Bug 525496 - Unable to open some https urls, NSS error -12226
Summary: Unable to open some https urls, NSS error -12226
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: curl
Version: 11
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Kamil Dudka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-09-24 15:16 UTC by Jan ONDREJ
Modified: 2009-12-18 04:21 UTC (History)

Fixed In Version: 7.19.7-2.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-18 04:18:04 UTC



Description Jan ONDREJ 2009-09-24 15:16:59 UTC
Description of problem:
Some pages cannot be opened with curl compiled with nss.
Same problem described here:
  http://curl.haxx.se/mail/curlphp-2008-10/0002.html

Version-Release number of selected component (if applicable):
curl-7.19.6-1.fc11.i586
curl-7.19.6-1.fc10.i386

How reproducible:
always

Steps to Reproduce:
1. curl -v https://www.orange.sk/
  
Actual results:
* About to connect() to www.orange.sk port 443 (#0)
*   Trying 213.151.200.57... connected
* Connected to www.orange.sk (213.151.200.57) port 443 (#0)
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12226
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

Expected results:
no error, open url

Additional info:
The mail above says that recompilation with OpenSSL works.

Comment 1 Kamil Dudka 2009-09-24 15:40:57 UTC
Thanks for your report!

> Description of problem:
> Some pages cannot be opened with curl compiled with nss.

It looks like a server problem to me.

> Same problem described here:
>   http://curl.haxx.se/mail/curlphp-2008-10/0002.html

It doesn't point to any libcurl or NSS bug.

> Steps to Reproduce:
> 1. curl -v https://www.orange.sk/

You are asking for a secure connection (default).

> Actual results:
> * About to connect() to www.orange.sk port 443 (#0)
> *   Trying 213.151.200.57... connected
> * Connected to www.orange.sk (213.151.200.57) port 443 (#0)
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * NSS error -12226

"SSL peer rejected a handshake message for unacceptable content."

> Expected results:
> no error, open url

Which other clients have you tried to connect with?

> Additional info:
> Mail from above says, that recompilation with openssl works.  

It doesn't, at least for me:
$ curl --version
curl 7.19.6 (x86_64-redhat-linux-gnu) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3 libidn/1.9 libssh2/1.2
Protocols: tftp ftp telnet dict ldap http file https ftps scp sftp
Features: IDN IPv6 Largefile NTLM SSL libz

$ curl -v https://www.orange.sk/
* About to connect() to www.orange.sk port 443 (#0)
*   Trying 213.151.200.57... connected
* Connected to www.orange.sk (213.151.200.57) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter
* Closing connection #0
curl: (35) error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter

Should I improve the error message for you (to be similar to the OpenSSL one)?
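The NSS message and the OpenSSL "sslv3 alert illegal parameter" above describe the same wire-level event: the server answered the client hello with a fatal illegal_parameter (47) alert. The following added example (not code from the bug report, curl or NSS) decodes a constructed alert record, extracts the alert description from the packed OpenSSL code 0x14077417, and maps the NSS code -12226 to the same value; the NSS error-code table and the OpenSSL reason offset are assumptions taken from those libraries' headers, not from this page.

```python
import struct

TLS_CONTENT_ALERT = 21           # TLS record content type for alerts
OPENSSL_AD_REASON_OFFSET = 1000  # OpenSSL reason = 1000 + alert description

# Alert description codes from the TLS alert registry.
ALERT_NAMES = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
               40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}

# Assumed from NSS sslerr.h: a received alert is reported as an error code;
# -12226 is the code in this report (SSL_ERROR_ILLEGAL_PARAMETER_ALERT).
NSS_ALERT_ERRORS = {-12227: 40,   # SSL_ERROR_HANDSHAKE_FAILURE_ALERT
                    -12226: 47}   # SSL_ERROR_ILLEGAL_PARAMETER_ALERT

def parse_alert_record(data: bytes) -> dict:
    """Decode one TLS alert record: 5-byte record header + 2-byte alert body."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype != TLS_CONTENT_ALERT:
        raise ValueError(f"not an alert record (content type {ctype})")
    if length != 2 or len(data) < 7:
        raise ValueError("malformed alert body")
    level, desc = data[5], data[6]
    return {"version": (major, minor), "fatal": level == 2,
            "description": desc, "name": ALERT_NAMES.get(desc, "unknown")}

def openssl_alert_from_error(code: int):
    """Alert description folded into a packed OpenSSL error code such as
    0x14077417 (SSL23_GET_SERVER_HELLO), or None if the reason is not an alert."""
    reason = code & 0xFFF
    if OPENSSL_AD_REASON_OFFSET <= reason < OPENSSL_AD_REASON_OFFSET + 256:
        return reason - OPENSSL_AD_REASON_OFFSET
    return None

def same_alert(nss_code: int, openssl_code: int, record: bytes) -> bool:
    """True when the NSS code, the OpenSSL code and the raw record all name
    the same alert description, i.e. the same server-side rejection."""
    desc = parse_alert_record(record)["description"]
    return NSS_ALERT_ERRORS.get(nss_code) == desc == openssl_alert_from_error(openssl_code)

# Constructed sample: a fatal (2) illegal_parameter (47) alert in a TLS 1.0 record.
SAMPLE_ALERT = bytes.fromhex("15 03 01 00 02 02 2f")

if __name__ == "__main__":
    print(parse_alert_record(SAMPLE_ALERT))
    print(same_alert(-12226, 0x14077417, SAMPLE_ALERT))  # True
```

Feed `parse_alert_record` the first record a server sends back after the client hello (for example from a packet capture) to see whether a failing host is rejecting the hello itself rather than the certificate.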

Comment 2 Jan ONDREJ 2009-09-24 17:52:45 UTC
(In reply to comment #1)
> > Actual results:
> > * About to connect() to www.orange.sk port 443 (#0)
> > *   Trying 213.151.200.57... connected
> > * Connected to www.orange.sk (213.151.200.57) port 443 (#0)
> > *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >   CApath: none
> > * NSS error -12226
> 
> "SSL peer rejected a handshake message for unacceptable content."
> 
> > Expected results:
> > no error, open url
> 
> Which other clients have you tried to connect with?

For example, Firefox displays the correct page.
Curiously, wget can't connect either.

> Should I improve the error message for you (to be similar to the OpenSSL one)?

Maybe it would be useful for others too.

Comment 3 Kamil Dudka 2009-09-24 20:40:58 UTC
Then maybe a bug in Firefox ... or just lower security requirements?

Firefox/xulrunner use NSS for SSL, too. So it should be possible to make libcurl behave equally in case we consider this behavior harmless. I need to test it with Firefox myself first and analyze what exactly differs.

Do you have some statistics how many websites are affected by the issue? Have you tried to contact the webmaster and ask some technical details about the server?

As for the error message improvement, I think it *is* useful. We are working on the NSS support with some hackers from libcurl upstream in our spare time. The NSS error message reporting is one of the things we want to make better in the near future. Feel free to come up with other ideas on how to improve the NSS support.

Comment 4 Jan ONDREJ 2009-09-29 08:23:45 UTC
(In reply to comment #3)
> Do you have some statistics how many websites are affected by the issue?

No. I know about only 2 servers: www.orange.sk and the server reported on the curl mailing list.
Curiously, www.orangeporta.sk says that the certificate cannot be authenticated, but www.orange.sk (same organization) raises an error.

> Have
> you tried to contact the webmaster and ask some technical details about the
> server?

No, I don't know who the proper contact is for an organization as large as Orange.

Comment 5 Kamil Dudka 2009-09-29 11:35:12 UTC
The whois utility knows:

$ whois orange.sk | grep @
Admin-email         hostmaster@orangemail.sk
Tech-email          hostmaster@orangemail.sk

I think the webmaster might be interested in fixing the issue as it does not seem to be Fedora (nor Linux) specific. I haven't had time to investigate it further. Leave a note here if you have some new info.

As for the NSS error messages, the bug 526121 seems to be related. You can vote for it ;-)

Comment 6 Kamil Dudka 2009-10-07 19:10:50 UTC
While investigating bug 527771 I realized what's different between curl and FF. Could you please try it with the option --sslv3? Thanks in advance!

Comment 7 Kamil Dudka 2009-10-07 20:14:01 UTC
A scratch build is ready for testing:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1733961

It should work with or without the --sslv3 option. Please test it ASAP so that I can request freeze override for F-12.

Comment 8 Jan ONDREJ 2009-10-08 10:01:18 UTC
(In reply to comment #6)
> While investigating bug 527771 I realized what's different among curl and FF.
> Could you please try it with the option --sslv3? Thanks in advance!  

With -3 or --sslv3 I can open my problematic page.

(In reply to comment #7)
> A scratch build is ready for testing:
> http://koji.fedoraproject.org/koji/taskinfo?taskID=1733961
> 
> It should work with or without the --sslv3 option. Please test it ASAP so that

Yes, this works also with or without --sslv3. Nice work. Thank you.

> I can request freeze override for F-12.  

I think it's enough to put this to F-12 updates.

Comment 9 Kamil Dudka 2009-10-08 10:23:57 UTC
Thanks for testing it! Unfortunately there are still some open questions about the patch which prevent it from getting into dist-f12. You can follow the thread on the upstream mailing list:

http://curl.haxx.se/mail/lib-2009-10/0080.html

Comment 10 Kamil Dudka 2009-10-14 19:07:05 UTC
patch ready for review:

http://permalink.gmane.org/gmane.comp.web.curl.library/25440

Comment 11 Kamil Dudka 2009-11-04 23:20:50 UTC
a new version of the patch:

http://permalink.gmane.org/gmane.comp.web.curl.library/25687

Comment 12 Kamil Dudka 2009-11-05 22:21:30 UTC
fixed in curl-7.19.7-2.fc13 for now

As a long-term solution Kaspar Brand has raised the issue at mozilla.org:

https://bugzilla.mozilla.org/show_bug.cgi?id=526806

Comment 13 Fedora Update System 2009-11-26 19:33:14 UTC
curl-7.19.7-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/curl-7.19.7-3.fc11

Comment 14 Fedora Update System 2009-11-26 19:33:27 UTC
curl-7.19.7-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/curl-7.19.7-2.fc12

Comment 15 Fedora Update System 2009-11-27 21:44:07 UTC
curl-7.19.7-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update curl'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12235

Comment 16 Fedora Update System 2009-11-27 21:49:00 UTC
curl-7.19.7-3.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update curl'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-12245

Comment 17 Fedora Update System 2009-12-01 04:21:08 UTC
curl-7.19.7-3.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update curl'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-12245

Comment 18 Fedora Update System 2009-12-01 04:36:26 UTC
curl-7.19.7-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update curl'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12235

Comment 19 Fedora Update System 2009-12-18 04:17:44 UTC
curl-7.19.7-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2009-12-18 04:20:57 UTC
curl-7.19.7-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

