
Re: cert verification problem on curl handle re-use

From: Mischa Salle <mischa.salle_at_gmail.com>
Date: Mon, 21 Jan 2013 12:35:24 +0100

Hi Daniel,

yes, this is a 7.15.5 version, which is the latest (and only) version on
RedHat5 based systems. They are patched, the RPM dates from about a year
ago. I didn't have time to look at all the patches in detail. Comparing it
with a RedHat6 based version unfortunately doesn't help, as that also
changes the backend from OpenSSL to NSS...
OpenSSL is really a pain if 'someone' is trying to clean up stuff in
mid-program. Is curl_easy_reset() doing any OpenSSL cleanup? It shouldn't,
right?
All tries were with exactly the same URL. The same website is listening
both on 80 and 443.
The OpenSSL on RH5 is also an old base version, 0.9.8e, but RedHat and
CentOS are bringing out frequent security patches (latest from May).

Mischa

On Mon, Jan 21, 2013 at 11:40 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:

> On Sun, 20 Jan 2013, Mischa Salle wrote:
>
>> I wonder if this has to do with the re-use of the existing connection. I
>> have seen it fail for SLC5.8, CentOS5.6 and CentOS 5.9. From the code it's
>> not clear to me why the connection is being reused.
>
> Are you still referring to the ancient 7.15.5 version from the original
> report or are you suggesting you see something wrong in a modern version?
>
> This said, I can't recall any (such) bugs in the connection re-use logic
> in a very long time.
>
>> * Re-using existing connection! (#0) with host www.nikhef.nl
>> * Connected to www.nikhef.nl (192.16.199.166) port 443 (#0)
>> So it re-uses the existing connection, while the CentOS based machine
>> starts the second time with:
>
> ...
>
>> * Connection #0 to host www.nikhef.nl left intact
>> * About to connect() to www.nikhef.nl port 443
>> * Trying 192.16.199.166... * connected
>> * Connected to www.nikhef.nl (192.16.199.166) port 443
>> * SSL certificate problem, verify that the CA cert is OK. Details:
>
> And this is the exact same resource you're getting?
>
>> So no NOT reusing the connection, although it is kept open... For plain
>> HTTP, the CentOS is also re-using the connection instead of opening a new
>> one.
>
> It does show separate handling of when the connection can be re-used, yes.
> It does not really explain why it suddenly has a problem with the (ca)
> cert. It could possibly even be a problem with OpenSSL for all we know, as
> I figure you have an outdated such version as well...
>
> --
>
> / daniel.haxx.se
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>

-- 
Maasstraat 162-III
1079 BK Amsterdam
The Netherlands
Tel. (+31/0)20-4043782

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-01-21