curl-library

Re: libcurl and https problem

From: Daan Try <daan.try_at_gmail.com>
Date: Fri, 02 Sep 2011 09:22:14 +0200

On 02-Sep-11 09:00, Daniel Stenberg wrote:
> As the error message says, you get problems because the server seems
> to ask for an "unsafe legacy renegotiation" and modern TLS
> implementations will not agree to do that as that's a major security
> problem. Possibly you can ask the admins of the particular server
> about this.
Is it the server that asks for this? That seems weird because my
provider claims they tightened the SSL settings. Isn't it my
application that requests the legacy renegotiation and the server
refusing that? I think I am missing some curl_easy_setopt that enables
the non-legacy SSL negotiations.

Code snippet of my program:

         curl = curl_easy_init();
         if(curl)
         {
             /* URLEncode the strings */
             encoded_msg = curl_easy_escape(curl, msg.rawtxt, 0);
             encoded_key = curl_easy_escape(curl,
                                            crypt(msg.rawtxt, params->key), 0);
             snprintf(station_id_string, 15, "%d", params->station_id);
             snprintf(time_string, 31, "%ld", (long)msg.timestamp);
             snprintf(testing_string, 16, "%d", params->testing);

             // Reset the pointers and create the form
             formpost = NULL;
             lastptr = NULL;
             curl_formadd(&formpost, &lastptr,
                          CURLFORM_COPYNAME, "feed_station",
                          CURLFORM_COPYCONTENTS, station_id_string,
                          CURLFORM_END);

             /* Fill in the timestamp field */
             curl_formadd(&formpost, &lastptr,
                          CURLFORM_COPYNAME, "timestamp",
                          CURLFORM_COPYCONTENTS, time_string,
                          CURLFORM_END);

             /* Fill in the testing field */

... more curl_formadd() statements here ...

             /* initialize custom header list (stating that Expect:
                100-continue is not wanted) */
             headerlist = curl_slist_append(NULL, buf);
             /* what URL that receives this POST */
             curl_easy_setopt(curl, CURLOPT_URL, params->post_url);
             curl_easy_setopt(curl, CURLOPT_HTTPPOST, formpost);
             /* No HTTPS certificate checks */
             curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
             curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
             /* Make the HTTPS request */
             curl_result = curl_easy_perform(curl);
             curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &return_code);
             // Check HTTPrequest result
             if((curl_result != CURLE_OK) || (return_code != 200))
             {
                 write_log(LOG_WARNING,
                           "Failed to upload record. HTTP response code %ld",
                           return_code);
             }
             /* always cleanup */
             curl_free(encoded_msg);
             curl_free(encoded_key);

             /* free slist */
             curl_slist_free_all(headerlist);
             /* then cleanup the formpost chain */
             curl_formfree(formpost);

             // Done
             curl_easy_cleanup(curl);
         }

>
> I found a decent summary of the renegotiation problem here:
> http://lwn.net/Articles/362234/
Thanks. I'll study this.

Received on 2011-09-02