curl-library

Re: Problem using FTPS through HTTP Proxy (crash in cURL library)

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 13 Sep 2006 09:48:30 +0200 (CEST)

On Tue, 12 Sep 2006, Rocha, Marcos wrote:

> I'm using the cURL library for implementing an FTPS client that connects to an
> FTPS server based on the QuickServer Java Library
> (http://www.quickserver.org/). Everything works fine if I directly connect
> to the server. However, if I connect to the server through an HTTP-Proxy and
> encryption is enabled (FTPS), I get a segmentation fault on the cURL client
> (uninitialized pointer). For the client-server communication I'm using FTPS
> with implicit SSL protection - that means that both the control and the data
> channel are encrypted.

Explicit FTPS also usually has both connections encrypted...

> By enabling cURL's debugging option and by instrumenting the source code I
> was able to find out the reason for the crash. Everything works fine for the
> control connection. The segmentation fault occurs when the cURL library
> tries to establish the data connection through the HTTP-Proxy

I take it you're "tunneling" through the proxy (using CONNECT) when you do
this, aren't you?

> cURL erroneously assumes that the Connection-Request to the HTTP-Proxy (for
> setting-up the data channel) is SSL encrypted. Then it calls SSL_write
> passing a non-initialized ssl-handle, which leads to a crash in the libssl.

I'm not really following here. Why is that connection not encrypted then?

> I have a fix for this misbehavior. However, I'm not sure if this is the most
> elegant fix... Maybe someone has another idea how this should be fixed?

I'm not quite understanding what you're doing so I can't really comment on
what the best fix would be.

> My fix simply introduces a check for the initialization of the SSL handle.
> If the handle has not been initialized, data is simply read/written from/to
> the socket without any encryption. After the SSL connection through the
> proxy is established, the data gets encrypted as usual.

I see what your suggested change does but I don't see why you need it. And
BTW, consider using 'diff -u' to produce patches for posting.

Can you please provide us with a sample source code for an application that
repeats this problem of yours?

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2006-09-13