Bug 1286973 - curl 7.19.7 doesn't properly handle TLS traffic
Summary: curl 7.19.7 doesn't properly handle TLS traffic
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: curl
Version: 6.7
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Kamil Dudka
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-12-01 09:28 UTC by Geoff
Modified: 2023-09-14 03:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-22 12:25:12 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 895339 1 None None None 2021-01-20 06:05:38 UTC

Internal Links: 895339

Description Geoff 2015-12-01 09:28:48 UTC
Description of problem:

curl 7.19.7 doesn't properly handle TLS traffic when using flags like --ftp-ssl to connect to FTP servers securely.  


Version-Release number of selected component (if applicable):

7.19.7

How reproducible:

This was reproducible 100% of the time when tested.  

Steps to Reproduce:
1. Use curl to connect to FTP using --ftp-ssl or --ftp-ssl-reqd 

Actual results:

[~]# curl -v  -k --ftp-ssl-reqd ftp://cpgeoff0.info -u cpgeoff:******
* About to connect() to cpgeoff0.info port 21 (#0)
*   Trying 10.1.7.117... connected
* Connected to cpgeoff0.info (10.1.7.117) port 21 (#0)
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 220-You are user number 1 of 50 allowed.
< 220-Local time is now 23:15. Server port: 21.
< 220-This is a private system - No anonymous login
< 220-IPv6 connections are also welcome on this server.
< 220 You will be disconnected after 15 minutes of inactivity.
> AUTH SSL
< 500 This security scheme is not implemented
> AUTH TLS
< 234 AUTH TLS OK.
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* 	subject: E=ssl.rey,CN=ge.off.rey
* 	start date: Oct 22 06:53:10 2015 GMT
* 	expire date: Oct 21 06:53:10 2016 GMT
* 	common name: ge.off.rey
* 	issuer: E=ssl.rey,CN=ge.off.rey
> USER cpgeoff
< 331 User cpgeoff OK. Password required
> PASS *****
< 230 OK. Current restricted directory is /
> PBSZ 0
< 200 PBSZ=0
> PROT P
< 200 Data protection level set to "private"
> PWD
< 257 "/" is your current location
* Entry path is '/'
> EPSV
* Connect data stream passively
< 229 Extended Passive mode OK (|||60642|)
*   Trying 10.1.7.117... No route to host
* couldn't connect to host
* got positive EPSV response, but can't connect. Disabling EPSV
> PASV
< 227 Entering Passive Mode (10,1,7,117,154,58)
*   Trying 10.1.7.117... connected
* Connecting to 10.1.7.117 (10.1.7.117) port 39482
> TYPE A
< 200 TYPE is now ASCII
> LIST
< 150 Accepted data connection
* Doing the SSL/TLS handshake on the data stream
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* 	subject: E=ssl.rey,CN=ge.off.rey
* 	start date: Oct 22 06:53:10 2015 GMT
* 	expire date: Oct 21 06:53:10 2016 GMT
* 	common name: ge.off.rey
* 	issuer: E=ssl.rey,CN=ge.off.rey
* Maxdownload = -1
* Remembering we are in dir ""
* FTP response reading failed
* Connection #0 to host cpgeoff0.info left intact
curl: (56) FTP response reading failed
> QUIT
* FTP response reading failed
* Closing connection #0

An ssldump being run on the actual FTP server shows this:

# ssldump -i eth0 -aAdH port 21
New TCP connection #1: 10.1.7.135(57302) <-> ge.off.rey(21)
0.0074 (0.0074)  S>C
---------------------------------------------------------------
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 23:15. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
---------------------------------------------------------------

0.0079 (0.0005)  C>S
---------------------------------------------------------------
AUTH SSL
---------------------------------------------------------------

0.0082 (0.0002)  S>C
---------------------------------------------------------------
500 This security scheme is not implemented
---------------------------------------------------------------

0.0084 (0.0002)  C>S
---------------------------------------------------------------
AUTH TLS
---------------------------------------------------------------

0.0085 (0.0000)  S>C
---------------------------------------------------------------
234 AUTH TLS OK.
---------------------------------------------------------------

1 1  0.0862 (0.0776)  C>S V3.1(94)  Handshake
      ClientHello
        Version 3.1
        random[32]=
          62 00 3d 70 ad 81 a8 3a a9 04 45 11 de b0 e8 8a
          d4 2d 3a f4 da 99 cb 2e f1 61 da 9e 10 ce 99 19
        cipher suites
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compression methods
                  NULL
1 2  0.0896 (0.0034)  S>C V3.1(81)  Handshake
      ServerHello
        Version 3.1
        random[32]=
          56 56 95 8d 76 fc 9c 4c 63 a2 ad 23 b6 a9 c8 bd
          ba 18 1d 76 e4 88 6f 3e b5 88 9c ed 97 ee 12 6d
        session_id[32]=
          dd f0 ab b3 d4 49 f8 3e eb 35 44 16 09 16 9f 9b
          f9 13 1a c1 58 a6 29 57 78 c9 df 6c 29 1b e4 21
        cipherSuite         TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        compressionMethod                   NULL
1 3  0.0896 (0.0000)  S>C V3.1(833)  Handshake
      Certificate
1 4  0.0897 (0.0000)  S>C V3.1(781)  Handshake
      ServerKeyExchange
        params
          DH_p[256]=
          DH_g[1]=
            02
          DH_Ys[256]=
        signature[256]=
1 5  0.0897 (0.0000)  S>C V3.1(4)  Handshake
      ServerHelloDone
1 6  0.0938 (0.0040)  C>S V3.1(262)  Handshake
      ClientKeyExchange
        DiffieHellmanClientPublicValue[256]=
1 7  0.0938 (0.0000)  C>S V3.1(1)  ChangeCipherSpec
1 8  0.0938 (0.0000)  C>S V3.1(48)  Handshake
1 9  0.0999 (0.0060)  S>C V3.1(1)  ChangeCipherSpec
1 10 0.0999 (0.0000)  S>C V3.1(48)  Handshake
1 11 0.1004 (0.0005)  C>S V3.1(64)  application_data
1 12 0.1005 (0.0001)  S>C V3.1(32)  application_data
1 13 0.1005 (0.0000)  S>C V3.1(80)  application_data
1 14 0.1008 (0.0002)  C>S V3.1(48)  application_data
1 15 0.2231 (0.1222)  S>C V3.1(32)  application_data
1 16 0.2231 (0.0000)  S>C V3.1(64)  application_data
1 17 0.2238 (0.0007)  C>S V3.1(32)  application_data
1 18 0.2240 (0.0001)  S>C V3.1(32)  application_data
1 19 0.2240 (0.0000)  S>C V3.1(48)  application_data
1 20 0.2245 (0.0004)  C>S V3.1(32)  application_data
1 21 0.2246 (0.0000)  S>C V3.1(32)  application_data
1 22 0.2246 (0.0000)  S>C V3.1(80)  application_data
1 23 0.2251 (0.0004)  C>S V3.1(32)  application_data
1 24 0.2252 (0.0000)  S>C V3.1(32)  application_data
1 25 0.2252 (0.0000)  S>C V3.1(64)  application_data
1 26 0.2263 (0.0011)  C>S V3.1(32)  application_data
1 27 0.2265 (0.0001)  S>C V3.1(32)  application_data
1 28 0.2265 (0.0000)  S>C V3.1(64)  application_data
1 29 0.2276 (0.0010)  C>S V3.1(32)  application_data
1 30 0.2277 (0.0001)  S>C V3.1(32)  application_data
1 31 0.2277 (0.0000)  S>C V3.1(80)  application_data
1 32 0.2300 (0.0022)  C>S V3.1(32)  application_data
1 33 0.2301 (0.0001)  S>C V3.1(32)  application_data
1 34 0.2301 (0.0000)  S>C V3.1(48)  application_data
1 35 0.2313 (0.0011)  C>S V3.1(32)  application_data
1 36 0.2314 (0.0001)  S>C V3.1(32)  application_data
1 37 0.2314 (0.0000)  S>C V3.1(64)  application_data
1    0.2491 (0.0176)  S>C  TCP FIN
1 38 0.2500 (0.0008)  C>S V3.1(32)  application_data

Expected results:

[~]# curl -v  -k --ftp-ssl-reqd ftp://cpgeoff0.info -u cpgeoff:******
* About to connect() to cpgeoff0.info port 21 (#0)
*   Trying 10.1.7.117... connected
* Connected to cpgeoff0.info (10.1.7.117) port 21 (#0)
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 220-You are user number 1 of 50 allowed.
< 220-Local time is now 23:19. Server port: 21.
< 220-This is a private system - No anonymous login
< 220-IPv6 connections are also welcome on this server.
< 220 You will be disconnected after 15 minutes of inactivity.
> AUTH SSL
< 500 This security scheme is not implemented
> AUTH TLS
< 234 AUTH TLS OK.
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: E=ssl.rey,CN=ge.off.rey
* 	start date: Oct 22 06:53:10 2015 GMT
* 	expire date: Oct 21 06:53:10 2016 GMT
* 	common name: ge.off.rey
* 	issuer: E=ssl.rey,CN=ge.off.rey
> USER cpgeoff
< 331 User cpgeoff OK. Password required
> PASS ******
< 230 OK. Current restricted directory is /
> PBSZ 0
< 200 PBSZ=0
> PROT P
< 200 Data protection level set to "private"
> PWD
< 257 "/" is your current location
* Entry path is '/'
> EPSV
* Connect data stream passively
< 229 Extended Passive mode OK (|||30223|)
*   Trying 10.1.7.117... connected
* Connecting to 10.1.7.117 (10.1.7.117) port 30223
> TYPE A
< 200 TYPE is now ASCII
> LIST
< 150 Accepted data connection
* Doing the SSL/TLS handshake on the data stream
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: E=ssl.rey,CN=ge.off.rey
* 	start date: Oct 22 06:53:10 2015 GMT
* 	expire date: Oct 21 06:53:10 2016 GMT
* 	common name: ge.off.rey
* 	issuer: E=ssl.rey,CN=ge.off.rey
* Maxdownload = -1
drwxr-xr-x    2 cpgeoff0   cpgeoff0         4096 Nov 25 22:12 .
drwxr-xr-x    2 cpgeoff0   cpgeoff0         4096 Nov 25 22:12 ..
-rw-------    1 cpgeoff0   cpgeoff0            4 Nov 25 22:12 .ftpquota
* Remembering we are in dir ""
< 226-Options: -a -l
< 226 3 matches total
* Connection #0 to host cpgeoff0.info left intact
> QUIT
< 221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
< 221 Logout.
* Closing connection #0

ssldump from working test

 [~]# ssldump -i eth0 -aAdH port 21
New TCP connection #1: 10.1.7.135(57395) <-> ge.off.rey(21)
0.0109 (0.0109)  S>C
---------------------------------------------------------------
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 23:19. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
---------------------------------------------------------------

0.0114 (0.0004)  C>S
---------------------------------------------------------------
AUTH SSL
---------------------------------------------------------------

0.0115 (0.0001)  S>C
---------------------------------------------------------------
500 This security scheme is not implemented
---------------------------------------------------------------

0.0118 (0.0002)  C>S
---------------------------------------------------------------
AUTH TLS
---------------------------------------------------------------

0.0123 (0.0005)  S>C
---------------------------------------------------------------
234 AUTH TLS OK.
---------------------------------------------------------------

1 1  0.0853 (0.0730)  C>S V3.1(94)  Handshake
      ClientHello
        Version 3.1
        random[32]=
          88 2c ca 8c b3 9b 4f 69 3c 7d b9 b3 70 e8 d1 c1
          48 67 01 36 9e e8 94 a8 e4 5a 0b f4 90 d5 81 3b
        cipher suites
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compression methods
                  NULL
1 2  0.0892 (0.0038)  S>C V3.1(81)  Handshake
      ServerHello
        Version 3.1
        random[32]=
          56 56 96 7f 2c db f0 aa 22 6b 43 6b 2e f1 42 04
          b7 ae 11 05 e4 6a 2f cd 55 27 77 3d ce 58 00 41
        session_id[32]=
          c1 f3 5f d0 c6 4b 66 d7 b9 a5 d2 cc 08 0a 22 e2
          d1 21 bb e3 97 28 0d 2f 54 b2 60 ce 25 ab 54 54
        cipherSuite         TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        compressionMethod                   NULL
1 3  0.0892 (0.0000)  S>C V3.1(833)  Handshake
      Certificate
1 4  0.0893 (0.0001)  S>C V3.1(525)  Handshake
      ServerKeyExchange
        params
          DH_p[128]=
          DH_g[1]=
            02
          DH_Ys[128]=
        signature[256]=
1 5  0.0893 (0.0000)  S>C V3.1(4)  Handshake
      ServerHelloDone
1 6  0.0920 (0.0027)  C>S V3.1(134)  Handshake
      ClientKeyExchange
        DiffieHellmanClientPublicValue[128]=
1 7  0.0920 (0.0000)  C>S V3.1(1)  ChangeCipherSpec
1 8  0.0920 (0.0000)  C>S V3.1(48)  Handshake
1 9  0.0935 (0.0015)  S>C V3.1(1)  ChangeCipherSpec
1 10 0.0935 (0.0000)  S>C V3.1(48)  Handshake
1 11 0.0940 (0.0004)  C>S V3.1(64)  application_data
1 12 0.0941 (0.0001)  S>C V3.1(80)  application_data
1 13 0.0944 (0.0002)  C>S V3.1(48)  application_data
1 14 0.2360 (0.1416)  S>C V3.1(64)  application_data
1 15 0.2366 (0.0005)  C>S V3.1(32)  application_data
1 16 0.2368 (0.0002)  S>C V3.1(48)  application_data
1 17 0.2373 (0.0004)  C>S V3.1(32)  application_data
1 18 0.2374 (0.0001)  S>C V3.1(80)  application_data
1 19 0.2379 (0.0004)  C>S V3.1(32)  application_data
1 20 0.2379 (0.0000)  S>C V3.1(64)  application_data
1 21 0.2384 (0.0004)  C>S V3.1(32)  application_data
1 22 0.2390 (0.0005)  S>C V3.1(64)  application_data
1 23 0.2408 (0.0018)  C>S V3.1(32)  application_data
1 24 0.2410 (0.0001)  S>C V3.1(48)  application_data
1 25 0.2412 (0.0002)  C>S V3.1(32)  application_data
1 26 0.2413 (0.0001)  S>C V3.1(64)  application_data
1 27 0.2507 (0.0093)  S>C V3.1(48)  application_data
1 28 0.2509 (0.0001)  S>C V3.1(48)  application_data
1 29 0.2520 (0.0011)  C>S V3.1(32)  application_data
1 30 0.2521 (0.0001)  S>C V3.1(80)  application_data
1 31 0.2521 (0.0000)  S>C V3.1(48)  application_data
1 32 0.2528 (0.0006)  C>S V3.1(32)  Alert
1    0.2529 (0.0000)  C>S  TCP FIN
1    0.2530 (0.0000)  S>C  TCP RST

Additional info:

N/A
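
To compare two ssldump captures such as the failing and working ones in the description, the following added example (not part of the original report, and not curl or ssldump project code) reduces each trace to the negotiated cipher suite, the server's DH prime size, and how the connection was torn down, then lists the fields that differ. The two sample traces are constructed and abbreviated from the format shown above; the function names are hypothetical, and one TLS connection per trace is assumed.

```python
import re

# Constructed, abbreviated traces in ssldump's text format (hex bodies omitted).
FAILING = """\
1 2  0.0896 (0.0034)  S>C V3.1(81)  Handshake
      ServerHello
        cipherSuite         TLS_DHE_RSA_WITH_AES_128_CBC_SHA
1 4  0.0897 (0.0000)  S>C V3.1(781)  Handshake
      ServerKeyExchange
          DH_p[256]=
1 37 0.2314 (0.0000)  S>C V3.1(64)  application_data
1    0.2491 (0.0176)  S>C  TCP FIN
1 38 0.2500 (0.0008)  C>S V3.1(32)  application_data
"""
WORKING = """\
1 2  0.0892 (0.0038)  S>C V3.1(81)  Handshake
      ServerHello
        cipherSuite         TLS_DHE_RSA_WITH_AES_256_CBC_SHA
1 4  0.0893 (0.0001)  S>C V3.1(525)  Handshake
      ServerKeyExchange
          DH_p[128]=
1 31 0.2521 (0.0000)  S>C V3.1(48)  application_data
1 32 0.2528 (0.0006)  C>S V3.1(32)  Alert
1    0.2529 (0.0000)  C>S  TCP FIN
1    0.2530 (0.0000)  S>C  TCP RST
"""

# "<conn> <record#> <time> (<delta>)  <dir> V<maj>.<min>(<len>)  <type>"
RECORD = re.compile(
    r"^(\d+)\s+(\d+)\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+V\d+\.\d+\((\d+)\)\s+(\S+)")
# "<conn>    <time> (<delta>)  <dir>  TCP FIN|RST" (no record number)
TCP_EVENT = re.compile(r"^(\d+)\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+TCP\s+(FIN|RST)")
CIPHER = re.compile(r"^\s+cipherSuite\s+(\S+)")   # ServerHello's chosen suite
DH_P = re.compile(r"^\s+DH_p\[(\d+)\]=")          # ServerKeyExchange prime length


def summarize(trace):
    """Reduce one ssldump text trace (single connection) to the fields worth diffing."""
    out = {"cipher": None, "dh_bits": None, "first_close": None,
           "alert_before_close": False, "records_after_close": 0}
    for line in trace.splitlines():
        if m := CIPHER.match(line):
            out["cipher"] = m.group(1)
        elif m := DH_P.match(line):
            out["dh_bits"] = int(m.group(1)) * 8   # ssldump prints the length in bytes
        elif m := TCP_EVENT.match(line):
            if out["first_close"] is None:         # who tore the connection down first
                out["first_close"] = (m.group(2), m.group(3))
        elif m := RECORD.match(line):
            if out["first_close"] is not None:     # TLS record sent after a FIN/RST
                out["records_after_close"] += 1
            elif m.group(5) == "Alert":            # TLS alert seen before any TCP close
                out["alert_before_close"] = True
    return out


def differences(a, b):
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    sa, sb = summarize(a), summarize(b)
    return {k: (sa[k], sb[k]) for k in sa if sa[k] != sb[k]}


if __name__ == "__main__":
    for field, (bad, good) in differences(FAILING, WORKING).items():
        print(f"{field:22} failing={bad!r:40} working={good!r}")
```
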

Comment 2 Kamil Dudka 2015-12-01 11:25:24 UTC
I tried curl-7.19.7-46.el6 and it communicated just fine over TLS with a vsftpd server running on localhost.  Please provide the exact NVRs of curl and nss packages:

$ rpm -aq {,lib}curl\* nss\* | sort -V

Comment 3 Geoff 2015-12-01 11:31:13 UTC
[/]# rpm -aq {,lib}curl\* nss\* | sort -V
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
nss-3.19.1-5.el6_7.x86_64
nss-softokn-3.14.3-23.el6_7.x86_64
nss-softokn-freebl-3.14.3-23.el6_7.x86_64
nss-sysinit-3.19.1-5.el6_7.x86_64
nss-tools-3.19.1-5.el6_7.x86_64
nss-util-3.19.1-2.el6_7.x86_64

Sorry, I meant to actually add this information when I initially submitted the case.

Comment 4 Kamil Dudka 2015-12-01 11:49:38 UTC
I updated to the above listed versions of packages and curl still works just fine.  Please provide a self-contained reproducer, either against a publicly available server, or a locally installable server.

Comment 5 Kamil Dudka 2015-12-22 12:25:12 UTC
Closing until the info required in comment #4 is provided.

Comment 6 Red Hat Bugzilla 2023-09-14 03:14:03 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

