 1.2
keeping me from connecting, so the .gov site must have TLS < 1.2 disabled.
If I bypass the proxy then curl seems to connect without issue.

On Thu, Feb 2, 2017 at 2:59 AM, Ray Satiro via curl-users <curl-users_at_cool.haxx.se> wrote:

> On 2/1/2017 12:10 PM, David Niklas wrote:
>
> I wanted to get a link from a US gov website. Firefox was taking all
> eternity, so I decided to use curl.
> My system clock is set correctly, I have an up-to-date system, with
> associated up-to-date certs.
> My problem is that I had to try downloading three times before I got the
> file. The first had the below error, the second stopped part way through.
> I'm curious to know if I'm being MITM attacked.
>
> Linux ulgy_thing 4.4.39-gentoo-nopreempt-dav2 #1 SMP Thu Dec 22 16:14:17
> UTC 2016 x86_64 Intel(R) Pentium(R) CPU 2117U @ 1.80GHz GenuineIntel
> GNU/Linux
>
> My curl version is:
>
> curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2j
> zlib/1.2.11 libidn2/0.11 libssh2/1.7.0 nghttp2/1.10.0 librtmp/2.3
> Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s
> rtmp rtsp scp sftp smtp smtps telnet tftp Features: AsynchDNS IDN IPv6
> Largefile GSS-API Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 UnixSockets
> HTTPS-proxy Metalink
>
>
> % curl -vD- -o Downloads/2016-24888.pdf https://www.gpo.gov/fdsys/pkg/FR-2016-10-17/pdf/2016-24888.pdf
> % Total % Received
> % Xferd Average Speed Time Time Time Current Dload Upload
> Total Spent Left Speed 0 0 0 0 0 0 0 0
> --:--:-- --:--:-- --:--:--
> 0*
> Trying 162.140.14.20...
> * TCP_NODELAY set
> * Connected to www.gpo.gov (162.140.14.20) port 443 (#0)
> 0 0 0 0 0 0 0 0 --:--:-- 0:00:01
> --:--:--
> 0*
> ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection:
> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: /etc/ssl/certs/ca-certificates.crt
> CApath: /etc/ssl/certs
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> } [5 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> } [512 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> { [91 bytes data]
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> { [3517 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> { [333 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> { [4 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> } [70 bytes data]
> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
> } [1 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> } [16 bytes data]
> 0 0 0 0 0 0 0 0 --:--:-- 0:00:11
> --:--:--
> 0*
> Unknown SSL protocol error in connection to www.gpo.gov:443
> * Curl_http_done: called premature == 1
> * stopped the pause stream!
> 0 0 0 0 0 0 0 0 --:--:-- 0:00:12
> --:--:-- 0
> * Closing connection 0
> curl: (35) Unknown SSL protocol error in connection to www.gpo.gov:443
> % echo $?
> 35
>
>
> Is it reproducible? I tried multiple times in the latest all of OpenSSL,
> wolfSSL, mbedTLS and WinSSL both this afternoon and this evening and cannot
> reproduce in any of them. I tried both release 7.52.1 and latest repo
> master. My guess is it was a server problem.
>
> If someone was trying to MITM you maybe they'd take advantage of your SSL
> library (unlikely since you're using the latest version) or have
> certificates not signed by your certificate authority (also unlikely since
> curl will show you an error message in those cases). Whether or not someone
> is doing that to you I don't know, I just think it's unlikely given that it
> dies like that.
>
> There is an SSL issue in curl 7.52.1 that has since been fixed in the repo
> but in the meantime has bit a few people [1]. I'm not sure why it's a
> problem for some people and not others. If you can reproduce your transfer
> problem in 7.52.1 try building curl from the repo with the same OpenSSL and
> see if you can still reproduce, because maybe you are experiencing that
> issue.
>
> [1]: https://github.com/curl/curl/issues/1174
>
>

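The point Ray makes above, that a MITM presenting a certificate your CA store does not trust produces a certificate error rather than an "Unknown SSL protocol error", can be checked mechanically from curl's `-v` output. The following is an added example, not code from the thread or from the curl project: a small parser for the `* TLSv1.2 (IN|OUT), TLS handshake, <name> (<type>):` lines curl prints and the final `curl: (N) ...` line. It reports which handshake message the server last sent and classifies the failure. The stage labels are this script's own; exit codes 35 (SSL connect error) and 60 (peer certificate cannot be authenticated) are curl's documented codes. The first sample is the trace quoted in this thread (mail quoting kept on purpose); the other two traces are constructed to show the certificate-failure and no-ServerHello cases, and the host `proxy.example` in the last one is a placeholder.

```python
"""Classify how far a curl -v TLS handshake got before it failed.

Added example for the curl-users thread; not curl project code. Stage
names are this script's own labels; 35 and 60 are curl's exit codes.
"""
import re
from typing import Dict, List, Optional, Tuple

HANDSHAKE_RE = re.compile(
    r"^\* (?P<ver>TLSv[\d.]+) \((?P<dir>IN|OUT)\), TLS handshake, "
    r"(?P<name>.+?) \((?P<type>\d+)\):$"
)
CURL_EXIT_RE = re.compile(r"^curl: \((?P<code>\d+)\) (?P<text>.+)$")
# curl built against OpenSSL reports verification failures with this prefix.
CERT_PROBLEM_RE = re.compile(r"SSL certificate problem|certificate verify failed")

SERVER_HELLO = 2   # TLS HandshakeType values as printed by curl
FINISHED = 20

EXPLANATIONS = {
    "certificate_rejected": "peer certificate failed verification (curl 60); "
                            "the symptom an interposed TLS endpoint would give",
    "no_server_hello": "no ServerHello came back; version/protocol mismatch or "
                       "an intermediary that does not speak the offered TLS",
    "aborted_after_client_finished": "server (or intermediary) dropped the "
                                     "session after our Finished; not a cert problem",
    "aborted_mid_handshake": "handshake stopped before the client Finished",
    "handshake_completed": "server Finished received; TLS session established",
}


def _strip_quote(line: str) -> str:
    """Drop mail-style '> ' quoting so a trace pasted from a reply still parses."""
    return re.sub(r"^(>\s*)+", "", line).rstrip()


def parse_trace(lines: List[str]) -> Dict[str, object]:
    events: List[Tuple[str, str, int]] = []   # (direction, message name, type)
    exit_code: Optional[int] = None
    cert_problem = False
    for raw in lines:
        line = _strip_quote(raw)
        if CERT_PROBLEM_RE.search(line):
            cert_problem = True
        m = HANDSHAKE_RE.match(line)
        if m:
            events.append((m["dir"], m["name"], int(m["type"])))
            continue
        m = CURL_EXIT_RE.match(line)
        if m:
            exit_code = int(m["code"])
    return {"events": events, "exit_code": exit_code, "cert_problem": cert_problem}


def classify(trace: Dict[str, object]) -> str:
    seen = {(d, t) for d, _, t in trace["events"]}
    if trace["cert_problem"] or trace["exit_code"] == 60:
        return "certificate_rejected"
    if ("IN", SERVER_HELLO) not in seen:
        return "no_server_hello"
    if ("IN", FINISHED) in seen:
        return "handshake_completed"
    if ("OUT", FINISHED) in seen:
        return "aborted_after_client_finished"
    return "aborted_mid_handshake"


def diagnose(lines: List[str]) -> Dict[str, object]:
    trace = parse_trace(lines)
    incoming = [name for d, name, _ in trace["events"] if d == "IN"]
    stage = classify(trace)
    return {"stage": stage, "exit_code": trace["exit_code"],
            "last_server_message": incoming[-1] if incoming else None,
            "explanation": EXPLANATIONS[stage]}


# Sample 1: the trace quoted in this thread, with its '> ' quoting left in.
QUOTED_TRACE = """
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> { [3517 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * Unknown SSL protocol error in connection to www.gpo.gov:443
> * Closing connection 0
> curl: (35) Unknown SSL protocol error in connection to www.gpo.gov:443
""".strip().splitlines()

# Sample 2 (constructed): untrusted certificate, the MITM-style symptom.
CERT_FAILURE_TRACE = """
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
""".strip().splitlines()

# Sample 3 (constructed, placeholder host): nothing answers the ClientHello.
NO_SERVER_HELLO_TRACE = """
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to proxy.example:443
curl: (35) Unknown SSL protocol error in connection to proxy.example:443
""".strip().splitlines()

if __name__ == "__main__":
    for name, sample in [("thread", QUOTED_TRACE), ("cert", CERT_FAILURE_TRACE),
                         ("proxy", NO_SERVER_HELLO_TRACE)]:
        print(name, diagnose(sample))
```

Run it on any `curl -v` capture (pipe `curl -v ... 2>&1` into a file and pass its lines to `diagnose`). For the thread's trace it reports that the server's last message was `Server finished` and the session died after the client's `Finished`, which is consistent with Ray's reading (a server-side or intermediary problem) and with CJ Ess's proxy explanation, and unlike the certificate-rejection shape.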
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-02-02