Bug 1260678

Summary: Certificate verification fails with multiple https urls [el6/nss]
Product: Red Hat Enterprise Linux 6
Reporter: Hubert Kario <hkario>
Component: nss
Assignee: Daiki Ueno <dueno>
Status: CLOSED ERRATA
QA Contact: Hubert Kario <hkario>
Severity: high
Priority: unspecified
Version: 6.7
Target Milestone: rc
Keywords: Patch
Hardware: Unspecified
OS: Linux
Fixed In Version: nss-3.27.1-2.el6
Clone Of: 1241172
Clones: 1269660
Last Closed: 2017-03-21 10:25:14 UTC
Type: Bug
Bug Depends On: 1241172
Bug Blocks: 1269194, 1269660, 1343211

Description Hubert Kario 2015-09-07 12:46:50 UTC
Issue also present on RHEL 6.7.z with
nss-3.19.1-3.el6_6.x86_64
curl-7.19.7-46.el6.x86_64

+++ This bug was initially created as a clone of Bug #1241172 +++

Description of problem:

Programs using curl or libcurl return an HTTP 400 error on subsequent https calls because certificate verification fails. If only one url is requested at a time, verification succeeds.


Version-Release number of selected component (if applicable):

  curl-7.29.0-19.el7.x86_64
  php-5.4.16-36.el7_1.x86_64
  nss-3.19.1-3.el7_1.x86_64


How reproducible:

[user@host htdocs]# curl -v -I https://owncloud.org/ https://www.owncloud.org/
  * About to connect() to owncloud.org port 443 (#0)
  *   Trying 50.30.33.236...
  * Connected to owncloud.org (50.30.33.236) port 443 (#0)
  * Initializing NSS with certpath: sql:/etc/pki/nssdb
  *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  * SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  * Server certificate:
  * 	subject: CN=www.owncloud.org,OU=Domain Control Validated
  * 	start date: Feb 09 23:47:38 2015 GMT
  * 	expire date: Dec 10 10:32:11 2015 GMT
  * 	common name: www.owncloud.org
  * 	issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
  > HEAD / HTTP/1.1
  > User-Agent: curl/7.29.0
  > Host: owncloud.org
  > Accept: */*
  > 
  < HTTP/1.1 200 OK
  [...]
  
  * Connection #0 to host owncloud.org left intact
  * About to connect() to www.owncloud.org port 443 (#1)
  *   Trying 50.30.33.236...
  * Connected to www.owncloud.org (50.30.33.236) port 443 (#1)
  *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  * SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  * Server certificate:
  * 	subject: CN=www.owncloud.org,OU=Domain Control Validated
  * 	start date: Feb 09 23:47:38 2015 GMT
  * 	expire date: Dec 10 10:32:11 2015 GMT
  * 	common name: www.owncloud.org
  * 	issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
  > HEAD / HTTP/1.1
  > User-Agent: curl/7.29.0
  > Host: www.owncloud.org
  > Accept: */*
  > 
  < HTTP/1.1 400 Bad Request
  [...]
  * Closing connection 1

The only difference I can see is that
  Initializing NSS with certpath: sql:/etc/pki/nssdb
is present on the first call but not on the second. CAfile is mentioned on both calls.

Steps to Reproduce:
1. curl -v -I https://owncloud.org/ https://www.owncloud.org/

Actual results:
HTTP/1.1 200 OK
HTTP/1.1 400 Bad Request


Expected results:
HTTP/1.1 200 OK (for https://owncloud.org/)
HTTP/1.1 301 Moved Permanently (for https://www.owncloud.org/)


Additional info:

This also happens with php 5.6.10 and curl-7.43, both compiled from the Fedora src rpm for RHEL7, but only when --with-nss (default) is used. Compiled with --with-ssl (openssl), curl/libcurl/php work as expected.

This prevents e.g. owncloud from working properly (apps / external data cannot be loaded).

--- Additional comment from Kamil Dudka on 2015-07-08 12:33:22 EDT ---

This looks like bug #1104597 (nss bug), will have a look tomorrow.

--- Additional comment from Benjamin Xiao on 2015-07-08 14:01:45 EDT ---

Also seeing this on Fedora 22 with up-to-date standard php and curl packages.

--- Additional comment from Kamil Dudka on 2015-07-09 04:50:19 EDT ---

(In reply to Kamil Dudka from comment #1)
> This looks like bug #1104597 (nss bug), will have a look tomorrow.

Confirmed.  Attachment #902122 fixes the bug.  Flipping the component to nss.

--- Additional comment from Stefan Neufeind on 2015-07-25 16:18:33 EDT ---

I've heard rumours this also affects RHEL6, so we might require a backport as well then.

--- Additional comment from Kamil Dudka on 2015-09-03 05:02:58 EDT ---

A patch for this bug (attachment #902122) was proposed more than a year ago.  Could you please have a look at that?

Comment 1 Kamil Dudka 2015-09-18 16:04:41 UTC
There is a workaround for curl suggested by Mozilla upstream:

https://github.com/bagder/curl/commit/958d2ffb

Comment 3 Hubert Kario 2015-11-04 12:19:26 UTC
Kamil, I can verify that it is fixed in the Fedora 22 version of curl; do you plan to implement the same workaround in RHEL?

Comment 4 Kamil Dudka 2015-11-04 12:25:47 UTC
Yes, assuming the fix gets approved.  See bug #1269660 and bug #1269855.

Comment 5 Robert Scheck 2016-05-19 18:02:46 UTC
Cross-filed case 01637758 on the Red Hat customer portal to get this moved on.

Comment 6 Hubert Kario 2016-05-20 09:44:00 UTC
The issue was fixed on the curl side and released in the 6.8.0 release; see bug 1269660.

Is the solution provided by the new curl package not sufficient?

Comment 7 Robert Scheck 2016-05-20 11:16:24 UTC
Taking https://github.com/owncloud/core/issues/16255#issuecomment-112481294
and "curl -v -I https://owncloud.org/ https://www.owncloud.org/" as the test
cases:

RHEL 6.7: Does not work (returns 200/400)
RHEL 6.8: Works (returns 200/301)

Thus you are right, curl-7.19.7-52.el6 as shipped with RHEL 6.8 solves this
issue. I didn't verify RHEL 6.8 after I noticed that RHEL 7 is still affected.
So, let's close this one?

Comment 8 Hubert Kario 2016-05-20 12:22:03 UTC
As Kamil said in the RHEL-7 version of the bug, we don't yet have a reason to not fix it in NSS itself.

So I don't think it is necessary to close this bug just yet.

Comment 9 Robert Scheck 2016-05-20 12:30:54 UTC
Oh, yes, sorry. I got confused about NSS vs. curl. So yes, while the curl
issue is solved, the NSS one (this RHBZ) isn't yet. Makes sense to get this
fixed as well :)

Comment 18 errata-xmlrpc 2017-03-21 10:25:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0671.html