RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2139337 - Fall back automagically to HTTP1.1 from HTTP2.0 when performing auth method
Summary: Fall back automagically to HTTP1.1 from HTTP2.0 when performing auth method
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: curl
Version: 8.7
Hardware: All
OS: Linux
urgent
high
Target Milestone: rc
: ---
Assignee: Kamil Dudka
QA Contact: Daniel Rusek
URL:
Whiteboard:
Depends On:
Blocks: 2144493
TreeView+ depends on / blocked
 
Reported: 2022-11-02 08:42 UTC by Renaud Métrich
Modified: 2025-01-13 23:20 UTC (History)
4 users (show)

Fixed In Version: curl-7.61.1-27.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2144493 (view as bug list)
Environment:
Last Closed: 2023-05-16 09:03:39 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-138051 0 None None None 2022-11-02 08:50:51 UTC
Red Hat Product Errata RHSA-2023:2963 0 None None None 2023-05-16 09:04:04 UTC

Description Renaud Métrich 2022-11-02 08:42:04 UTC 
Description of problem:

In case NTLM doesn't support HTTP2.0, *curl* should automatically fall back to HTTP1.1.
This magic is performed through implementation of the following commit:

https://github.com/curl/curl/commit/cbea2fd2c74feabeb6f13b3e3df243b225b3b3ab:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
NTLM: force the connection to HTTP/1.1
Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces
the capability. However, NTLM authentication only works with HTTP/1.1,
and will likely remain in that boat (for details, see
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported).

When we just found out that we want to use NTLM, and when the current
connection runs in HTTP/2 mode, let's force the connection to be closed
and to be re-opened using HTTP/1.1.

Fixes #3341.
Closes #3345
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Unfortunately backporting this commit to RHEL8's curl didn't show any effect.
Since then, I could see a high number of commits related to this area, so it's likely I missed some of them.
Also I don't have the environment to test myself.

I think having this functionality would greatly enhance the user experience, avoiding the need to force using `--http1.1` option to curl.

Version-Release number of selected component (if applicable):

curl-7.61.1-25

How reproducible:

Always on customer system

Steps to Reproduce:
1. Perform a NTML negociation

$ /usr/bin/curl --negotiate -u : https://SERVER > /dev/null
...
curl: (92) HTTP/2 stream 0 was not closed cleanly: HTTP_1_1_REQUIRED (err 13)

Actual results:


Expected results:

Automatic fallback to HTTP1.1
Comment 18 errata-xmlrpc 2023-05-16 09:03:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: curl security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2963
Comment 19 Daniel Dallos 2025-01-13 23:08:17 UTC 
I'm reopening this bug report because the customer is still seeing the issue:

--------------------------------------------
I've retested using:
# rpm -q curl libcurl
curl-7.61.1-34.el8_10.2.x86_64
libcurl-7.61.1-34.el8_10.2.x86_64

and the issue with POST reported on 2023.01.25 is still present. When executing this command:
$ /bin/curl -H'Content-type: text/plain' --negotiate -u : --data-binary "@/tmp/hostcert-RztIkM5UoQ/host.csr" --output /tmp/hostcert-RztIkM5UoQ/host.p7b --trace /var/tmp/curl.trace -s -S -w "%{http_code}" https://$SIGNING_SERVICE
the trace file still ends with this without sending an HTTP/1.1 request:

== Info: HTTP/2 stream 0 was not closed cleanly: HTTP_1_1_REQUIRED (err 13)
== Info: Forcing HTTP/1.1 for NTLM== Info: stopped the pause stream!
== Info: Connection #0 to host <elided> left intact
Comment 20 Daniel Dallos 2025-01-13 23:20:15 UTC 
Continuing in:

https://issues.redhat.com/browse/RHEL-73788
Note You need to log in before you can comment on or make changes to this bug.