Bug 1260678 - Certificate verification fails with multiple https urls [el6/nss]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
6.7
Unspecified Linux
unspecified Severity high
: rc
: ---
Assigned To: Daiki Ueno
Hubert Kario
: Patch
Depends On: 1241172
Blocks: 1269194 1343211 1269660
Reported: 2015-09-07 08:46 EDT by Hubert Kario
Modified: 2017-03-21 06:25 EDT (History)

See Also:
Fixed In Version: nss-3.27.1-2.el6
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1241172
: 1269660
Environment:
Last Closed: 2017-03-21 06:25:14 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Hubert Kario 2015-09-07 08:46:50 EDT
Issue also present on RHEL 6.7.z with
nss-3.19.1-3.el6_6.x86_64
curl-7.19.7-46.el6.x86_64

+++ This bug was initially created as a clone of Bug #1241172 +++

Description of problem:

Programs using curl or libcurl return HTTP 400 error on subsequent https calls because certificate verification fails. If only one url is requested at a time, verification succeeds.


Version-Release number of selected component (if applicable):

  curl-7.29.0-19.el7.x86_64
  php-5.4.16-36.el7_1.x86_64
  nss-3.19.1-3.el7_1.x86_64


How reproducible:

[user@host htdocs]# curl -v -I https://owncloud.org/ https://www.owncloud.org/
  * About to connect() to owncloud.org port 443 (#0)
  *   Trying 50.30.33.236...
  * Connected to owncloud.org (50.30.33.236) port 443 (#0)
  * Initializing NSS with certpath: sql:/etc/pki/nssdb
  *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  * SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  * Server certificate:
  * 	subject: CN=www.owncloud.org,OU=Domain Control Validated
  * 	start date: Feb 09 23:47:38 2015 GMT
  * 	expire date: Dec 10 10:32:11 2015 GMT
  * 	common name: www.owncloud.org
  * 	issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
  > HEAD / HTTP/1.1
  > User-Agent: curl/7.29.0
  > Host: owncloud.org
  > Accept: */*
  > 
  < HTTP/1.1 200 OK
  [...]
  
  * Connection #0 to host owncloud.org left intact
  * About to connect() to www.owncloud.org port 443 (#1)
  *   Trying 50.30.33.236...
  * Connected to www.owncloud.org (50.30.33.236) port 443 (#1)
  *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  * SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  * Server certificate:
  * 	subject: CN=www.owncloud.org,OU=Domain Control Validated
  * 	start date: Feb 09 23:47:38 2015 GMT
  * 	expire date: Dec 10 10:32:11 2015 GMT
  * 	common name: www.owncloud.org
  * 	issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
  > HEAD / HTTP/1.1
  > User-Agent: curl/7.29.0
  > Host: www.owncloud.org
  > Accept: */*
  > 
  < HTTP/1.1 400 Bad Request
  [...]
  * Closing connection 1

The only difference I can see is that
  Initializing NSS with certpath: sql:/etc/pki/nssdb
is present on the first call but not on the second. CAfile is mentioned on both calls.

Steps to Reproduce:
1. curl -v -I https://owncloud.org/ https://www.owncloud.org/

Actual results:
HTTP/1.1 200 OK
HTTP/1.1 400 Bad Request


Expected results:
HTTP/1.1 200 OK (for https://owncloud.org/)
HTTP/1.1 301 Moved Permanently (for https://www.owncloud.org/)


Additional info:

This also happens with php 5.6.10 and curl-7.43, both compiled from Fedora src rpm for RHEL7 but only when --with-nss (default) is used. Compiled with --with-ssl (openssl) curl/libcurl/php works as expected.

This prevents e.g. owncloud from working properly (apps / external data cannot be loaded)

--- Additional comment from Kamil Dudka on 2015-07-08 12:33:22 EDT ---

This looks like bug #1104597 (nss bug), will have a look tomorrow.

--- Additional comment from Benjamin Xiao on 2015-07-08 14:01:45 EDT ---

Also seeing this on Fedora 22 with up-to-date standard php and curl packages.

--- Additional comment from Kamil Dudka on 2015-07-09 04:50:19 EDT ---

(In reply to Kamil Dudka from comment #1)
> This looks like bug #1104597 (nss bug), will have a look tomorrow.

Confirmed.  Attachment #902122 [details] fixes the bug.  Flipping the component to nss.

--- Additional comment from Stefan Neufeind on 2015-07-25 16:18:33 EDT ---

I've heard rumours this also affects RHEL6, so we might require a backport as well then.

--- Additional comment from Kamil Dudka on 2015-09-03 05:02:58 EDT ---

A patch for this bug (attachment #902122 [details]) was proposed more than a year ago.  Could you please have a look at that?
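The report above is diagnosed by eye from the `curl -v` transcript: the first connection initialises NSS and gets 200, the second reuses the same CAfile, shows no NSS initialisation line and gets 400. The following helper, added here as an example and not part of the bug report or of curl/NSS, parses such a transcript into one record per connection (#n) and lists the connections that ended in an HTTP error, so the same triage can be run over a saved transcript; the embedded sample is a constructed, abridged copy of the output quoted in the report.

```python
import re

# Constructed, abridged copy of the `curl -v -I` transcript from the report
SAMPLE = """\
* About to connect() to owncloud.org port 443 (#0)
* Connected to owncloud.org (50.30.33.236) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
< HTTP/1.1 200 OK
* Connection #0 to host owncloud.org left intact
* About to connect() to www.owncloud.org port 443 (#1)
* Connected to www.owncloud.org (50.30.33.236) port 443 (#1)
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
< HTTP/1.1 400 Bad Request
* Closing connection 1
"""

CONNECT_RE = re.compile(r"^\* About to connect\(\) to (\S+) port \d+ \(#(\d+)\)")
STATUS_RE = re.compile(r"^< HTTP/\d\.\d (\d{3})")


def parse_transcript(text):
    """Split a curl -v transcript into one record per connection (#n)."""
    conns, cur = [], None
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            cur = {"host": m.group(1), "index": int(m.group(2)),
                   "nss_init": False, "cafile": None, "status": None}
            conns.append(cur)
        elif cur is None:
            continue  # ignore anything before the first connection
        elif line.startswith("* Initializing NSS"):
            cur["nss_init"] = True  # NSS is initialised once per process
        elif line.startswith("*   CAfile:"):
            cur["cafile"] = line.split(":", 1)[1].strip()
        else:
            s = STATUS_RE.match(line)
            if s and cur["status"] is None:
                cur["status"] = int(s.group(1))  # first status line wins
    return conns


def failing_connections(conns):
    """Return (index, host, status, nss_init) for every connection that got
    an HTTP error; an error only on connections after the first, with the
    same CAfile, is the pattern described in this report."""
    return [(c["index"], c["host"], c["status"], c["nss_init"])
            for c in conns if c["status"] is not None and c["status"] >= 400]


if __name__ == "__main__":
    for entry in failing_connections(parse_transcript(SAMPLE)):
        print("connection #%d to %s: HTTP %d (NSS init seen: %s)" % entry)
```

Feed it a real transcript with `curl -v -I url1 url2 2>&1` redirected to a file; a clean run of the two URLs above should produce no failing connection.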
Comment 1 Kamil Dudka 2015-09-18 12:04:41 EDT
There is a workaround for curl suggested by Mozilla upstream:

https://github.com/bagder/curl/commit/958d2ffb
Comment 3 Hubert Kario 2015-11-04 07:19:26 EST
Kamil, I can verify that it is fixed in Fedora 22 version of curl, do you plan to implement the same workaround in RHEL?
Comment 4 Kamil Dudka 2015-11-04 07:25:47 EST
Yes, assuming the fix gets approved.  See bug #1269660 and bug #1269855.
Comment 5 Robert Scheck 2016-05-19 14:02:46 EDT
Cross-filed case 01637758 on the Red Hat customer portal to get this moved on.
Comment 6 Hubert Kario 2016-05-20 05:44:00 EDT
The issue was fixed on the curl side and released in the 6.8.0 release, see bug 1269660.

Is the solution provided by the new curl package not sufficient?
Comment 7 Robert Scheck 2016-05-20 07:16:24 EDT
Taking https://github.com/owncloud/core/issues/16255#issuecomment-112481294
and "curl -v -I https://owncloud.org/ https://www.owncloud.org/" as the test
cases:

RHEL 6.7: Does not work (returns 200/400)
RHEL 6.8: Works (returns 200/301)

Thus you are right, curl-7.19.7-52.el6 as shipped with RHEL 6.8 solves this
issue. I didn't verify RHEL 6.8 after I noticed that RHEL 7 is still affected.
So, let's close this one?
Comment 8 Hubert Kario 2016-05-20 08:22:03 EDT
As Kamil said in the RHEL-7 version of the bug, we don't yet have a reason to not fix it in NSS itself.

So I don't think it is necessary to close this bug just yet.
Comment 9 Robert Scheck 2016-05-20 08:30:54 EDT
Oh, yes, sorry. I got confused about NSS vs. curl. So yes, while the curl
issue is solved, the NSS one (this RHBZ) isn't yet. Makes sense to get this
fixed as well :)
Comment 18 errata-xmlrpc 2017-03-21 06:25:14 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0671.html
