Bug 1286973

Summary: curl 7.19.7 doesn't properly handle TLS traffic
Product: Red Hat Enterprise Linux 6 Reporter: Geoff <geoffrey>
Component: curlAssignee: Kamil Dudka <kdudka>
Status: CLOSED INSUFFICIENT_DATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.7CC: geoffrey
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-22 12:25:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Geoff 2015-12-01 09:28:48 UTC 
Description of problem:

curl 7.19.7 doesn't properly handle TLS traffic when using flags like --ftp-ssl to connect to FTP servers securely.  


Version-Release number of selected component (if applicable):

7.19.7

How reproducible:

This was reproducible 100% of the time when tested.  

Steps to Reproduce:
1. Use curl to connect to FTP using --ftp-ssl or --ftp-ssl-reqd 

Actual results:

[~]# curl -v  -k --ftp-ssl-reqd ftp://cpgeoff0.info -u cpgeoff:******
* About to connect() to cpgeoff0.info port 21 (#0)
*   Trying 10.1.7.117... connected
* Connected to cpgeoff0.info (10.1.7.117) port 21 (#0)
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 220-You are user number 1 of 50 allowed.
< 220-Local time is now 23:15. Server port: 21.
< 220-This is a private system - No anonymous login
< 220-IPv6 connections are also welcome on this server.
< 220 You will be disconnected after 15 minutes of inactivity.
> AUTH SSL
< 500 This security scheme is not implemented
> AUTH TLS
< 234 AUTH TLS OK.
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* 	subject: E=ssl.rey,CN=ge.off.rey
* 	start date: Oct 22 06:53:10 2015 GMT
* 	expire date: Oct 21 06:53:10 2016 GMT
* 	common name: ge.off.rey
* 	issuer: E=ssl.rey,CN=ge.off.rey
> USER cpgeoff
< 331 User cpgeoff OK. Password required
> PASS *****
< 230 OK. Current restricted directory is /
> PBSZ 0
< 200 PBSZ=0
> PROT P
< 200 Data protection level set to "private"
> PWD
< 257 "/" is your current location
* Entry path is '/'
> EPSV
* Connect data stream passively
< 229 Extended Passive mode OK (|||60642|)
*   Trying 10.1.7.117... No route to host
* couldn't connect to host
* got positive EPSV response, but can't connect. Disabling EPSV
> PASV
< 227 Entering Passive Mode (10,1,7,117,154,58)
*   Trying 10.1.7.117... connected
* Connecting to 10.1.7.117 (10.1.7.117) port 39482
> TYPE A
< 200 TYPE is now ASCII
> LIST
< 150 Accepted data connection
* Doing the SSL/TLS handshake on the data stream
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* 	subject: E=ssl.rey,CN=ge.off.rey
* 	start date: Oct 22 06:53:10 2015 GMT
* 	expire date: Oct 21 06:53:10 2016 GMT
* 	common name: ge.off.rey
* 	issuer: E=ssl.rey,CN=ge.off.rey
* Maxdownload = -1
* Remembering we are in dir ""
* FTP response reading failed
* Connection #0 to host cpgeoff0.info left intact
curl: (56) FTP response reading failed
> QUIT
* FTP response reading failed
* Closing connection #0

An ssldump being run on the actual FTP server shows this:

# ssldump -i eth0 -aAdH port 21
New TCP connection #1: 10.1.7.135(57302) <-> ge.off.rey(21)
0.0074 (0.0074)  S>C
---------------------------------------------------------------
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 23:15. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
---------------------------------------------------------------

0.0079 (0.0005)  C>S
---------------------------------------------------------------
AUTH SSL
---------------------------------------------------------------

0.0082 (0.0002)  S>C
---------------------------------------------------------------
500 This security scheme is not implemented
---------------------------------------------------------------

0.0084 (0.0002)  C>S
---------------------------------------------------------------
AUTH TLS
---------------------------------------------------------------

0.0085 (0.0000)  S>C
---------------------------------------------------------------
234 AUTH TLS OK.
---------------------------------------------------------------

1 1  0.0862 (0.0776)  C>S V3.1(94)  Handshake
      ClientHello
        Version 3.1
        random[32]=
          62 00 3d 70 ad 81 a8 3a a9 04 45 11 de b0 e8 8a
          d4 2d 3a f4 da 99 cb 2e f1 61 da 9e 10 ce 99 19
        cipher suites
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compression methods
                  NULL
1 2  0.0896 (0.0034)  S>C V3.1(81)  Handshake
      ServerHello
        Version 3.1
        random[32]=
          56 56 95 8d 76 fc 9c 4c 63 a2 ad 23 b6 a9 c8 bd
          ba 18 1d 76 e4 88 6f 3e b5 88 9c ed 97 ee 12 6d
        session_id[32]=
          dd f0 ab b3 d4 49 f8 3e eb 35 44 16 09 16 9f 9b
          f9 13 1a c1 58 a6 29 57 78 c9 df 6c 29 1b e4 21
        cipherSuite         TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        compressionMethod                   NULL
1 3  0.0896 (0.0000)  S>C V3.1(833)  Handshake
      Certificate
1 4  0.0897 (0.0000)  S>C V3.1(781)  Handshake
      ServerKeyExchange
        params
          DH_p[256]=
            ff ff ff ff ff ff ff ff c9 0f da a2 21 68 c2 34
            c4 c6 62 8b 80 dc 1c d1 29 02 4e 08 8a 67 cc 74
            02 0b be a6 3b 13 9b 22 51 4a 08 79 8e 34 04 dd
            ef 95 19 b3 cd 3a 43 1b 30 2b 0a 6d f2 5f 14 37
            4f e1 35 6d 6d 51 c2 45 e4 85 b5 76 62 5e 7e c6
            f4 4c 42 e9 a6 37 ed 6b 0b ff 5c b6 f4 06 b7 ed
            ee 38 6b fb 5a 89 9f a5 ae 9f 24 11 7c 4b 1f e6
            49 28 66 51 ec e4 5b 3d c2 00 7c b8 a1 63 bf 05
            98 da 48 36 1c 55 d3 9a 69 16 3f a8 fd 24 cf 5f
            83 65 5d 23 dc a3 ad 96 1c 62 f3 56 20 85 52 bb
            9e d5 29 07 70 96 96 6d 67 0c 35 4e 4a bc 98 04
            f1 74 6c 08 ca 18 21 7c 32 90 5e 46 2e 36 ce 3b
            e3 9e 77 2c 18 0e 86 03 9b 27 83 a2 ec 07 a2 8f
            b5 c5 5d f0 6f 4c 52 c9 de 2b cb f6 95 58 17 18
            39 95 49 7c ea 95 6a e5 15 d2 26 18 98 fa 05 10
            15 72 8e 5a 8a ac aa 68 ff ff ff ff ff ff ff ff
          DH_g[1]=
            02
          DH_Ys[256]=
            e3 1a 43 42 f4 be 59 17 c5 9a 66 98 79 ee 92 96
            3e 26 b0 a3 b5 1c 35 54 8d 01 00 c3 be 52 c7 40
            a3 bc b2 cd 89 02 da 7e 06 1b 90 bb 21 32 4b 59
            21 ad 8b aa f0 28 25 6a da 9c a7 2a 98 fc 49 a3
            0e f4 05 27 47 21 c7 04 ec 24 03 72 dd d6 26 a7
            b0 ba 70 9e 71 3d 41 7b 71 d3 5e 98 d9 47 c9 14
            1c c9 3b 48 2f 96 b1 ff 9e c5 c3 b7 70 b1 8c 25
            88 57 d3 64 ba 3a 4f 7b 1f 96 cc ca b0 4b ad b6
            26 c2 a6 50 0f ce 70 30 d7 2c ef 68 fa 22 89 81
            1b b8 20 71 bb 6c 50 a6 a2 8f 40 b9 d3 86 82 ea
            12 a3 4e db 7e 8f 95 8a f5 0f 3c e5 ea b3 78 2c
            b4 bb de e1 51 f5 b9 03 cc df be f4 9f 49 75 9f
            6b eb e4 37 f7 78 21 a8 5e e7 d4 67 08 9e 68 eb
            ec 69 22 5e eb 32 e7 6a 72 67 cc 43 5f dc f7 73
            16 ff 91 a0 de ca c9 08 86 8c cc b0 49 3f 8e 37
            7f 1b 64 ed 52 5d 48 4b 0e e5 b2 e4 b1 c9 92 c2
        signature[256]=
          2e d6 8b ca 9b b7 4a 53 cf 68 87 50 f5 5a 1a 09
          e9 93 57 51 dc d7 a0 e9 93 26 f3 d0 b9 0d fe 2a
          10 9b 27 77 15 aa eb b1 14 84 37 bc 0b e8 4c 54
          6d 93 1e b5 f2 37 66 85 4d e4 e5 b4 47 3e a9 b8
          bd 49 31 b6 77 99 17 af 9e bb 92 2f a1 d9 11 64
          42 15 50 90 b3 00 0f 18 04 34 5a 35 49 fd 55 53
          2b 95 ca a0 15 e0 d0 6c 6c f7 b4 3e ae e7 8b 5b
          3b 79 7e c9 fd 0c 45 d2 d4 0f 83 48 0a 03 ba 6c
          db c4 a3 a0 69 30 97 f4 98 c4 f6 83 2e 8c 55 cb
          88 69 92 03 19 0a 69 af 88 20 d7 12 ec 6e 7f 60
          62 19 30 a7 fd 36 5f fa 57 59 2c 97 ea b1 58 6c
          b0 2b 8f 4a 99 b6 67 cc 6f e9 32 c3 c6 03 a7 60
          1a 51 c4 c6 97 38 f7 4b 6a f0 62 9b 94 32 57 aa
          26 5c bd 91 17 4f 45 c5 fd 50 db a3 73 0b d8 bf
          82 92 8b 86 2b 9b ba 1f c6 0f 2b 73 d2 39 59 8c
          79 12 2d c5 50 5d cc cb 71 0b 35 a3 05 0f fc 8f
1 5  0.0897 (0.0000)  S>C V3.1(4)  Handshake
      ServerHelloDone
1 6  0.0938 (0.0040)  C>S V3.1(262)  Handshake
      ClientKeyExchange
        DiffieHellmanClientPublicValue[256]=
          db ef ba 3d 9d a1 51 de 38 d8 49 a4 2d 69 49 84
          ae a4 01 f7 f4 f3 da d7 86 e9 5e 70 3c 0a b0 04
          87 33 2b 37 ee 71 53 09 3f 31 74 54 37 86 40 b2
          17 18 03 1a c6 a6 46 eb cd 2b 7b 4b 15 c9 8d 84
          44 34 37 4f ab ef ed 49 8e 76 2c 17 1a 2a 1e 31
          15 38 15 79 b6 de 87 49 1e c7 2e 0f 83 ae 9f 77
          f4 fe 86 f5 d0 78 1b be 0c 31 89 e7 cd 1a 8b b1
          b1 53 36 97 61 30 26 8a 74 f8 b2 1e 89 45 1f 03
          18 22 9c 32 2a c2 18 79 e6 6d b1 0c ac 2d 91 a6
          66 b1 db 00 7f 39 9b c4 47 5c 7f 0e 59 a1 b5 46
          b5 be a5 8a c2 75 8c f4 37 96 1a 57 20 dc 82 d6
          34 0c 3f 71 70 ce 28 7b 70 2a 7f fb 0d 03 6f 51
          9a f9 9a a9 56 15 5d ee 30 b3 39 7d a8 70 fe 69
          f1 d1 56 89 90 1d 59 5e 0e 82 f4 1b 9b 19 b8 51
          3c 48 dc bb a6 9c 42 ab 38 a4 7c 4a af 69 a6 44
          e9 e2 48 be 7e dc a1 e6 d7 ae b3 88 c6 66 8f 2e
1 7  0.0938 (0.0000)  C>S V3.1(1)  ChangeCipherSpec
1 8  0.0938 (0.0000)  C>S V3.1(48)  Handshake
1 9  0.0999 (0.0060)  S>C V3.1(1)  ChangeCipherSpec
1 10 0.0999 (0.0000)  S>C V3.1(48)  Handshake
1 11 0.1004 (0.0005)  C>S V3.1(64)  application_data
1 12 0.1005 (0.0001)  S>C V3.1(32)  application_data
1 13 0.1005 (0.0000)  S>C V3.1(80)  application_data
1 14 0.1008 (0.0002)  C>S V3.1(48)  application_data
1 15 0.2231 (0.1222)  S>C V3.1(32)  application_data
1 16 0.2231 (0.0000)  S>C V3.1(64)  application_data
1 17 0.2238 (0.0007)  C>S V3.1(32)  application_data
1 18 0.2240 (0.0001)  S>C V3.1(32)  application_data
1 19 0.2240 (0.0000)  S>C V3.1(48)  application_data
1 20 0.2245 (0.0004)  C>S V3.1(32)  application_data
1 21 0.2246 (0.0000)  S>C V3.1(32)  application_data
1 22 0.2246 (0.0000)  S>C V3.1(80)  application_data
1 23 0.2251 (0.0004)  C>S V3.1(32)  application_data
1 24 0.2252 (0.0000)  S>C V3.1(32)  application_data
1 25 0.2252 (0.0000)  S>C V3.1(64)  application_data
1 26 0.2263 (0.0011)  C>S V3.1(32)  application_data
1 27 0.2265 (0.0001)  S>C V3.1(32)  application_data
1 28 0.2265 (0.0000)  S>C V3.1(64)  application_data
1 29 0.2276 (0.0010)  C>S V3.1(32)  application_data
1 30 0.2277 (0.0001)  S>C V3.1(32)  application_data
1 31 0.2277 (0.0000)  S>C V3.1(80)  application_data
1 32 0.2300 (0.0022)  C>S V3.1(32)  application_data
1 33 0.2301 (0.0001)  S>C V3.1(32)  application_data
1 34 0.2301 (0.0000)  S>C V3.1(48)  application_data
1 35 0.2313 (0.0011)  C>S V3.1(32)  application_data
1 36 0.2314 (0.0001)  S>C V3.1(32)  application_data
1 37 0.2314 (0.0000)  S>C V3.1(64)  application_data
1    0.2491 (0.0176)  S>C  TCP FIN
1 38 0.2500 (0.0008)  C>S V3.1(32)  application_data

Expected results:

[~]# curl -v  -k --ftp-ssl-reqd ftp://cpgeoff0.info -u cpgeoff:******
* About to connect() to cpgeoff0.info port 21 (#0)
*   Trying 10.1.7.117... connected
* Connected to cpgeoff0.info (10.1.7.117) port 21 (#0)
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 220-You are user number 1 of 50 allowed.
< 220-Local time is now 23:19. Server port: 21.
< 220-This is a private system - No anonymous login
< 220-IPv6 connections are also welcome on this server.
< 220 You will be disconnected after 15 minutes of inactivity.
> AUTH SSL
< 500 This security scheme is not implemented
> AUTH TLS
< 234 AUTH TLS OK.
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: E=ssl.rey,CN=ge.off.rey
* 	start date: Oct 22 06:53:10 2015 GMT
* 	expire date: Oct 21 06:53:10 2016 GMT
* 	common name: ge.off.rey
* 	issuer: E=ssl.rey,CN=ge.off.rey
> USER cpgeoff
< 331 User cpgeoff OK. Password required
> PASS ******
< 230 OK. Current restricted directory is /
> PBSZ 0
< 200 PBSZ=0
> PROT P
< 200 Data protection level set to "private"
> PWD
< 257 "/" is your current location
* Entry path is '/'
> EPSV
* Connect data stream passively
< 229 Extended Passive mode OK (|||30223|)
*   Trying 10.1.7.117... connected
* Connecting to 10.1.7.117 (10.1.7.117) port 30223
> TYPE A
< 200 TYPE is now ASCII
> LIST
< 150 Accepted data connection
* Doing the SSL/TLS handshake on the data stream
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: E=ssl.rey,CN=ge.off.rey
* 	start date: Oct 22 06:53:10 2015 GMT
* 	expire date: Oct 21 06:53:10 2016 GMT
* 	common name: ge.off.rey
* 	issuer: E=ssl.rey,CN=ge.off.rey
* Maxdownload = -1
drwxr-xr-x    2 cpgeoff0   cpgeoff0         4096 Nov 25 22:12 .
drwxr-xr-x    2 cpgeoff0   cpgeoff0         4096 Nov 25 22:12 ..
-rw-------    1 cpgeoff0   cpgeoff0            4 Nov 25 22:12 .ftpquota
* Remembering we are in dir ""
< 226-Options: -a -l
< 226 3 matches total
* Connection #0 to host cpgeoff0.info left intact
> QUIT
< 221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
< 221 Logout.
* Closing connection #0

ssldump from working test

 [~]# ssldump -i eth0 -aAdH port 21
New TCP connection #1: 10.1.7.135(57395) <-> ge.off.rey(21)
0.0109 (0.0109)  S>C
---------------------------------------------------------------
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 23:19. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
---------------------------------------------------------------

0.0114 (0.0004)  C>S
---------------------------------------------------------------
AUTH SSL
---------------------------------------------------------------

0.0115 (0.0001)  S>C
---------------------------------------------------------------
500 This security scheme is not implemented
---------------------------------------------------------------

0.0118 (0.0002)  C>S
---------------------------------------------------------------
AUTH TLS
---------------------------------------------------------------

0.0123 (0.0005)  S>C
---------------------------------------------------------------
234 AUTH TLS OK.
---------------------------------------------------------------

1 1  0.0853 (0.0730)  C>S V3.1(94)  Handshake
      ClientHello
        Version 3.1
        random[32]=
          88 2c ca 8c b3 9b 4f 69 3c 7d b9 b3 70 e8 d1 c1
          48 67 01 36 9e e8 94 a8 e4 5a 0b f4 90 d5 81 3b
        cipher suites
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compression methods
                  NULL
1 2  0.0892 (0.0038)  S>C V3.1(81)  Handshake
      ServerHello
        Version 3.1
        random[32]=
          56 56 96 7f 2c db f0 aa 22 6b 43 6b 2e f1 42 04
          b7 ae 11 05 e4 6a 2f cd 55 27 77 3d ce 58 00 41
        session_id[32]=
          c1 f3 5f d0 c6 4b 66 d7 b9 a5 d2 cc 08 0a 22 e2
          d1 21 bb e3 97 28 0d 2f 54 b2 60 ce 25 ab 54 54
        cipherSuite         TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        compressionMethod                   NULL
1 3  0.0892 (0.0000)  S>C V3.1(833)  Handshake
      Certificate
1 4  0.0893 (0.0001)  S>C V3.1(525)  Handshake
      ServerKeyExchange
        params
          DH_p[128]=
            f4 88 fd 58 4e 49 db cd 20 b4 9d e4 91 07 36 6b
            33 6c 38 0d 45 1d 0f 7c 88 b3 1c 7c 5b 2d 8e f6
            f3 c9 23 c0 43 f0 a5 5b 18 8d 8e bb 55 8c b8 5d
            38 d3 34 fd 7c 17 57 43 a3 1d 18 6c de 33 21 2c
            b5 2a ff 3c e1 b1 29 40 18 11 8d 7c 84 a7 0a 72
            d6 86 c4 03 19 c8 07 29 7a ca 95 0c d9 96 9f ab
            d0 0a 50 9b 02 46 d3 08 3d 66 a4 5d 41 9f 9c 7c
            bd 89 4b 22 19 26 ba ab a2 5e c3 55 e9 2f 78 c7
          DH_g[1]=
            02
          DH_Ys[128]=
            02 41 a8 04 25 04 2f bd 17 2e fe 47 fa db 0a 1e
            76 c8 50 83 29 0f a2 8f de 8d a3 0b ea 55 65 c0
            4d ae 5b 08 d3 a0 67 1b c5 60 f8 64 8d d8 9e 7e
            e4 c3 45 88 92 25 cc e7 ad bc f2 3c f0 64 ab 3d
            23 45 ee cf 5c 27 c5 3d 3b 58 21 34 87 ce a3 92
            f4 ac 98 f9 2d 25 3b 26 c4 76 06 62 64 ae b0 41
            42 29 de 14 ce 97 1f a5 86 80 0d 9a 32 48 b8 3a
            8a e4 c8 c2 73 08 4d a6 94 2d 11 1c f6 c4 c4 23
        signature[256]=
          0d 14 b2 11 5f dc c0 ef 31 40 db 82 41 f1 8f 85
          b3 6e 92 19 4d 3f 47 3e 27 0c fa 96 40 c3 fc c2
          10 fa 5e 70 d3 5c 15 99 fe 30 fa 62 5a 26 ff 29
          e4 da b0 2d 6f 50 91 37 d8 8f a3 7c 96 15 2c e9
          1a 4f 1a 68 da 29 d7 1c 57 cd f1 29 b8 29 08 4d
          d1 94 0e d3 d0 68 77 5b 3a 0c 81 66 dd 52 b2 0b
          27 dd 66 e9 6c 40 0c 81 7c 8e 3e 9a 87 bf 4d 92
          af 57 f0 3b 78 91 16 7c d5 de d7 cc 12 04 05 7b
          56 2e 4e 65 92 1f 33 ec 08 2f d2 9c 0d 14 96 bf
          f8 82 97 34 a9 bb b0 9c 04 2c e2 9d 93 a5 9c bc
          4b c7 b2 f8 7b e2 f6 44 bd 66 a3 70 76 ba cb 3a
          a0 57 c1 ad fd 51 b9 45 db a1 46 68 c5 d6 c8 0d
          bb 48 b7 01 24 0f fb ba 07 e8 c3 99 3b 9a 8b 02
          3c 00 e3 92 3f 7c cc 8f 1e 1d 30 8d 70 c4 99 9d
          e6 f1 75 75 00 7c 82 ee 01 00 f3 4b 81 d0 a8 49
          d7 be 01 61 4f 29 7a ad 15 08 2d 09 27 9d 65 23
1 5  0.0893 (0.0000)  S>C V3.1(4)  Handshake
      ServerHelloDone
1 6  0.0920 (0.0027)  C>S V3.1(134)  Handshake
      ClientKeyExchange
        DiffieHellmanClientPublicValue[128]=
          52 ac 5b 6c 09 8a 5b 96 ca 6a a2 5d 7a 17 09 aa
          a9 9b 8e 06 22 44 31 47 ee 59 6f 0c 80 e1 a9 f0
          2b 93 d7 cf d5 95 46 5d 6f e7 df a8 fd 7f 94 1d
          81 75 10 8c 53 8b b9 0a 39 34 be ba df 16 61 9a
          4a 96 69 90 69 7b 5e 41 bb 91 b5 d9 57 55 b5 c7
          53 24 01 c8 6e 7c 5d de a2 fb 0b 95 e6 f7 33 3c
          06 d1 ea 5c 4e 6c 5a 9c e6 a7 06 ac 57 9b b6 4e
          e8 1b 81 d5 8d d7 e4 43 3e 01 84 42 92 b5 72 ba
1 7  0.0920 (0.0000)  C>S V3.1(1)  ChangeCipherSpec
1 8  0.0920 (0.0000)  C>S V3.1(48)  Handshake
1 9  0.0935 (0.0015)  S>C V3.1(1)  ChangeCipherSpec
1 10 0.0935 (0.0000)  S>C V3.1(48)  Handshake
1 11 0.0940 (0.0004)  C>S V3.1(64)  application_data
1 12 0.0941 (0.0001)  S>C V3.1(80)  application_data
1 13 0.0944 (0.0002)  C>S V3.1(48)  application_data
1 14 0.2360 (0.1416)  S>C V3.1(64)  application_data
1 15 0.2366 (0.0005)  C>S V3.1(32)  application_data
1 16 0.2368 (0.0002)  S>C V3.1(48)  application_data
1 17 0.2373 (0.0004)  C>S V3.1(32)  application_data
1 18 0.2374 (0.0001)  S>C V3.1(80)  application_data
1 19 0.2379 (0.0004)  C>S V3.1(32)  application_data
1 20 0.2379 (0.0000)  S>C V3.1(64)  application_data
1 21 0.2384 (0.0004)  C>S V3.1(32)  application_data
1 22 0.2390 (0.0005)  S>C V3.1(64)  application_data
1 23 0.2408 (0.0018)  C>S V3.1(32)  application_data
1 24 0.2410 (0.0001)  S>C V3.1(48)  application_data
1 25 0.2412 (0.0002)  C>S V3.1(32)  application_data
1 26 0.2413 (0.0001)  S>C V3.1(64)  application_data
1 27 0.2507 (0.0093)  S>C V3.1(48)  application_data
1 28 0.2509 (0.0001)  S>C V3.1(48)  application_data
1 29 0.2520 (0.0011)  C>S V3.1(32)  application_data
1 30 0.2521 (0.0001)  S>C V3.1(80)  application_data
1 31 0.2521 (0.0000)  S>C V3.1(48)  application_data
1 32 0.2528 (0.0006)  C>S V3.1(32)  Alert
1    0.2529 (0.0000)  C>S  TCP FIN
1    0.2530 (0.0000)  S>C  TCP RST

Additional info:

N/A
Comment 2 Kamil Dudka 2015-12-01 11:25:24 UTC 
I tried curl-7.19.7-46.el6 and it communicated just fine over TLS with a vsftpd server running on localhost.  Please provide the exact NVRs of curl and nss packages:

$ rpm -aq {,lib}curl\* nss\* | sort -V
Comment 3 Geoff 2015-12-01 11:31:13 UTC 
[/]# rpm -aq {,lib}curl\* nss\* | sort -V
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
nss-3.19.1-5.el6_7.x86_64
nss-softokn-3.14.3-23.el6_7.x86_64
nss-softokn-freebl-3.14.3-23.el6_7.x86_64
nss-sysinit-3.19.1-5.el6_7.x86_64
nss-tools-3.19.1-5.el6_7.x86_64
nss-util-3.19.1-2.el6_7.x86_64

Sorry, I meant to actually add this information when I initially submitted the case.
Comment 4 Kamil Dudka 2015-12-01 11:49:38 UTC 
I updated to the above listed versions of packages and curl still works just fine.  Please provide a self-contained reproducer, either against a publicly available server, or a locally installable server.
Comment 5 Kamil Dudka 2015-12-22 12:25:12 UTC 
Closing until the info required in comment #4 is provided.
Comment 6 Red Hat Bugzilla 2023-09-14 03:14:03 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days