Download
Browse source Changelog
Documentation
Project   Bug Bounty   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users Mailing lists Book: Everything curl Video presentations Report a bug Paid support
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: "server closed abruptly (missing closed notify)" with WinSSL but not OpenSSL

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Sat, 15 Jun 2019 13:18:00 -0400

On 6/14/2019 7:51 PM, Josh Handley via curl-library wrote:
> I'm using libcurl 7.65.1/WinSSL to send a GET request to an Apache
> server endpoint to download some JSON. On one particular server (it is
> running Apache 2.4.6 on Red Hat Enterprise) I'm getting
> CURLE_RECV_ERROR. Running with the debug callback I see messages from
> schannel that the server has closed the connection abruptly (see
> below). The same request works fine when using curl built with
> OpenSSL. Even with WinSSL this works with other Apache servers. Other
> GET endpoints on the server are working correctly although those have
> smaller responses. Looking at the debug info I can see that the full
> response is downloaded and decrypted before I get the error. Any ideas
> on what could be the cause? Any Apache configuration or libcurl
> changes I could try to remedy this?

It appears there is no known termination point (content length or
chunked encoding) in the server reply and so in that case curl will keep
reading until the server closes the connection. Note the "HTTP 1.0,
assume close after body". Since it is an SSL connection curl w/schannel
will look for a close_notify alert from the server (another accepted
termination point). However in your case the SSL connection appears to
be closed unclean (ie no close_notify) therefore there's no known
termination point. I made that an error in schannel to avoid a
truncation attack (when an attacker can prematurely terminate a
connection to cause a truncated file which may cause some purpose not
intended). I think most other SSL backends it is also an error but for
legacy reasons we don't do the same for OpenSSL and maybe some other.
Eventually I hope to change this for OpenSSL as well but only for the
newest version to phase it out but not break anything.

As far as I am concerned this is a server issue, it needs to give any
termination point discussed.

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-06-15