curl-library

Re: Making 7.27 problem

From: Jeff McKay <jeff.mckay_at_comaxis.com>
Date: Wed, 10 Oct 2012 09:33:33 -0700

On 10/9/2012 3:58 PM, Jeff McKay wrote:
> On 10/8/2012 9:53 AM, Marc Hoersken wrote:
>> Hi Jeff,
>>
>> 2012/10/8 Jeff McKay <jeff.mckay_at_comaxis.com>:
>>> I tried a quick test of 7.27/WinSSL using my existing application. I
>>> recompiled it using the new import library and headers, and
>>> substituted the new libcurl.dll. No changes to my coding. Initial results
>>> don't look too promising. I basically get the schannel error
>>> "failed to setup extended errors". I've attached the full curl logging.
>>> Since OpenSSL continues to work fine with 7.27 I'm not going
>>> to spend too much time on this, but if anyone has any suggestions about what
>>> the problem might be (perhaps I need to set
>>> some additional curl options?) I would appreciate it.
>> I am not sure if this one applies, but could you try to apply the
>> hotfix that is shown in the following link?
>> http://support.microsoft.com/kb/975858/en-us
>>
>> Another solution would be to (temporarily) remove the following lines
>> from curl source code in lib/curl_schannel.c:
>>
>>   if(!(connssl->ret_flags & ISC_RET_EXTENDED_ERROR))
>>     failf(data, "schannel: failed to setup extended errors");
>>
>>
> Hi Marc,
>
> I wanted to let you know that installing that patch does seem to get
> Win SSL working. I still have
> to hear from my customer about his situation. You might recall some
> earlier questions I posted about
> a strange problem with our application shutting down in the middle of
> a POST operation. My customer
> is pretty sharp and eventually determined that there is some problem
> with OpenSSL's support for
> the cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA". When he reconfigures his
> system to use a different
> cipher, the problem goes away. Unfortunately, his organization
> requires the use of that cipher
> exclusively. So I am hoping that using Win SSL will resolve the issue.

Further information on this: when my customer tries libcurl with
WinSSL, he is getting the error:

schannel: initial InitializeSecurityContext failed:
SEC_E_ALGORITHM_MISMATCH (0x80090331) - The client
and server cannot communicate, because they do not possess a common
algorithm.

Theorizing that TLS is the problem, he disabled it, forcing libcurl to
use SSLv3, and it works. However, he cannot
keep TLS disabled. I am going to try CURLOPT_SSLVERSION,
CURL_SSLVERSION_SSLv3. Will this work with WinSSL?
Is there any explanation about why the InitializeSecurityContext error
message happens? If switching to SSLv3
fixes it, then both client and server must have a common algorithm.

Received on 2012-10-10