Description of problem:
I cannot submit a bug to bugzilla. ABRT says:

--- Running report_Bugzilla ---
Logging into Bugzilla at https://bugzilla.redhat.com
fatal: XML-RPC(-504): libcurl failed to execute the HTTP POST transaction, explaining: SSL connect error
(exited with 1)

Version-Release number of selected component (if applicable):
abrt-2.0.7-4.fc17.x86_64
libcurl-7.24.0-1.fc17.x86_64

How reproducible:
100% (I tried 3 times, same error each time)

Steps to Reproduce:
1. Try to submit an ABRT bug to bugzilla.
2.
3.

Very likely an nss or curl problem: using 'xmlrpc' from http://koji.fedoraproject.org/koji/buildinfo?buildID=322409 gives with nss-3.13.4-3.fc17.x86_64, curl-7.24.0-2.fc17.x86_64:

----
$ XMLRPC_TRACE_CURL=1 xmlrpc https://bugzilla.redhat.com/ x
* About to connect() to proxy www-cache port 3128 (#0)
* Trying 192.168.8.193...
* Connected to www-cache (192.168.8.193) port 3128 (#0)
* Connected to www-cache (192.168.8.193) port 3128 (#0)
* Establish HTTP proxy tunnel to bugzilla.redhat.com:443
> CONNECT bugzilla.redhat.com:443 HTTP/1.1
Host: bugzilla.redhat.com:443
Proxy-Connection: Keep-Alive
Content-Type: text/xml
User-Agent: Xmlrpc-c/1.29.3 Curl/7.24.0

< HTTP/1.0 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=bugzilla.redhat.com,OU=Information Technology,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US,serialNumber=bcTlha1YkNcz9-M0vAzRilv01xaCkiRQ
* start date: Jan 31 18:26:47 2011 GMT
* expire date: Mar 04 23:43:36 2013 GMT
* common name: bugzilla.redhat.com
* issuer: CN=GeoTrust SSL CA,O="GeoTrust, Inc.",C=US
* CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
* NSS error -12250 (SSL_ERROR_RX_MALFORMED_ALERT)
* Closing connection #0
---

The second CAfile/CApath line (which does not appear in plain curl -v https://bugzilla.redhat.com/ ) indicates that some TLS renegotiation or the like is happening.

Same xmlrpc-c on a RHEL6.2 machine (nss-3.13.1-7.el6_2.i686, curl-7.19.7-26.el6_1.2.x86_64):

---
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: /etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=bugzilla.redhat.com,OU=Information Technology,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US,serialNumber=bcTlha1YkNcz9-M0vAzRilv01xaCkiRQ
* start date: Jan 31 18:26:47 2011 GMT
* expire date: Mar 04 23:43:36 2013 GMT
* common name: bugzilla.redhat.com
* issuer: CN=GeoTrust SSL CA,O="GeoTrust, Inc.",C=US
* Connected to www-cache (192.168.8.193) port 3128 (#0)
> POST / HTTP/1.1
Host: bugzilla.redhat.com
Accept: */*
Content-Type: text/xml
User-Agent: Xmlrpc-c/1.29.3 Curl/7.19.7
---

Reassigning to curl because this seems to happen only when communication goes through a proxy:

| $ https_proxy= MALLOC_PERTURB_= XMLRPC_TRACE_CURL=1 ./xmlrpc https://www.google.com x
|
| * About to connect() to www.google.com port 443 (#0)
| * Trying 173.194.69.103...
| ...
| * issuer: CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA
| > POST / HTTP/1.1
| Host: www.google.com

| $ https_proxy=http://www-cache:3128 MALLOC_PERTURB_= XMLRPC_TRACE_CURL=1 ./xmlrpc https://www.google.com x
| * About to connect() to proxy www-cache port 3128 (#0)
| * Trying 192.168.8.193...
| ...
| * issuer: CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA
| * NSS error -12250 (SSL_ERROR_RX_MALFORMED_ALERT)

minimal example:

----
#include <curl/curl.h>

int main(int argc, char *argv[])
{
    CURL *e = curl_easy_init();
    CURLM *m = curl_multi_init();
    int r;  /* number of transfers still running */

    curl_easy_setopt(e, CURLOPT_URL, argv[1]);
    curl_easy_setopt(e, CURLOPT_VERBOSE, 1L);

    /* drive the transfer through the multi interface */
    curl_multi_add_handle(m, e);
    do {
        curl_multi_perform(m, &r);
    } while (r > 0);

    return r;
}
----

Thanks for the reproducer! It looks like curl tries to initiate an SSL handshake on a socket with an already established SSL connection. git-bisect points to the following commit: https://github.com/bagder/curl/commit/3c18b38
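
Added example, not part of the original comments and not code from curl or xmlrpc-c: a small triage script that scans a libcurl verbose trace for the symptom discussed above, a second "CAfile:" TLS setup line on a connection that has already logged "SSL connection using". The two traces are constructed, abridged samples in the shape of the output quoted in this report, and treating the repeated CAfile line as the marker is an assumption taken from the reporter's observation.

```python
import re

# Constructed sample traces, abridged from the shape of the output quoted in this report.
BROKEN_TRACE = """\
* About to connect() to proxy www-cache port 3128 (#0)
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
* NSS error -12250 (SSL_ERROR_RX_MALFORMED_ALERT)
* Closing connection #0
"""
GOOD_TRACE = """\
* About to connect() to proxy www-cache port 3128 (#0)
* Proxy replied OK to CONNECT request
* CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
> POST / HTTP/1.1
"""

CONNECT = re.compile(r"^\* About to connect\(\) to .* \(#(\d+)\)")
TLS_SETUP = re.compile(r"^\* +CAfile: ")   # assumed marker: logged when TLS setup starts
TLS_DONE = re.compile(r"^\* SSL connection using (\S+)")
NSS_ERROR = re.compile(r"^\* NSS error (-?\d+)(?: \((\w+)\))?")


def find_repeated_handshakes(trace):
    """Return one finding per connection where TLS setup restarts after the handshake completed."""
    findings, conn, established, current = [], None, False, None
    for lineno, line in enumerate(trace.splitlines(), 1):
        m = CONNECT.match(line)
        if m:  # new connection: reset per-connection state
            conn, established, current = int(m.group(1)), False, None
            continue
        if TLS_DONE.match(line):
            established = True
        elif TLS_SETUP.match(line) and established and current is None:
            current = {"conn": conn, "line": lineno, "nss_error": None}
            findings.append(current)
        else:
            m = NSS_ERROR.match(line)
            if m and current is not None and current["nss_error"] is None:
                current["nss_error"] = (int(m.group(1)), m.group(2))
    return findings
```
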
I have pushed a fix upstream: https://github.com/bagder/curl/commit/68857e4
fixed in curl-7.26.0-3.fc18
sorry, I meant curl-7.26.0-4.fc18
curl-7.24.0-4.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/curl-7.24.0-4.fc17
Package curl-7.24.0-4.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing curl-7.24.0-4.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9214/curl-7.24.0-4.fc17
then log in and leave karma (feedback).
curl-7.24.0-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.