Bugs item #3497051, was opened at 2012-03-05 07:41
Message generated for change (Comment added) made by alexzapped
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3497051&group_id=976
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: wrong behaviour
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Alexey Shumkin (alexzapped)
Assigned to: Daniel Stenberg (bagder)
Summary: libcurl v7.24 exits with err 104 while connecting https host
Initial Comment:
At my work I have an HTTP proxy with pre-authorization to access the internet. To skip manual authorization I use curl under Cygwin to send the auth form to the server.
Recently, after an update of Cygwin to 1.7.11, this script appeared to be broken: curl exits with err 104. After investigation the test script was simplified to

    curl -3 -k https://proxy.lan.rarus.ru/BM-Login/?\"http://ya.ru/\" --trace - -D -

to reproduce the error.
I also discovered that the libcurl update to v7.24 (was v7.20) caused this behavior. After a manual rollback of libcurl-4.dll to the previous version the test script works well.
See attachments:
----------------------------------------------------------------------
>Comment By: Alexey Shumkin (alexzapped)
Date: 2012-03-07 02:06
Message:
Maybe "my" proxy acts wrong? But browsers work well with it.
----------------------------------------------------------------------
Comment By: Alexey Shumkin (alexzapped)
Date: 2012-03-07 02:02
Message:
I wrote a simple test script

    #!/bin/bash
    # Rebuild libcurl at the commit under test.
    make clean
    make all
    DLL="./lib/.libs/cygcurl-4.dll"
    # No DLL means the build failed: exit 125 tells git bisect to skip this commit.
    if ! test -s "$DLL"; then
        echo "No $DLL"
        exit 125
    fi
    # Install the freshly built DLL so the curl binary picks it up.
    cp -avf "$DLL" /bin
    # Exit 1 (bad) if the error is reproduced, 0 (good) otherwise.
    if curl -3 -k https://proxy.lan.rarus.ru/BM-Login/?\"http://ya.ru/\" 2>&1 |
        grep -qF 'errno 104'; then
        exit 1
    else
        exit 0
    fi

And I bisected the git repository with git bisect run. Here is the result.

    db1a856b4f7cf6ae334fb0656b26a18eea317000 is the first bad commit
    commit db1a856b4f7cf6ae334fb0656b26a18eea317000
    Author: Daniel Stenberg <daniel_at_haxx.se>
    Date: Thu Jan 19 10:38:14 2012 +0100

        OpenSSL: don't disable security work-around

        OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
        (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit
        to SSL_OP_ALL that _disables_ that work-around despite the fact that
        SSL_OP_ALL is documented to do "rather harmless" workarounds.

        The libcurl code uses the SSL_OP_ALL define and thus logically always
        disables the OpenSSL fix.

        In order to keep the secure work-around working, the
        SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
        makes sure of this.

        Reported by: product-security at Apple

I hope this will make the reasons more clear.
----------------------------------------------------------------------
Comment By: Alexey Shumkin (alexzapped)
Date: 2012-03-06 07:44
Message:
Yes. I can try to use different Cygwin mirrors to find versions in between
and test them.
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2012-03-06 07:31
Message:
Ok, so it returned 56 not 104.
The errno 104 was just additional information about the errno contents at
the time of the error. 104 on my system equals ECONNRESET which would
indicate a problem with the TCP connection.
I can't explain why it would happen with one version and not the other. Any
chance you can try more versions in between and see if you can figure out
exactly when it stopped working?
----------------------------------------------------------------------
Comment By: Alexey Shumkin (alexzapped)
Date: 2012-03-05 22:39
Message:
Below is the output of the command

    curl -3 -k https://proxy.lan.rarus.ru/BM-Login/?\"http://ya.ru/\" -v -D -

* About to connect() to proxy.lan.rarus.ru port 443 (#0)
* Trying 172.20.128.5...
* connected
* Connected to proxy.lan.rarus.ru (172.20.128.5) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /usr/ssl/certs/ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DES-CBC3-SHA
* Server certificate:
* subject: O=RARUS; CN=proxy.lan.rarus.ru
* start date: 2010-05-25 19:10:25 GMT
* expire date: 2012-05-24 19:10:25 GMT
* common name: proxy.lan.rarus.ru (matched)
* issuer: OU=Organizational CA; O=RARUS
* SSL certificate verify result: self signed certificate in certificate
chain (19), continuing anyway.
> GET /BM-Login/?"http://ya.ru/" HTTP/1.1
> User-Agent: curl/7.24.0 (i686-pc-cygwin) libcurl/7.24.0 OpenSSL/0.9.8t
zlib/1.2.5 libidn/1.22 libssh2/1.3.0
> Host: proxy.lan.rarus.ru
> Accept: */*
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection #0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2012-03-05 13:13
Message:
Can you please show us the full output you get when you use -v ? There's no
return code 104 in curl/libcurl so it would indicate something truly
weird.
I can't repeat this problem on Linux.
----------------------------------------------------------------------
Comment By: Alexey Shumkin (alexzapped)
Date: 2012-03-05 07:48
Message:
oops, vice versa
error:
$ curl -V
curl 7.24.0 (i686-pc-cygwin) libcurl/7.24.0 OpenSSL/0.9.8t zlib/1.2.5
libidn/1.22 libssh2/1.3.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
pop3s rtsp scp sftp smtp smtps telnet tftp
Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz
no error:
curl 7.24.0 (i686-pc-cygwin) libcurl/7.20.1 OpenSSL/0.9.8t zlib/1.2.5
libidn/1.22 libssh2/1.2.5
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s rtsp scp
sftp smtp smtps telnet tftp
Features: IDN IPv6 Largefile NTLM SSL libz
----------------------------------------------------------------------
Comment By: Alexey Shumkin (alexzapped)
Date: 2012-03-05 07:45
Message:
when error is observed
$ curl -V
curl 7.24.0 (i686-pc-cygwin) libcurl/7.20.1 OpenSSL/0.9.8t zlib/1.2.5
libidn/1.22 libssh2/1.2.5
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s rtsp scp
sftp smtp smtps telnet tftp
Features: IDN IPv6 Largefile NTLM SSL libz
when no error (rollback libcurl)
$ curl -V
curl 7.24.0 (i686-pc-cygwin) libcurl/7.24.0 OpenSSL/0.9.8t zlib/1.2.5
libidn/1.22 libssh2/1.3.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
pop3s rtsp scp sftp smtp smtps telnet tftp
Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz
----------------------------------------------------------------------
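The triage point from the thread (curl's exit code 56 versus the OS errno 104, after a handshake that negotiated DES-CBC3-SHA) as a small parser over `curl -v` output. This is an added example, not part of any post in the thread or of curl itself; the sample transcript is constructed from the output quoted above, and the function names, the labels and the CBC-by-name heuristic are assumptions.

```shell
#!/bin/sh
# Constructed sample: the tail of the `curl -v` output quoted in the thread.
SAMPLE='* SSLv3, TLS handshake, Finished (20):
* SSL connection using DES-CBC3-SHA
> GET /BM-Login/?"http://ya.ru/" HTTP/1.1
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection #0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104'

# curl's own exit code is the number in parentheses on the "curl: (NN)" line.
curl_exit_code() {
    printf '%s\n' "$1" | sed -n 's/^curl: (\([0-9][0-9]*\)).*/\1/p' | head -n 1
}

# The OS errno is separate context appended to the same line
# (104 is ECONNRESET according to the thread).
os_errno() {
    printf '%s\n' "$1" | sed -n 's/^curl: .*errno \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Cipher suite reported once the handshake has completed.
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^\* SSL connection using \(.*\)$/\1/p' | head -n 1
}

# Heuristic (assumption): in OpenSSL naming, a suite that is not RC4, NULL or
# an AEAD mode is a CBC block cipher, the case the empty-fragment
# work-around applies to.
uses_cbc() {
    case "$1" in
        ''|*RC4*|*NULL*|*GCM*|*CCM*|*CHACHA*) return 1 ;;
        *) return 0 ;;
    esac
}

# Label a transcript; the labels are hypothetical names for this example.
classify() {
    code=$(curl_exit_code "$1")
    err=$(os_errno "$1")
    if [ "$code" = 56 ] && [ "$err" = 104 ] && uses_cbc "$(negotiated_cipher "$1")"; then
        echo "reset-on-read-after-cbc-handshake"   # pattern reported in this thread
    elif [ -n "$code" ]; then
        echo "curl-error-$code"
    else
        echo "no-curl-error"
    fi
}

classify "$SAMPLE"
```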
Received on 2012-03-07