Bug 1044446
Summary: | curl does not work with https://api.mercadolibre.com/ after update to RHEL-6.5 | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | Marcop <marcopinho>
Component: | nss | Assignee: | Elio Maldonado Batiz <emaldona>
Status: | CLOSED CANTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security>
Severity: | urgent | Docs Contact: |
Priority: | unspecified | |
Version: | 6.6 | CC: | cleaver-redhat, davids, gms8994, hkario, marcopinho, nkinder, rrelyea, thoger, tmraz
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2015-10-09 19:34:26 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Marcop
2013-12-18 10:42:56 UTC

For reference, this link will call out the incompatibility with "newer protocol versions": https://www.ssllabs.com/ssltest/analyze.html?d=api.mercadolibre.com&s=216.33.196.77

With openssl-1.0.1e installed, this will hang during the handshake:

    openssl s_client -msg -connect api.mercadolibre.com:443

This is a bug in the F5/BIG-IP devices: see https://www.imperialviolet.org/2013/10/07/f5update.html

We will try to work around it.

*** Bug 1042908 has been marked as a duplicate of this bug. ***

During this week the MyHosting.com technicians did the downgrade; access worked fine for a few hours, but unfortunately they forgot to turn off the auto-update, so the buggy version was installed on the server again. Now the answer from the MyHosting.com technicians is that "it is not possible to downgrade". Dear, how do I downgrade properly (until the problem is fixed)? I just tried to uninstall the current version:

    rpm -e --nodeps openssl-devel-1.0.1e-16.el6_5.x86_64
    rpm -e --nodeps openssl-1.0.1e-16.el6_5.x86_64

and install a functional version:

    rpm -Uvh openssl-1.0.0-27.el6_4.2.x86_64.rpm
    rpm -Uvh openssl-devel-1.0.0-27.el6_4.2.x86_64.rpm

But I get no SSH access after logging off the system. Thanks again.

You should be able to work around the bug by using CURLOPT_SSL_CIPHER_LIST. If you limit the cipher list somehow, for example by disabling export ciphers and a few others, it will make the client hello smaller and the connection to those broken SSL servers will not hang. Use for example:

    curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES");

Dear Tomaz, the option you sent me results in an empty search. I tried several others, and unfortunately all that worked only made the search slower. I am currently using a server with Ubuntu to read the file. I hope the problem is resolved as soon as possible, since MyHosting is unable to downgrade. Thanks again.
I do not quite understand - are you saying that adding

    curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES");

does not work? It works fine for me.

I added the parameters in my PHP, on my VPS; the result was an empty return, and it gave no error. Can you post the full code of your search? Thank you again.

(In reply to Tomas Mraz from comment #8)
> I do not quite understand - are you saying that adding
> curl_setopt($ch,CURLOPT_SSL_CIPHER_LIST,"ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES");

This should not help on Red Hat Enterprise Linux 6, as curl there uses nss, not openssl. To change the cipher suites list, that would need to be adjusted to something nss can parse. http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLCIPHERLIST

Also the script in comment 0 can be used with RHEL-6 php+curl to fetch the url mentioned in the same comment.

Heh, so I was actually confused with the mentioned wget above which uses openssl. And so this is not really an openssl request but an nss one.

(In reply to Tomas Mraz from comment #11)
> Heh, so I was actually confused with the mentioned wget above which uses
> openssl. And so this is not really openssl request but nss one.

Well, no, RHEL-6 curl/nss works with that site. openssl/wget does not. If php+curl does not work, the reporter may be using some custom curl packages, or there is some other important information missing in this report.

The issue does not seem to reproduce with nss, even when tls 1.1+ is enabled and the ssl2 hello is disabled. Tested with tstclnt, as curl does not enable tls 1.1+.

    tstclnt -d /etc/pki/nssdb/ -h api.mercadolibre.com -p 443 -o -V ssl3:tls1.2

As the curl_setopt workaround I posted does not work, it seems that it is really compiled against nss even in his case, so this is definitely not an openssl problem. I'm not saying that wget+openssl works though.

This has been shown to work with NSS in the comments mentioned in the bug. In addition, there has not been a reproducer provided that shows that this fails with NSS. This bug is now quite old, and we can't go any further on it without more information. Closing this as CANTFIX. If this is still a problem and there is a reproducer, it can be reopened.
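The thread's workaround rests on one mechanism: the F5 device hangs on ClientHello messages of a particular size, and trimming the cipher list shrinks the message. The script below is an added example, not code from the bug report, from curl, from NSS or from OpenSSL. It serialises a TLS 1.2 ClientHello byte-for-byte so that the size effect of the thread's "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES" string can be measured offline, and it also implements the general fix that OpenSSL and NSS later shipped, the RFC 7685 padding extension. Assumptions, not captured from the reporter's host: the affected length range (256 to 511 bytes of handshake message, as described in the linked imperialviolet post), the extension set modelled on an OpenSSL 1.0.1 client, and the constructed "ALL" suite list (real IANA code points, but not the exact order any one build sends). The "!SSLv2" keyword has no TLS code-point equivalent and is ignored here.

```python
"""Size a TLS 1.2 ClientHello against the F5 BIG-IP 256..511-byte hang.

Added example (not from the bug report). Builds the ClientHello message
exactly as it would go on the wire so the effect of a cipher-list
workaround on its size can be measured, and shows the RFC 7685 padding
extension that OpenSSL/NSS adopted as the general fix. Extension set,
suite lists and the affected range are stated assumptions.
"""
import struct

HOST = "api.mercadolibre.com"
# Handshake-message lengths (record body, including the 4-byte handshake
# header) that the buggy F5 firmware fails on. Assumption: 256..511.
F5_BAD_RANGE = range(256, 512)


def _ext(ext_type, body):
    """Encode one TLS extension: type(2) + length(2) + body."""
    return struct.pack(">HH", ext_type, len(body)) + body


def sni_extension(hostname):
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name  # name_type host_name(0)
    return _ext(0, struct.pack(">H", len(entry)) + entry)


def padding_extension(n):
    """RFC 7685 padding extension (type 21) carrying n zero bytes."""
    return _ext(21, bytes(n))


def default_extensions(hostname):
    """Constructed extension set modelled on an OpenSSL 1.0.1 TLS 1.2 client
    (assumption): SNI, ec_point_formats, 25 named curves, SessionTicket,
    12 signature algorithms, heartbeat. Total 132 bytes for HOST."""
    curves = b"".join(struct.pack(">H", c) for c in range(1, 26))
    sigalgs = bytes(x for h in (6, 5, 4, 3) for s in (1, 2, 3) for x in (h, s))
    return (sni_extension(hostname)
            + _ext(11, b"\x03\x00\x01\x02")                           # ec_point_formats
            + _ext(10, struct.pack(">H", len(curves)) + curves)        # elliptic_curves
            + _ext(35, b"")                                            # SessionTicket
            + _ext(13, struct.pack(">H", len(sigalgs)) + sigalgs)      # signature_algorithms
            + _ext(15, b"\x01"))                                       # heartbeat


def build_client_hello(cipher_suites, hostname=HOST, pad=False):
    """Serialise a TLS 1.2 ClientHello record. The 32-byte random is fixed to
    zeros so sizes are reproducible; a real client draws it from a CSPRNG."""
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    extensions = default_extensions(hostname)

    def handshake_message(exts):
        body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
                + struct.pack(">H", len(suites)) + suites
                + b"\x01\x00"                            # one compression method: null
                + struct.pack(">H", len(exts)) + exts)
        return b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello

    msg = handshake_message(extensions)
    if pad and len(msg) in F5_BAD_RANGE:
        # Rule used by OpenSSL's SSL_OP_TLSEXT_PADDING and by NSS: grow the
        # message to exactly 512 bytes; with fewer than 4 bytes missing an
        # empty padding extension overshoots slightly, which is harmless.
        missing = 512 - len(msg)
        msg = handshake_message(extensions + padding_extension(missing - 4 if missing >= 4 else 0))
    return b"\x16\x03\x01" + struct.pack(">H", len(msg)) + msg


def handshake_length(record):
    """Length of the ClientHello message inside the record (minus the 5-byte record header)."""
    return len(record) - 5


def hangs_on_buggy_f5(record):
    return handshake_length(record) in F5_BAD_RANGE


# Real IANA cipher-suite code points grouped by the OpenSSL keywords the
# thread's string excludes. ALL is a constructed stand-in for a permissive
# OpenSSL 1.0.1 default list (assumption).
ALL = ([0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0006, 0x0008, 0x0009, 0x000A, 0x0011,
        0x0012, 0x0013, 0x0014, 0x0015, 0x0016, 0x0017, 0x0018, 0x0019, 0x001A, 0x001B]
       + list(range(0x002F, 0x0041)) + list(range(0xC001, 0xC029)))
ANULL = [0x0017, 0x0018, 0x0019, 0x001A, 0x001B, 0x0034, 0x003A] + list(range(0xC015, 0xC01A))
ENULL = [0x0001, 0x0002, 0x003B, 0xC001, 0xC006, 0xC00B, 0xC010, 0xC015]
EXPORT = [0x0003, 0x0006, 0x0008, 0x0011, 0x0014, 0x0017, 0x0019]
RC2 = [0x0006]
DES = [0x0009, 0x0012, 0x0015, 0x001A]
SCSV = [0x00FF]  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, appended to every list
AES_ONLY = ([s for s in range(0x002F, 0x0041) if s not in (0x0034, 0x003A, 0x003B)]
            + [0xC004, 0xC005, 0xC009, 0xC00A, 0xC00E, 0xC00F, 0xC013, 0xC014,
               0xC023, 0xC024, 0xC025, 0xC026, 0xC027, 0xC028])


def filter_suites(suites, *excluded):
    """Apply OpenSSL-style '!group' exclusions while keeping preference order."""
    drop = set().union(*excluded)
    return [s for s in suites if s not in drop]


THREAD_FILTER = filter_suites(ALL, ANULL, ENULL, EXPORT, RC2, DES)


def report(label, suites, pad=False):
    rec = build_client_hello(suites + SCSV, pad=pad)
    return (f"{label:<28} {len(suites) + len(SCSV):>3} suites  "
            f"ClientHello {handshake_length(rec):>3} bytes  hangs={hangs_on_buggy_f5(rec)}")


if __name__ == "__main__":
    print(report("ALL (everything)", ALL))
    print(report("thread's !aNULL:!eNULL:...", THREAD_FILTER))
    print(report("AES suites only", AES_ONLY))
    print(report("ALL + padding extension", ALL, pad=True))
```

Under these assumptions the thread's exclusion string drops the message from 335 to 281 bytes, which is still inside the range, while an AES-only list (237 bytes) gets below it and the padding extension moves any list to 512 bytes regardless. The lesson for a practitioner is the one the thread circles around: whether trimming ciphers is enough depends on everything else in the hello, so check the message size rather than assume, and confirm which TLS backend your curl has before choosing a cipher-string syntax (`curl -V` names it, e.g. NSS/... or OpenSSL/...; in PHP, `curl_version()['ssl_version']`).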