Bug 788526
| Summary: | SSL_ERROR_RX_MALFORMED_ALERT when connecting through a proxy | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Richard W.M. Jones <rjones> |
| Component: | curl | Assignee: | Kamil Dudka <kdudka> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 17 | CC: | abrt-devel-list, dvlasenk, iprikryl, jmoskovc, kdudka, kklic, mmilata, mtoman, npajkovs, paul, rh-bugzilla |
| Target Milestone: | --- | Keywords: | Patch |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | curl-7.26.0-4.fc18 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-15 00:27:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Richard W.M. Jones
2012-02-08 11:25:07 UTC
Very likely a nss or curl problem: using 'xmlrpc' from http://koji.fedoraproject.org/koji/buildinfo?buildID=322409 gives with nss-3.13.4-3.fc17.x86_64, curl-7.24.0-2.fc17.x86_64: ---- $ XMLRPC_TRACE_CURL=1 xmlrpc https://bugzilla.redhat.com/ x * About to connect() to proxy www-cache port 3128 (#0) * Trying 192.168.8.193... * Connected to www-cache (192.168.8.193) port 3128 (#0) * Connected to www-cache (192.168.8.193) port 3128 (#0) * Establish HTTP proxy tunnel to bugzilla.redhat.com:443 > CONNECT bugzilla.redhat.com:443 HTTP/1.1 Host: bugzilla.redhat.com:443 Proxy-Connection: Keep-Alive Content-Type: text/xml User-Agent: Xmlrpc-c/1.29.3 Curl/7.24.0 < HTTP/1.0 200 Connection established < * Proxy replied OK to CONNECT request * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA * Server certificate: * subject: CN=bugzilla.redhat.com,OU=Information Technology,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US,serialNumber=bcTlha1YkNcz9-M0vAzRilv01xaCkiRQ * start date: Jan 31 18:26:47 2011 GMT * expire date: Mar 04 23:43:36 2013 GMT * common name: bugzilla.redhat.com * issuer: CN=GeoTrust SSL CA,O="GeoTrust, Inc.",C=US * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * NSS error -12250 (SSL_ERROR_RX_MALFORMED_ALERT) * Closing connection #0 --- The second CAfile/CApath line (which does not appear in plain curl -v https://bugzilla.redhat.com/ ) indicates that there happens some TLS renegotiation or so. Same xmlrpc-c on a RHEL6.2 machine (nss-3.13.1-7.el6_2.i686, curl-7.19.7-26.el6_1.2.x86_64): --- * Proxy replied OK to CONNECT request * Initializing NSS with certpath: /etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA * Server certificate: * subject: CN=bugzilla.redhat.com,OU=Information Technology,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US,serialNumber=bcTlha1YkNcz9-M0vAzRilv01xaCkiRQ * start date: Jan 31 18:26:47 2011 GMT * expire date: Mar 04 23:43:36 2013 GMT * common name: bugzilla.redhat.com * issuer: CN=GeoTrust SSL CA,O="GeoTrust, Inc.",C=US * Connected to www-cache (192.168.8.193) port 3128 (#0) > POST / HTTP/1.1 Host: bugzilla.redhat.com Accept: */* Content-Type: text/xml User-Agent: Xmlrpc-c/1.29.3 Curl/7.19.7 --- Reassigning to curl because this seems to happen only, when communication goes through a proxy: | $ https_proxy= MALLOC_PERTURB_= XMLRPC_TRACE_CURL=1 ./xmlrpc https://www.google.com x | | * About to connect() to www.google.com port 443 (#0) | * Trying 173.194.69.103... | ... | * issuer: CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA | > POST / HTTP/1.1 | Host: www.google.com | $ https_proxy=http://www-cache:3128 MALLOC_PERTURB_= XMLRPC_TRACE_CURL=1 ./xmlrpc https://www.google.com x | * About to connect() to proxy www-cache port 3128 (#0) | * Trying 192.168.8.193... | ... | * issuer: CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA | * NSS error -12250 (SSL_ERROR_RX_MALFORMED_ALERT) minimal example:
----
#include <curl/curl.h>
int main(int argc, char *argv[]) {
CURL *e = curl_easy_init();
CURLM *m = curl_multi_init();
int r;
curl_easy_setopt(e, CURLOPT_URL, argv[1]);
curl_easy_setopt(e, CURLOPT_VERBOSE, 1L);
curl_multi_add_handle(m, e);
do {
curl_multi_perform(m, &r);
} while (r > 0);
return r;
}
----
Thanks for the reproducer! It looks like curl tries to initiate a SSL handshake on a socket with an already established SSL connection. git-bisect points to the following commit: https://github.com/bagder/curl/commit/3c18b38 I have pushed a fix upstream: https://github.com/bagder/curl/commit/68857e4 fixed in curl-7.26.0-3.fc18 sorry, I meant curl-7.26.0-4.fc18 curl-7.24.0-4.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/curl-7.24.0-4.fc17 Package curl-7.24.0-4.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing curl-7.24.0-4.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-9214/curl-7.24.0-4.fc17 then log in and leave karma (feedback). curl-7.24.0-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. |