Bug 2071631

Summary: [tr_TR] curl: (35) error:03000072:digital envelope routines::decode error with LANG=tr_TR.utf8
Product: Red Hat Enterprise Linux 9 Reporter: Bhushan Barve <bbarve>
Component: opensslAssignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED ERRATA QA Contact: Hubert Kario <hkario>
Severity: high Docs Contact: Mirek Jahoda <mjahoda>
Priority: high    
Version: 9.0CC: asosedki, cllang, crypto-team, dbelyavs, extras-qa, fzatlouk, kborole, mjahoda, mspacek, mturk, petersen, pkis, pvlasin, sahana, szidek, thunderbirdtr, tm
Target Milestone: rcKeywords: i18n, Regression, Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openssl-3.0.1-23.el9_0 Doc Type: Bug Fix
Doc Text:
.OpenSSL-based applications now work correctly with the Turkish locale Because the `OpenSSL` library uses case-insensitive string comparison functions, OpenSSL-based applications did not work correctly with the Turkish locale, and omitted checks caused applications using this locale to crash. This update provides a patch to use the Portable Operating System Interface (POSIX) locale for case-insensitive string comparison. As a result, OpenSSL-based applications such as curl work correctly with the Turkish locale.
 Story Points: ---
Clone Of: 2071343
: 2072997 2076654 (view as bug list) Environment:
Last Closed: 2022-05-25 15:49:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2071343    
Bug Blocks: 2072997, 2076654    

Description Bhushan Barve 2022-04-04 12:04:36 UTC 
+++ This bug was initially created as a clone of Bug #2071343 +++

Description of problem:
With openssl-3.0.0:

$ LANG=tr_TR.utf8 curl -L https://google.com
Segmentation fault (core dumped)

and openssl-3.0.2 in F36+:

$ LANG=tr_TR.utf8 curl -L https://google.com
curl: (35) error:03000072:digital envelope routines::decode error

This is also affecting rpm-ostree:
see the original report at
https://github.com/fedora-silverblue/issue-tracker/issues/241

Version-Release number of selected component (if applicable):
openssl-libs-3.0.2-1.fc36.x86_64

How reproducible:
100%

Steps to Reproduce:
0. install glibc-langpack-tr if glibc-all-langpacks not installed
1. LANG=tr_TR.utf8 curl -Lv https://google.com

Actual results:
*   Trying 142.251.12.100:443...
* Connected to google.com (142.251.12.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, bad certificate (554):
* error:03000072:digital envelope routines::decode error
* Closing connection 0
curl: (35) error:03000072:digital envelope routines::decode error

or a segfault with 3.0.0.

Expected results:
No error, as with other locales.

Additional info:
My naive guess is that maybe some glibc char function might be being misused, which is only triggered by some particular locale(s) like Turkish?

--- Additional comment from Onuralp Sezer on 2022-04-03 13:08:20 UTC ---
Comment 2 FrantiĊĦek Zatloukal 2022-04-04 14:42:20 UTC 
Let's not make a el9 bug a Fedora FE since we have duplicate report for Fedora.
Comment 20 Clemens Lang 2022-05-25 15:49:05 UTC 
See https://bugzilla.redhat.com/show_bug.cgi?id=2076654#c15:

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openssl bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:4583