curl-library
Re: Bug#685402: libcurl3-gnutls: curl_easy_perform() fails with error 35 (SSL connect error)
Date: Mon, 20 Aug 2012 19:35:50 +0200
[ CCing curl-library mailing list ]
Hi,
On Mon, Aug 20, 2012 at 04:03:38PM +0200, Olivier Berger wrote:
> I've compiled the https.c example (http://curl.haxx.se/libcurl/c/https.html),
> adapted to connect to fusionforge.int-evry.fr on port 443, adding :
> curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
> #define SKIP_PEER_VERIFICATION 1
> #define SKIP_HOSTNAME_VERIFICATION 1
> with :
> $ gcc -g -o https https.c -l curl
>
> I'm getting :
> $ ./https
> * About to connect() to fusionforge.int-evry.fr port 443 (#0)
> * Trying 157.159.11.57...
> * connected
> * Connected to fusionforge.int-evry.fr (157.159.11.57) port 443 (#0)
> * found 0 certificates in /etc/ssl/certs/ca-certificates.crt
> * gnutls_handshake() failed: A TLS warning alert has been received.
> * Closing connection #0
> * SSL connect error
> curl_easy_perform() failed: error 35
> curl_easy_perform() failed: SSL connect error
>
> It looks like a handshake error, but I cannot manage to go any further at understanding the problem.

Seems like something on the server-side, but AFAICT it only happens with GnuTLS:
> % gnutls-cli --insecure -p 443 fusionforge.int-evry.fr
> [...]
> *** Non fatal error: A TLS warning alert has been received.
> *** Received alert [112]: The server name sent was not recognized
> [...]

Though, being a non-fatal error, IMO curl shouldn't fail (in fact gnutls-cli
proceeds fine after the warning). Also, maybe showing the actual alert instead
of "A TLS warning alert has been received" would be nice too.

Attached is a patch that calls gnutls_error_is_fatal() on the gnutls_handshake()
error code to check if it's fatal. Though I'm not sure if it is the correct fix.

I'll do some additional testing ASAP (when I have a bit of time), but in the
meantime any comment is appreciated.

Also attached is a minimal test case.

Cheers
-- perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
- text/x-diff attachment: 0001-gnutls-do-not-fail-on-non-fatal-handshake-errors.patch
- text/x-csrc attachment: test_685402.c
- application/pgp-signature attachment: Digital signature
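
The handshake handling proposed in the message above, modelled as an added example; it is not the attached patch and not curl's code. The `sim_*` functions, the `SIM_*`/`HS_*` codes and the `MAX_WARNINGS` cap are assumptions standing in for gnutls_handshake(), gnutls_error_is_fatal(), gnutls_alert_get() and the `GNUTLS_E_*` codes, so the control flow can run offline against a constructed trace.

```c
#include <stdio.h>

/* Constructed stand-ins for the GnuTLS codes named in the message; real code
 * takes GNUTLS_E_* from <gnutls/gnutls.h> and asks gnutls_error_is_fatal(). */
enum { SIM_OK = 0, SIM_E_AGAIN = -1, SIM_E_WARNING_ALERT = -2, SIM_E_FATAL_ALERT = -3 };
enum { HS_DONE = 0, HS_FATAL = -1, HS_TOO_MANY_WARNINGS = -2 };
#define MAX_WARNINGS 4   /* assumed cap so a peer cannot stall us with endless warnings */

/* Scripted fake session: each handshake step returns the next code. */
struct sim_session {
    const int *script;   /* return codes, in order */
    const int *alerts;   /* alert number that accompanies each step (0 = none) */
    int len, pos, last_alert;
};

static int sim_handshake(struct sim_session *s) {
    if (s->pos >= s->len) return SIM_E_FATAL_ALERT;  /* script exhausted */
    s->last_alert = s->alerts[s->pos];
    return s->script[s->pos++];
}

/* Stand-in for gnutls_error_is_fatal(): only the fatal alert is fatal here. */
static int sim_error_is_fatal(int rc) { return rc == SIM_E_FATAL_ALERT; }

/* Drive the handshake: retry on non-fatal codes, record warning alerts,
 * stop on the first fatal code or when the warning budget is spent. */
int do_handshake(struct sim_session *s, int *warnings, int *last_warning_alert) {
    *warnings = 0; *last_warning_alert = 0;
    for (;;) {
        int rc = sim_handshake(s);
        if (rc == SIM_OK) return HS_DONE;
        if (sim_error_is_fatal(rc)) return HS_FATAL;
        if (rc == SIM_E_WARNING_ALERT) {
            *last_warning_alert = s->last_alert;   /* e.g. 112, unrecognized name */
            fprintf(stderr, "* TLS warning alert %d received, continuing\n", s->last_alert);
            if (++*warnings > MAX_WARNINGS) return HS_TOO_MANY_WARNINGS;
        }
        /* SIM_E_AGAIN and tolerated warnings: call the handshake again */
    }
}

int main(void) {
    /* Constructed trace modelled on the report: warning alert 112, then success. */
    const int script[] = { SIM_E_AGAIN, SIM_E_WARNING_ALERT, SIM_OK };
    const int alerts[] = { 0, 112, 0 };
    struct sim_session s = { script, alerts, 3, 0, 0 };
    int w, a, rc = do_handshake(&s, &w, &a);
    printf("result=%d warnings=%d last_alert=%d\n", rc, w, a);
    return rc == HS_DONE ? 0 : 1;
}
```

Logging the alert number at the point it is tolerated also covers the message's other request, that the actual alert be shown instead of a generic warning text.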