Re: Changes I had to make to libcurl sources for Windows mutual auth to work
From: Tuomas Kaikkonen via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 21 Apr 2022 16:04:47 -0700
The server is IIS running on a Windows Server 2016 host. We have multiple
asynchronous requests going on at the same time, but I don't think that is
a problem. The first request gets done, but the second gets to this point
where it has to do this workaround. I don't recall which one does the TLS
close, but they are doing all kinds of TLS handshakes with OCSP and CRL
(mutual auth using client and server cert). Things work ok with the
workaround.
Tuomas Kaikkonen
Principal Software Engineer, WAVE Core, Motorola Solutions
3131 Elliott Ave, Suite 200, Seattle, WA 98121
phone: (425) 919-8973
On Fri, Apr 15, 2022 at 11:57 PM Ray Satiro via curl-library <
curl-library_at_lists.haxx.se> wrote:
> On 4/12/2022 5:56 PM, Tuomas Kaikkonen via curl-library wrote:
> > I had to comment out few lines that check Windows NT version number in
> > order to get curl mutual auth to work with 90m/CAC cards (Windows
> > certificates).
> >
> > Without this change, the curl would close TLS connection after sending
> > only partial data response to all my requests to the IIS.
> > I suspect the curlx_verify_windows_version(5, 0, 0, PLATFORM_WINNT,
> > VERSION_EQUAL) is the culprit.
> > I run curl lib on Windows 10 Professional.
> >
> > This is the change I made to curl 7.81.0 sources:
> >
> > diff --git a/3rdparty/curl/7.81.0/lib/vtls/schannel.c
> > b/3rdparty/curl/7.81.0/lib/vtls/schannel.c
> > index 0a8e60610d..bd75256c21 100644
> > --- a/3rdparty/curl/7.81.0/lib/vtls/schannel.c
> > +++ b/3rdparty/curl/7.81.0/lib/vtls/schannel.c
> > _at__at_ -2052,10 +2052,11 _at__at_ schannel_recv(struct Curl_easy *data, int
> > sockindex,
> > */
> > if(len && !backend->decdata_offset &&
> > backend->recv_connection_closed &&
> > !backend->recv_sspi_close_notify) {
> > - bool isWin2k = curlx_verify_windows_version(5, 0, 0, PLATFORM_WINNT,
> > - VERSION_EQUAL);
> > -
> > - if(isWin2k && sspi_status == SEC_E_OK)
> > + //bool isWin2k = curlx_verify_windows_version(5, 0, 0,
> > PLATFORM_WINNT,
> > + // VERSION_EQUAL);
> > + //
> > + //if(isWin2k && sspi_status == SEC_E_OK)
> > + if (sspi_status == SEC_E_OK) /* TPS TKKZZZ */
> > backend->recv_sspi_close_notify = true;
> > else {
> > *err = CURLE_RECV_ERROR;
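Review bot: dropping the `isWin2k` guard (the `- bool isWin2k = curlx_verify_windows_version(...)` lines replaced by `+ if (sspi_status == SEC_E_OK)`) makes this branch accept every connection close that arrives without a close_notify alert, so the `recv_connection_closed && !backend->recv_sspi_close_notify` condition above can no longer reach `*err = CURLE_RECV_ERROR`: a response cut off by a bare TCP close (the "partial data" symptom) is reported as a clean end of stream instead of an error, and on every Windows version rather than only Windows 2000. Keep the guard and establish why the peer closes without sending close_notify; a capture, as the reply suggests, shows whether an alert record precedes the FIN. If a local build has to carry this anyway, record the rationale in a `/* */` comment in the file's own style rather than `//` comments and the opaque `/* TPS TKKZZZ */` tag.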
>
>
> Your change signals that TLS close notify alert was received even when
> it wasn't. That is a hack we have only for Windows 2000 and I don't even
> know who would be using that anymore. Most likely your server isn't
> shutting down the connection properly, which is why you don't receive the
> close notify. On the other hand there could be a bug where curl fails to
> detect the close notify. You'd have to use a tool like Wireshark to
> determine how the connection ends.
>
>
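The reply's last point is that only a capture shows how the connection actually ended. As an added example (not from either poster and not curl code), this small classifier walks a captured TLS 1.2 record stream and reports the endings the guarded branch in schannel_recv has to tell apart: an alert record before the TCP close (a normal close_notify), a TCP close with no alert at all (what the Win2k hack tolerates), or a record cut mid-way. It assumes TLS 1.2 framing, where the alert content type is visible in the record header even though the alert body is encrypted; TLS 1.3 hides alerts inside application_data records, so this check cannot distinguish them there. The sample byte strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* How a captured TLS 1.2 record stream (the server's bytes as the client saw
 * them) came to an end. Only TLS_END_ALERT resembles a close_notify ending;
 * the others are what schannel_recv reports as CURLE_RECV_ERROR unless the
 * Win2k hack accepts them. */
enum tls_end {
    TLS_END_ALERT,      /* last record is an alert (close_notify or error; body encrypted) */
    TLS_END_NO_ALERT,   /* records are whole but the stream just stops: bare TCP close */
    TLS_END_TRUNCATED,  /* header or body cut mid-record */
    TLS_END_BAD         /* bytes are not TLS record framing at all */
};
static const char *const tls_end_name[] = {
    "alert record before close", "closed without TLS alert",
    "record truncated", "not a TLS record stream"
};
#define TLS_CT_ALERT 21
#define TLS_MAX_CIPHERTEXT (16384 + 2048)   /* RFC 5246 section 6.2.3 */

/* Walk the 5-byte record headers (type, version, length) to the end of the capture. */
enum tls_end classify_tls_stream(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int last_type = -1;
    while (off < len) {
        if (len - off < 5)
            return TLS_END_TRUNCATED;            /* header cut mid-way */
        uint8_t type = buf[off];
        size_t rlen = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (type < 20 || type > 23 || buf[off + 1] != 3 || rlen > TLS_MAX_CIPHERTEXT)
            return TLS_END_BAD;
        if (len - off - 5 < rlen)
            return TLS_END_TRUNCATED;            /* body cut mid-way */
        last_type = type;
        off += 5 + rlen;
    }
    return last_type == TLS_CT_ALERT ? TLS_END_ALERT : TLS_END_NO_ALERT;
}

/* Constructed samples: TLS 1.2 headers with dummy bodies (real encrypted alert bodies are longer). */
static const uint8_t sample_clean[]     = { 0x17,0x03,0x03,0x00,0x03, 0xaa,0xbb,0xcc,
                                            0x15,0x03,0x03,0x00,0x02, 0x01,0x00 };
static const uint8_t sample_no_alert[]  = { 0x17,0x03,0x03,0x00,0x03, 0xaa,0xbb,0xcc };
static const uint8_t sample_truncated[] = { 0x17,0x03,0x03,0x00,0x10, 0xaa,0xbb,0xcc };

int main(void)
{
    printf("clean:     %s\n", tls_end_name[classify_tls_stream(sample_clean, sizeof sample_clean)]);
    printf("no alert:  %s\n", tls_end_name[classify_tls_stream(sample_no_alert, sizeof sample_no_alert)]);
    printf("truncated: %s\n", tls_end_name[classify_tls_stream(sample_truncated, sizeof sample_truncated)]);
    return 0;
}
```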
-- Unsubscribe: https://lists.haxx.se/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2022-04-22