
Unknown SSL protocol error in connection to any site through HTTPS #2299

Closed
Qclanton opened this issue Feb 9, 2018 · 21 comments

Qclanton commented Feb 9, 2018

I did this

curl -v https://packagist.org
curl -v --insecure https://packagist.org

I also tried wget -q -S -O - https://packagist.org and it works perfectly without any errors.

I expected the following

Response from web.

I received the following

* Rebuilt URL to: https://packagist.org/
*   Trying 144.217.203.53...
* TCP_NODELAY set
* Connected to packagist.org (144.217.203.53) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to packagist.org:443
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to packagist.org:443

curl/libcurl version

curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2l zlib/1.2.8 libidn2/0.16 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.7.0 nghttp2/1.18.1 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

operating system

Distributor ID: Debian
Description:    Debian GNU/Linux 9.3 (stretch)
Release:        9.3
Codename:       stretch
jay added the TLS label Feb 10, 2018

jay commented Feb 10, 2018

I can't reproduce that here in Ubuntu. I also tried in Windows using libcurl and each of mbedTLS, OpenSSL, WinSSL and wolfSSL. Is it possible something is intercepting the connection? Can you still reproduce? Do other https requests work?

curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2j zlib/1.2.8 nghttp2/1.18.1 librtmp/2.3
curl 7.54.0 (x86_64-pc-linux-gnu) libcurl/7.54.0 OpenSSL/1.0.2l zlib/1.2.8 nghttp2/1.23.1 librtmp/2.3
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.0.2n zlib/1.2.8 nghttp2/1.30.0 librtmp/2.3


Qclanton commented Feb 10, 2018

Is it possible something is intercepting the connection?

I don't know how to check it. If you have any suggestion, please share it. This machine is connected directly to the provider's coaxial cable and the problem is still there. Actually the problem is not new, I have been observing it for at least a few months but only now decided to do anything with it :)
I also have a couple of other machines (with Windows 10) in the same network and I cannot reproduce the problem from these machines.

Results of fresh tests:
Debian 9 machine (with problems):

curl https://google.com -v --cacert /home/qcl/curl-ca-bundle.crt
* Rebuilt URL to: https://google.com/
*   Trying 172.217.2.174...
* TCP_NODELAY set
* Connected to google.com (172.217.2.174) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /home/qcl/curl-ca-bundle.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to google.com:443
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to google.com:443

Windows 10 machine (no problems):

curl https://google.com -v --cacert C:\curl\curl-ca-bundle.crt
* Rebuilt URL to: https://google.com/
*   Trying 2607:f8b0:400b:808::200e...
* TCP_NODELAY set
* Connected to google.com (2607:f8b0:400b:808::200e) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:\curl\curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=*.google.com
*  start date: Jan 23 13:36:00 2018 GMT
*  expire date: Apr 17 13:36:00 2018 GMT
*  subjectAltName: host "google.com" matched cert's "google.com"
*  issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< Referrer-Policy: no-referrer
< Location: https://www.google.ca/?gfe_rd=cr&dcr=0&ei=T7N-WrKGF4aR8QeJ7oioDA
< Content-Length: 269
< Date: Sat, 10 Feb 2018 08:54:39 GMT
< Alt-Svc: hq=":443"; ma=2592000; quic=51303431; quic=51303339; quic=51303338; quic=51303337; quic=51303335,quic=":443"; ma=2592000; v="41,39,38,37,35"
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.ca/?gfe_rd=cr&amp;dcr=0&amp;ei=T7N-WrKGF4aR8QeJ7oioDA">here</A>.
</BODY></HTML>
* Connection #0 to host google.com left intact

Do other https requests work?

No. Not one HTTPS request works.
If you need any additional info, please tell me. I don't know which information may be helpful in this case.

jay commented Feb 10, 2018

#1681 is another report with the same curl on stretch, but that one only affected a single host.

On the affected computer use wireshark and set capture filter host test.com and then run curl https://test.com. Check to make sure the capture only contains the attempt to connect to test.com. Stop the capture, save it, .zip it [1] and then upload it here.

[1]: GitHub only allows certain file types like zip. Also, before zipping it you may want to remove any sensitive information from the packet capture such as IP/MAC by using TraceWrangler, but disable remove unknown layers.

mrsmallyi commented Feb 11, 2018


Qclanton commented Feb 11, 2018

@mrsmallyi, thank you for the suggestion but this solution does not help in my case, the errors are the same.

@jay, I was wrong when I said "Not one HTTPS request works". Requests to https://test.com suddenly work. However requests to https://google.com and https://packagist.org still lead to the error.
I've captured three dumps: one of them contains a successful request to test.com, another one contains a failed request to packagist.org and the third one contains a successful request to packagist.org using wget.

Dumps: dump-curl-test-20180211.zip

Logs of requests:
Failed request (https://packagist.org using curl):

curl https://packagist.org -v
* Rebuilt URL to: https://packagist.org/
*   Trying 144.217.203.53...
* TCP_NODELAY set
* Connected to packagist.org (144.217.203.53) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to packagist.org:443
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to packagist.org:443

Successful request (https://packagist.org using wget):

wget -S -O - https://packagist.org
--2018-02-11 05:05:01--  https://packagist.org/
Resolving packagist.org (packagist.org)... 144.217.203.53, 2607:5300:60:7113::3
Connecting to packagist.org (packagist.org)|144.217.203.53|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Server: nginx
  Date: Sun, 11 Feb 2018 10:05:01 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Vary: Accept-Encoding
  Set-Cookie: packagist=08pqb21q7i8ev1q6c1ks6auvv3; expires=Sun, 11-Feb-2018 11:05:01 GMT; Max-Age=3600; path=/; secure; HttpOnly
  Cache-Control: private, must-revalidate
  Strict-Transport-Security: max-age=31104000
  pragma: no-cache
  expires: -1
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'self'; block-all-mixed-content; connect-src 'self' *.algolia.net *.algolianet.com; font-src 'self' https://fonts.gstatic.com/; img-src 'self' https://www.gravatar.com/ https://camo.githubusercontent.com/ https://ssl.google-analytics.com/ http://www.google-analytics.com/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net/ https://ssl.google-analytics.com/; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/ https://fonts.googleapis.com/
  X-Content-Security-Policy: default-src 'self'; block-all-mixed-content; connect-src 'self' *.algolia.net *.algolianet.com; font-src 'self' https://fonts.gstatic.com/; img-src 'self' https://www.gravatar.com/ https://camo.githubusercontent.com/ https://ssl.google-analytics.com/ http://www.google-analytics.com/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net/ https://ssl.google-analytics.com/; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/ https://fonts.googleapis.com/
  X-Xss-Protection: 1; mode=block
  Referrer-Policy: strict-origin-when-cross-origin
  X-Content-Type-Options: nosniff
Length: unspecified [text/html]
Saving to: ‘STDOUT’

-                                                      [<=>                                                                                                             ]       0  --.-KB/s               <!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />

        <title>Packagist</title>
        <meta name="description" content="The PHP Package Repository" />
        <meta name="author" content="Jordi Boggiano" />
 ...

Successful request (https://test.com using curl):

curl https://test.com -v
* Rebuilt URL to: https://test.com/
*   Trying 69.172.200.235...
* TCP_NODELAY set
* Connected to test.com (69.172.200.235) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: OU=Domain Control Validated; OU=nsProtect Secure Xpress; CN=www.test.com
*  start date: Jan 15 00:00:00 2017 GMT
*  expire date: Jan 24 23:59:59 2020 GMT
*  subjectAltName: host "test.com" matched cert's "test.com"
*  issuer: C=US; ST=VA; L=Herndon; O=Network Solutions L.L.C.; CN=Network Solutions DV Server CA 2
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: test.com
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.13.4
< Date: Sun, 11 Feb 2018 09:30:04 GMT
< Content-Type: text/html
< Content-Length: 185
< Connection: keep-alive
< Keep-Alive: timeout=20
< Location: https://www.test.com/
< X-DIS-Request-ID: bdf804ffc0cd5ff24958ca932b1457ae
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.13.4</center>
</body>
</html>
* Curl_http_done: called premature == 0
* Connection #0 to host test.com left intact

jay commented Feb 11, 2018

The ClientHello is essentially the same for both the good and the bad connection. For the bad conn to packagist.com there is no reply received to the ClientHello, despite several retransmissions over the next minute. Exactly 1 minute after the ClientHello the server initiates a close FIN, which is what packagist would do without receiving one. Also if you look at the TSecr (timestamp echo reply) the number is from before the ClientHello was sent, meaning it did not receive the ClientHello or the retransmissions, since if it did it could send any one of those as the echo reply.

I don't know why it's happening but I doubt it has to do with curl. It's possible something curl does may contribute, for example the ClientHello may be seen as too big and rejected by some middleman? Are you in China and maybe some of these hosts are blocked? That doesn't explain why wget isn't doing that unless its ClientHello is somehow different and can get through. Try making the ClientHello smaller by only sending a single cipher, for example here is a cipher which connected you to test.com and also works for me for packagist.com:

curl -v --cipher ECDHE-RSA-AES256-GCM-SHA384 https://packagist.com

Also I'm curious which ClientHello wget is sending that works.

Qclanton commented Feb 12, 2018

Are you in China and maybe some of these hosts are blocked?

Nope, I'm in Toronto, and in such a case it would affect the other machines in the same network. And wget also works...

Try making the ClientHello smaller by only sending a single cipher, for example here is a cipher that connected you to test.com and also works for me for packagist.com

Yes, it works. But regular requests without the 'cipher' option still do not work. I'm not sure I totally understand what cipher is and what I changed using this option. I would very much appreciate it if you explained it :) Or, do you have any ideas what further actions I can take to solve my problem?

Dump: curl-test-packagist-org-cipher-20180212.zip
Log:

 curl -v --cipher ECDHE-RSA-AES256-GCM-SHA384 https://packagist.org
* Rebuilt URL to: https://packagist.org/
*   Trying 144.217.203.53...
* TCP_NODELAY set
* Connected to packagist.org (144.217.203.53) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ECDHE-RSA-AES256-GCM-SHA384
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=DE; L=Berlin; O=Packagist Conductors UG (haftungsbeschränkt); CN=packagist.org
*  start date: Jul 12 00:00:00 2017 GMT
*  expire date: Aug 25 12:00:00 2020 GMT
*  subjectAltName: host "packagist.org" matched cert's "packagist.org"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: packagist.org
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Mon, 12 Feb 2018 23:54:45 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Vary: Accept-Encoding
< Vary: Accept-Encoding
< Set-Cookie: packagist=ffdshrd5v45qkjhl28o3un0u93; expires=Tue, 13-Feb-2018 00:54:45 GMT; Max-Age=3600; path=/; secure; HttpOnly
< Cache-Control: private, must-revalidate
< Strict-Transport-Security: max-age=31104000
< pragma: no-cache
< expires: -1
< X-Frame-Options: DENY
< Content-Security-Policy: default-src 'self'; block-all-mixed-content; connect-src 'self' *.algolia.net *.algolianet.com; font-src 'self' https://fonts.gstatic.com/; img-src 'self' https://www.gravatar.com/ https://camo.githubusercontent.com/ https://ssl.google-analytics.com/ http://www.google-analytics.com/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net/ https://ssl.google-analytics.com/; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/ https://fonts.googleapis.com/
< X-Content-Security-Policy: default-src 'self'; block-all-mixed-content; connect-src 'self' *.algolia.net *.algolianet.com; font-src 'self' https://fonts.gstatic.com/; img-src 'self' https://www.gravatar.com/ https://camo.githubusercontent.com/ https://ssl.google-analytics.com/ http://www.google-analytics.com/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net/ https://ssl.google-analytics.com/; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/ https://fonts.googleapis.com/
< X-Xss-Protection: 1; mode=block
< Referrer-Policy: strict-origin-when-cross-origin
< X-Content-Type-Options: nosniff
<
<!DOCTYPE html>


jay commented Feb 13, 2018

Please try packagist.com not packagist.org. Sometimes you are referring to one and sometimes the other and I reviewed packagist.com, which is in your first trace. Monitor host 54.72.156.240 and try both of these:

curl -v --resolve packagist.com:443:54.72.156.240 https://packagist.com
curl -v --cipher ECDHE-RSA-AES256-GCM-SHA384 --resolve packagist.com:443:54.72.156.240 https://packagist.com


Qclanton commented Feb 13, 2018

Please try packagist.com not packagist.org. Sometimes you are referring to one and sometimes the other

I had this mistake once and then I noticed it, redid the experiments and edited my comment. If you take a look at all my comments you'll see only packagist.org in them. Still, there is no difference in results between any of the hosts of both packagist.org and packagist.com.

Monitor host 54.72.156.240 and try both

I did it.
Dumps: curl-test-packagist.com-2018-02-13.zip
Logs:
Unsuccessful regular request to https://packagist.com using curl:

curl -v --resolve packagist.com:443:54.72.156.240 https://packagist.com
* Added packagist.com:443:54.72.156.240 to DNS cache
* Rebuilt URL to: https://packagist.com/
* Hostname packagist.com was found in DNS cache
*   Trying 54.72.156.240...
* TCP_NODELAY set
* Connected to packagist.com (54.72.156.240) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to packagist.com:443
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to packagist.com:443

Successful request to https://packagist.com using curl with one cipher:

curl -v --cipher ECDHE-RSA-AES256-GCM-SHA384 --resolve packagist.com:443:54.72.156.240 https://packagist.com
* Added packagist.com:443:54.72.156.240 to DNS cache
* Rebuilt URL to: https://packagist.com/
* Hostname packagist.com was found in DNS cache
*   Trying 54.72.156.240...
* TCP_NODELAY set
* Connected to packagist.com (54.72.156.240) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ECDHE-RSA-AES256-GCM-SHA384
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=packagist.com
*  start date: Sep 15 00:00:00 2017 GMT
*  expire date: Oct 15 12:00:00 2018 GMT
*  subjectAltName: host "packagist.com" matched cert's "packagist.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ff3708cc00)
> GET / HTTP/1.1
> Host: packagist.com
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< date: Tue, 13 Feb 2018 13:00:11 GMT
< content-type: text/html; charset=UTF-8
< server: nginx
< vary: Accept-Encoding
< set-cookie: PHPSESSID=48692f734925c98ba6c1c011a5d92014; path=/; secure; HttpOnly
< cache-control: no-cache, private
< x-content-type-options: nosniff
< strict-transport-security: max-age=31104000
< x-frame-options: DENY
< content-security-policy: default-src 'self'; block-all-mixed-content; connect-src 'self' https://api.intercom.io https://api-iam.intercom.io https://api-ping.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io https://nexus-long-poller-a.intercom.io https://nexus-long-poller-b.intercom.io wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://uploads.intercomcdn.com https://uploadsintercomusercontent.coms-websocket-b.intercom.io; font-src 'self' fonts.gstatic.com https://js.intercomcdn.com; frame-src api.recurly.com; img-src data: *; media-src https://js.intercomcdn.com; script-src 'self' www.google-analytics.com js.recurly.com https://app.intercom.io https://widget.intercom.io https://js.intercomcdn.com 'unsafe-inline' 'sha256-UCscuFdInH+Tb2zoqU/yYIJdpqP4aF+6hny3ClW5DfU=' 'sha256-1gcjkQmF3vDBHqTK/GCaJKMg/UjNNomsjObGfUSd8GU=' 'sha256-DcokebrOSmWciSX1qQC5mQVZVTuYP7rxG1GdCn4I4Ls='; style-src 'self' fonts.googleapis.com 'unsafe-inline'
< x-content-security-policy: default-src 'self'; block-all-mixed-content; connect-src 'self' https://api.intercom.io https://api-iam.intercom.io https://api-ping.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io https://nexus-long-poller-a.intercom.io https://nexus-long-poller-b.intercom.io wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://uploads.intercomcdn.com https://uploadsintercomusercontent.coms-websocket-b.intercom.io; font-src 'self' fonts.gstatic.com https://js.intercomcdn.com; frame-src api.recurly.com; img-src data: *; media-src https://js.intercomcdn.com; script-src 'self' www.google-analytics.com js.recurly.com https://app.intercom.io https://widget.intercom.io https://js.intercomcdn.com 'unsafe-inline' 'sha256-UCscuFdInH+Tb2zoqU/yYIJdpqP4aF+6hny3ClW5DfU=' 'sha256-1gcjkQmF3vDBHqTK/GCaJKMg/UjNNomsjObGfUSd8GU=' 'sha256-DcokebrOSmWciSX1qQC5mQVZVTuYP7rxG1GdCn4I4Ls='; style-src 'self' fonts.googleapis.com 'unsafe-inline'
< x-xss-protection: 1; mode=block
<
<!DOCTYPE html>
...

Successful request to https://packagist.com using wget:

wget -S -O - https://packagist.com
--2018-02-13 08:09:55--  https://packagist.com/
Resolving packagist.com (packagist.com)... 54.72.156.240, 54.76.37.177, 54.246.163.107
Connecting to packagist.com (packagist.com)|54.72.156.240|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Tue, 13 Feb 2018 13:09:56 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Server: nginx
  Vary: Accept-Encoding
  Set-Cookie: PHPSESSID=4aa182b3aab87262ad0eb05d15070048; path=/; secure; HttpOnly
  Cache-Control: no-cache, private
  X-Content-Type-Options: nosniff
  Strict-Transport-Security: max-age=31104000
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'self'; block-all-mixed-content; connect-src 'self' https://api.intercom.io https://api-iam.intercom.io https://api-ping.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io https://nexus-long-poller-a.intercom.io https://nexus-long-poller-b.intercom.io wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://uploads.intercomcdn.com https://uploadsintercomusercontent.coms-websocket-b.intercom.io; font-src 'self' fonts.gstatic.com https://js.intercomcdn.com; frame-src api.recurly.com; img-src data: *; media-src https://js.intercomcdn.com; script-src 'self' www.google-analytics.com js.recurly.com https://app.intercom.io https://widget.intercom.io https://js.intercomcdn.com 'unsafe-inline' 'sha256-UCscuFdInH+Tb2zoqU/yYIJdpqP4aF+6hny3ClW5DfU=' 'sha256-1gcjkQmF3vDBHqTK/GCaJKMg/UjNNomsjObGfUSd8GU=' 'sha256-DcokebrOSmWciSX1qQC5mQVZVTuYP7rxG1GdCn4I4Ls='; style-src 'self' fonts.googleapis.com 'unsafe-inline'
  X-Content-Security-Policy: default-src 'self'; block-all-mixed-content; connect-src 'self' https://api.intercom.io https://api-iam.intercom.io https://api-ping.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io https://nexus-long-poller-a.intercom.io https://nexus-long-poller-b.intercom.io wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://uploads.intercomcdn.com https://uploadsintercomusercontent.coms-websocket-b.intercom.io; font-src 'self' fonts.gstatic.com https://js.intercomcdn.com; frame-src api.recurly.com; img-src data: *; media-src https://js.intercomcdn.com; script-src 'self' www.google-analytics.com js.recurly.com https://app.intercom.io https://widget.intercom.io https://js.intercomcdn.com 'unsafe-inline' 'sha256-UCscuFdInH+Tb2zoqU/yYIJdpqP4aF+6hny3ClW5DfU=' 'sha256-1gcjkQmF3vDBHqTK/GCaJKMg/UjNNomsjObGfUSd8GU=' 'sha256-DcokebrOSmWciSX1qQC5mQVZVTuYP7rxG1GdCn4I4Ls='; style-src 'self' fonts.googleapis.com 'unsafe-inline'
  X-XSS-Protection: 1; mode=block
Length: unspecified [text/html]
Saving to: ‘STDOUT’

-                                                      [<=>                                                                                                             ]       0  --.-KB/s               <!DOCTYPE html>
...


Qclanton commented Feb 14, 2018

Can I use only the cipher as a temporary solution? Is it possible to set this option in the config permanently?


jay commented Feb 14, 2018

Unsuccessful regular request to https://packagist.com using curl:

Thanks, I downloaded the capture and was unable to reproduce. I extracted the raw ClientHello and sent it like this:

nc -q90 54.72.156.240 443 < curl-test-packagist-com_ClientHello.raw

I received a ServerHello in reply. Since I am sending the exact same ClientHello and receiving a reply I believe there is something on your end interfering with the traffic that prevents the ClientHello from being received by the host. My guess is this has something to do with the size of the ClientHello.

Attached are the files I used to reproduce and also some files where I modified the raw data in the ClientHello to make the length of data in the padding extension 1, 0, and also removed the padding extension. In all cases I received a ServerHello in reply. You can try sending the raw data via netcat and monitoring in Wireshark to see if you receive a server reply to any of them. (Note nc option -q90 is wait 90 seconds after sending, probably unnecessary since the server should terminate after 1 min if no ServerHello.)

ClientHello_sent_via_nc__anon.zip

It is possible to stop libcurl from requesting the ClientHello be padded by removing flag SSL_OP_TLSEXT_PADDING from SSL_OP_ALL:

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 2a6b3cf..94092d0 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2181,6 +2181,9 @@ static CURLcode ossl_connect_step1(struct connectdata *con

   ctx_options = SSL_OP_ALL;

+  /* disable polster test */
+  ctx_options &= ~SSL_OP_TLSEXT_PADDING;
+
 #ifdef SSL_OP_NO_TICKET
   ctx_options |= SSL_OP_NO_TICKET;
 #endif
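Review bot: the new `ctx_options &= ~SSL_OP_TLSEXT_PADDING;` line is unguarded, while the `SSL_OP_NO_TICKET` line right below it shows this file's convention of wrapping version-dependent `SSL_OP_*` flags in `#ifdef`; OpenSSL builds (or forks) that do not define `SSL_OP_TLSEXT_PADDING` will fail to compile here, so wrap it in `#ifdef SSL_OP_TLSEXT_PADDING` / `#endif` like the ticket flag. The comment above it is also garbled and should state what the line does, for example `/* do not add the padding extension to the ClientHello */`. Since this only helps one user's broken network path, and the padding exists to work around a different set of broken middleboxes (RFC 7685), it would be safer as an opt-in setting than as a silent change to the default for every OpenSSL-backed build.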

Can I use only one cipher as a temporary solution? Is it possible to place this option in the config permanently?

I think that would cause more problems than it would solve if you put it in the curlrc. There's no guarantee an arbitrary server that you connect to will accept that cipher. Even that server specifically might stop accepting that cipher.


bagder commented Feb 15, 2018

Impressive research @jay!

Aforementioned clienthello extension extension is balanced documented in RFC 7685 additionally this RFC claims:

As an exemplar, consider a customer that wishes to avoid sending a
ClientHello with a TLSCiphertext.length between 256 and 511 bytes
(inclusive). This suitcase the considered as at least one TLS
implementation is known to hang the connection available such a
ClientHello record is received. The problem I keep getting "fatal: unable to access 'https://wingsuitworldrecord.com/${user}/${repo}.git/': schannel: failed to receive shaking, SSL/TLS connection failed" while hard to push my code to a re...

So, while this is clearly not a curl bug we can of course discuss whether to add support for this padding option.
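
To make the two comments above concrete (the SSL_OP_TLSEXT_PADDING workaround and the RFC 7685 window it relates to), here is an added example, not code from curl or from anyone in this thread. It builds a TLS 1.2 ClientHello record, applies the padding rule the way an OpenSSL 1.0.2 client does when SSL_OP_TLSEXT_PADDING is set (if the ClientHello handshake message is 256 to 511 bytes long, append a padding extension, type 21, so it becomes 512 bytes), and then parses the record back to report which extensions are present and whether the record length falls in the 256..511 window the RFC describes. The hostname is the one from this issue; the 90 cipher suite code points are constructed only to push the message into that window and are not a real cipher list.

```python
"""Build, pad (RFC 7685) and inspect a TLS 1.2 ClientHello record.

Added example for curl issue #2299; not curl's code. The padding rule
mirrors OpenSSL 1.0.2 with SSL_OP_TLSEXT_PADDING set: a ClientHello
handshake message of 256..511 bytes gets a padding extension (type 21)
so that it becomes 512 bytes.
"""
import os
import struct

EXT_SERVER_NAME = 0x0000   # RFC 6066
EXT_ALPN = 0x0010          # RFC 7301
EXT_PADDING = 0x0015       # RFC 7685

# Constructed: 90 two-byte code points used only to make the message large
# enough to land in the 256..511 byte window. Not a real cipher list.
SAMPLE_SUITES = list(range(0xC000, 0xC000 + 90))


def _ext(ext_type, body):
    """Encode one extension: 2-byte type, 2-byte length, body."""
    return struct.pack(">HH", ext_type, len(body)) + body


def sni_extension(hostname):
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name   # name_type host_name
    return _ext(EXT_SERVER_NAME, struct.pack(">H", len(entry)) + entry)


def alpn_extension(protocols):
    lst = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)
    return _ext(EXT_ALPN, struct.pack(">H", len(lst)) + lst)


def build_client_hello(hostname, cipher_suites, pad=True):
    """Return a full TLS record: 5-byte record header + ClientHello message."""
    suites = b"".join(struct.pack(">H", c) for c in cipher_suites)
    exts = sni_extension(hostname) + alpn_extension(["h2", "http/1.1"])

    def body_with(ext_blob):
        return (b"\x03\x03" + os.urandom(32) + b"\x00"   # version, random, no session id
                + struct.pack(">H", len(suites)) + suites
                + b"\x01\x00"                            # one compression method: null
                + struct.pack(">H", len(ext_blob)) + ext_blob)

    body = body_with(exts)
    hlen = 4 + len(body)            # handshake header (type + 3-byte length) + body
    if pad and 256 <= hlen <= 511:
        # Aim for 512 bytes; the extension header itself costs 4 bytes. For
        # 509..511 the padding body is empty and the header alone pushes the
        # message past 511, which is also what OpenSSL does.
        pad_len = max(0, 512 - hlen - 4)
        body = body_with(exts + _ext(EXT_PADDING, bytes(pad_len)))
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a ClientHello record into its lengths, suites and extensions."""
    ctype, _maj, _min, rlen = struct.unpack(">BBBH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if len(hs) != rlen or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    pos = 2 + 32                                   # skip version and random
    pos += 1 + body[pos]                           # session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods
    extensions = []
    if pos < len(body):
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            et, el = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            extensions.append((et, body[pos:pos + el]))
            pos += el
    return {"record_length": rlen, "handshake_body_length": body_len,
            "cipher_suites": suites, "extensions": extensions}


def analyze(record):
    """Add the two facts this issue is about: window membership and padding."""
    info = parse_client_hello(record)
    info["in_problem_window"] = 256 <= info["record_length"] <= 511
    info["has_padding_ext"] = any(t == EXT_PADDING for t, _ in info["extensions"])
    info["padding_length"] = sum(len(b) for t, b in info["extensions"] if t == EXT_PADDING)
    return info


def demo(hostname="packagist.org"):
    """Compare the hello a client sends with and without the padding flag."""
    return {"padded": analyze(build_client_hello(hostname, SAMPLE_SUITES, pad=True)),
            "unpadded": analyze(build_client_hello(hostname, SAMPLE_SUITES, pad=False))}


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["record_length"], [t for t, _ in info["extensions"]],
              "in 256..511:", info["in_problem_window"])
```

With the constructed suite list the unpadded hello is a 265-byte record (inside the window the RFC talks about) and the padded one is exactly 512 bytes with extension 21 carrying 243 zero bytes. A ClientHello captured from curl with Wireshark can be fed to analyze() the same way (cut it to the single TLS record first) to confirm whether the padding extension is present and how long it is, which is the comparison the dumps in this thread are about.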

@Qclanton
Author

@jay, I successfully receive response for raw ClientHello packet. However, I still cannot receive response for ClientHello sent by curl.
Dumps: curl-raw-ClientHello.zip

It is possible to stop libcurl from requesting the ClientHello be padded by removing flag

Is it possible for me to implement this patch somehow?

@bagder
Member

bagder commented Mar 5, 2018

Yes, @jay's comment contains a patch you could apply.

@bagder bagder removed the needs-info label Mar 5, 2018
@Qclanton
Author

Qclanton commented Mar 5, 2018

@bagder, I would much appreciate if you describe what I can do for that. I installed curl by command apt-get install curl. If I understand right, I have to do the next steps:

  1. Download sources.
  2. Apply fix (https://www.thegeekstuff.com/2014/12/patch-command-examples).
  3. Compile library (how?).
  4. Replace installed library with compiled one.

Is this correct sequence? If it is so, what should I do on the step 3?

@jay
Member

Compile library (how?).

./configure && make

That installs it in /usr/local and you can use that version as a workaround. If you want to repackage curl/libcurl see https://wiki.debian.org/BuildingAPackage#Edit_the_source_code

@qiangli

qiangli commented Apr 16, 2018

Experiencing the same in latest Jenkins LTS docker image behind an enterprise firewall. wget works but curl fails:

jenkins@501c9ac248ea:/tmp$ curl -v --insecure https://google.com
* Rebuilt URL to: https://google.com/
*   Trying x.x.x.x...
* TCP_NODELAY set
* Connected to (nil) (x.x.x.x) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: none  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to x.x.x.x:8080
* Curl_http_done: called premature == 0
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to x.x.x.x:8080

jenkins@501c9ac248ea:/tmp$ wget -v --no-check-certificate https://google.com
--2018-04-16 19:09:59--  https://google.com/
Connecting to x.x.x.x:8080... connected.
WARNING: The certificate of ‘google.com’ is not trusted.
WARNING: The certificate of ‘google.com’ hasn't got a known issuer.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: https://www.google.com/ [following]
--2018-04-16 19:09:59--  https://www.google.com/
Connecting to x.x.x.x:8080... connected.
WARNING: The certificate of ‘www.google.com’ is not trusted.
WARNING: The certificate of ‘www.google.com’ hasn't got a known issuer.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                                                 [ <=>                                                                                                                         ]  10.42K  --.-KB/s    in 0.07s

2018-04-16 19:10:00 (151 KB/s) - ‘index.html’ saved [10672]

@qiangli

qiangli commented Apr 16, 2018

curl --version
curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2l zlib/1.2.8 libidn2/0.16 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.7.0 nghttp2/1.18.1 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

@jay
Member

jay commented Apr 17, 2018

We have no reason to believe this is a curl issue. If you have more information that makes you think what you are reporting is different then please open a new issue.

@bagder
Member

bagder commented Apr 29, 2018

I'm going to add an item to the TODO about this extension and then move to close this issue.

@jay
Member

jay commented Apr 30, 2018

The padding AFAIK is added by default by the ssl backend when necessary but the patch here disables that for openssl. Since little is known about why the padding would be triggering the issue I don't think it's appropriate to add even as an option.

@lock lock bot locked as resolved and limited conversation to collaborators Jul 29, 2018

No branches or pull requests

5 participants