
curl-library

Re: [PATCH] nss: try to reconnect in case of TLS intolerant server

From: Guenter <lists_at_gknw.net>
Date: Sun, 18 Oct 2009 23:51:11 +0200

Hi,
Kaspar Brand wrote:
> - libcurl versions compiled against OpenSSL or GnuTLS will most likely
> suffer from the same problem, so maybe an implementation with fallback
> to "extension-less" TLS (or even SSL 3.0) would better go into
> lib/sslgen.c, not into lib/nss.c only?
I tested a curl version built with OpenSSL, and there was no prob with
the mentioned URLs; a curl version built with NSS failed, and -3
'solved' it ...

see attached log.

Gün.

##########################################################################
curl -svI https://www.orange.sk > tmp/broken_tls_servers.txt 2>&1
--------------------------------------------------------------------------
* About to connect() to www.orange.sk port 443 (#0)
* Trying 213.151.200.57... connected
* Connected to www.orange.sk (213.151.200.57) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using AES256-SHA
* Server certificate:
* subject: 1.3.6.1.4.1.311.60.2.1.3=SK; 2.5.4.15=V1.0, Clause 5.(b); serialNumber=35 697 270; C=SK; postalCode=82109; ST=SK; L=Bratislava; streetAddress=Prievozska 6/A; O=Orange Slovakia a.s.; CN=www.orange.sk
* start date: 2009-08-14 00:00:00 GMT
* expire date: 2010-08-14 23:59:59 GMT
* common name: www.orange.sk (matched)
* issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)06; CN=VeriSign Class 3 Extended Validation SSL SGC CA
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.6 (x86_64-unknown-linux-gnu) libcurl/7.19.6 OpenSSL/0.9.8i zlib/1.2.3 libidn/1.10 libssh2/0.19.0-20080814
> Host: www.orange.sk
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 18 Oct 2009 21:45:07 GMT
< Server: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
< Set-Cookie: JSESSIONID=0a19055130d61c04c6bb3b9440e5b6b897a8feaea215.e3eMbN0LbNiPe3qTb30Oax8Sc40; path=/web
< Expires: Sun, 18 Oct 2009 21:45:17 GMT
< Surrogate-Control: max-age="10"
< Content-Type: text/html; charset=ISO-8859-2
< X-Cache: MISS from www.orange.sk
* no chunk, no close, no size. Assume close to signal end
<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
} [data not shown]
HTTP/1.1 200 OK
Date: Sun, 18 Oct 2009 21:45:07 GMT
Server: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
Set-Cookie: JSESSIONID=0a19055130d61c04c6bb3b9440e5b6b897a8feaea215.e3eMbN0LbNiPe3qTb30Oax8Sc40; path=/web
Expires: Sun, 18 Oct 2009 21:45:17 GMT
Surrogate-Control: max-age="10"
Content-Type: text/html; charset=ISO-8859-2
X-Cache: MISS from www.orange.sk

##########################################################################
nsscurl -svI https://www.orange.sk >> tmp/broken_tls_servers.txt 2>&1
--------------------------------------------------------------------------
* About to connect() to www.orange.sk port 443 (#0)
* Trying 213.151.200.57... connected
* Connected to www.orange.sk (213.151.200.57) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
* CAfile: none
  CApath: none
* NSS error -12226
* Closing connection #0
* SSL connect error
##########################################################################
nsscurl -svI3 https://www.orange.sk >> tmp/broken_tls_servers.txt 2>&1
--------------------------------------------------------------------------
* About to connect() to www.orange.sk port 443 (#0)
* Trying 213.151.200.57... connected
* Connected to www.orange.sk (213.151.200.57) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
* CAfile: none
  CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_MD5
* Server certificate:
* subject: CN=www.orange.sk,O=Orange Slovakia a.s.,OID.2.5.4.9=Prievozska 6/A,L=Bratislava,ST=SK,postalCode=82109,C=SK,serialNumber=35 697 270,OID.2.5.4.15="V1.0, Clause 5.(b)",OID.1.3.6.1.4.1.311.60.2.1.3=SK
* start date: Aug 14 00:00:00 2009 GMT
* expire date: Aug 14 23:59:59 2010 GMT
* common name: www.orange.sk
* issuer: CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.7-20090910 (x86_64-unknown-linux-gnu) libcurl/7.19.7-20090910 NSS/3.12.4.5 zlib/1.2.3 libidn/1.10 libssh2/0.19.0-20080814
> Host: www.orange.sk
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 18 Oct 2009 21:46:06 GMT
< Server: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
< Set-Cookie: JSESSIONID=0a19055a30d782e469d6d3f249aa8374d0af77a39011.e3eNaNiRah4Pe3aSch8Sch0Nay0; path=/web
< Expires: Sun, 18 Oct 2009 21:46:16 GMT
< Surrogate-Control: max-age="10"
< Content-Type: text/html; charset=ISO-8859-2
< X-Cache: MISS from www.orange.sk
* no chunk, no close, no size. Assume close to signal end
<
* Closing connection #0
HTTP/1.1 200 OK
Date: Sun, 18 Oct 2009 21:46:06 GMT
Server: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
Set-Cookie: JSESSIONID=0a19055a30d782e469d6d3f249aa8374d0af77a39011.e3eNaNiRah4Pe3aSch8Sch0Nay0; path=/web
Expires: Sun, 18 Oct 2009 21:46:16 GMT
Surrogate-Control: max-age="10"
Content-Type: text/html; charset=ISO-8859-2
X-Cache: MISS from www.orange.sk

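As an added triage helper that is not part of this mail or of curl itself: the script below parses `curl -v` output in the layout of the attached log (a `####` separator, the command line, then curl's `*`/`<` lines) and flags a server as TLS-intolerant when the default handshake fails (here NSS error -12226) but the same host answers once `-3` forces SSLv3. The sample log is constructed and abridged from the runs above; the run separator, flag parsing and line prefixes are assumptions about that format.

```python
import re

# Constructed sample, abridged from the curl -v runs quoted in the mail:
# OpenSSL build, NSS build failing by default, NSS build retried with -3.
SAMPLE_LOG = """\
##########################################################################
curl -svI https://www.orange.sk > tmp/broken_tls_servers.txt 2>&1
* SSL connection using AES256-SHA
< HTTP/1.1 200 OK
##########################################################################
nsscurl -svI https://www.orange.sk >> tmp/broken_tls_servers.txt 2>&1
* NSS error -12226
* SSL connect error
##########################################################################
nsscurl -svI3 https://www.orange.sk >> tmp/broken_tls_servers.txt 2>&1
* SSL connection using SSL_RSA_WITH_RC4_128_MD5
< HTTP/1.1 200 OK
"""

CMD_RE = re.compile(r"^\S*curl\s+(-\S+)\s+(\S+)")  # bundled flags, URL

def parse_runs(log):
    """One dict per curl invocation; runs are split on the '####' lines."""
    runs = []
    for chunk in re.split(r"^#{10,}\s*$", log, flags=re.M):
        lines = [l for l in chunk.splitlines() if l.strip()]
        m = CMD_RE.match(lines[0]) if lines else None
        if not m:
            continue
        flags, url = m.groups()
        run = {"url": url, "forced_sslv3": "3" in flags,
               "cipher": None, "nss_error": None, "ok": False}
        for line in lines[1:]:
            if line.startswith("* SSL connection using "):
                run["cipher"] = line.split("using ", 1)[1]
            elif line.startswith("* NSS error "):
                run["nss_error"] = int(line.split()[-1])
            elif line.startswith("< HTTP/"):
                run["ok"] = True  # a response came back: handshake succeeded
        runs.append(run)
    return runs

def classify(runs):
    """'tls-intolerant' if a default handshake failed but forcing SSLv3 got
    through; 'ok' if every run succeeded; 'failed' otherwise."""
    default_failed = any(not r["ok"] and not r["forced_sslv3"] for r in runs)
    forced_ok = any(r["ok"] and r["forced_sslv3"] for r in runs)
    if default_failed and forced_ok:
        return "tls-intolerant"
    return "ok" if all(r["ok"] for r in runs) else "failed"
```

Note that the `-3` run above negotiated `SSL_RSA_WITH_RC4_128_MD5`, so a fallback of this kind trades a failed connection for a markedly weaker cipher; the parser records the cipher so that trade is visible.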
Received on 2009-10-18