Unknown SSL protocol error in connection to any site through HTTPS #2299
Comments
I can't reproduce that here in Ubuntu. I also tried in Windows using libcurl and each of mbedTLS, OpenSSL, WinSSL and wolfSSL. Is it possible something is intercepting the connection? Can you still reproduce? Do other https requests work?
I don't know how to check it. If you have any suggestion, please share it. This device is connected directly to the provider's coaxial cable and the problem remains the same there. Actually the problem is not new, I have been seeing it for at least a few months, but only now decided to do something about it :) Results of fresh tests:
Windows 10 machine (no problems):
No. Not one HTTPS request works.
#1681 is another report with the same curl on stretch, but that one only affected a single host. On the affected computer use wireshark and set capture filter [1]: GitHub only allows certain file types like zip. Also, before zipping it you may want to remove any sensitive information from the packet capture such as IP/MAC by using TraceWrangler, but disable remove unknown layers.
You can try to do it by this solution
@mrsmallyi, thank you for the suggestion but this solution does not help in my case, the errors are the same. @jay, I was wrong when I said "Not one HTTPS request works". Requests to https://test.com suddenly work. However requests to https://google.com and https://packagist.org still lead to the error. Dumps: dump-curl-test-20180211.zip
Logs of requests:
Successful request (https://packagist.org using wget):
Successful request (https://test.com using curl)
The ClientHello is essentially the same for both the good and the bad connection. For the bad conn to packagist.com there is no reply received to the ClientHello, despite several retransmissions over the next minute. Exactly 1 minute after the ClientHello the client initiates a close FIN, which is what packagist would do without receiving one. Also if you look at the TSecr (timestamp echo reply) the number is from before the ClientHello was sent, meaning it has not received the ClientHello or the retransmissions, since if it had it would send any one of those as the echo reply. I don't know why it's happening but I doubt it has to do with curl. It's possible something curl does may contribute, for example the ClientHello may be seen as too big and rejected by some middleman? Are you in China and maybe some of these hosts are blocked? That doesn't explain why wget isn't affected, or its ClientHello is otherwise different and can get through. Try making the ClientHello smaller by only sending a single cipher, for example here is a cipher which connected you to test.com and also works for me for packagist.com:
Also I'm curious which ClientHello wget is sending that works. |
Nope, I'm in Toronto and in that case it would affect the other hardware in the network. And wget also works...
Yes, it works. But regular requests without the 'cipher' option still do not work. I'm not sure I totally grasp what a cipher is and what I changed using this option. I would very much appreciate it if you could explain it :) Or, do you have any ideas what further actions I can take to solve my issue? Dump: curl-test-packagist-org-cipher-20180212.zip
Please try packagist.com not packagist.org. Sometimes you are referring to one and sometimes the other, and I reviewed packagist.com which is in your first trace.
I made this mistake once, then noticed it, redid the experiments and edited my comment. If you take a look at all my comments you'll see only packagist.org in them. Still, there is no difference in results between any of the hosts of packagist.org and packagist.com.
I did it.
Successful request to https://packagist.com using curl with one cipher:
Successful request to https://packagist.com using wget:
Can I use only the one cipher as a temporary solution? Is it possible to set this option in a config permanently?
Thanks, I downloaded the capture and was unable to reproduce. I extracted the raw ClientHello and sent it like this:
I received a ServerHello in reply. Since I am sending the exact same ClientHello and receiving a reply, I believe there is something on your end interfering with the traffic that prevents the ClientHello from being received by the host. My guess is this has something to do with the size of the ClientHello. Attached are the files I used to reproduce and also a few files where I modified the raw data in the ClientHello to make the length of the data in the padding extension 1, 0, and also to delete the padding extension. In all cases I received a ServerHello in reply. You can try sending the raw data with netcat and monitoring in Wireshark to see if you receive a server reply to any of them. (Note nc option -q90 is wait 90 seconds after sending, probably unnecessary, and the server should terminate after 1 min if no ServerHello.) ClientHello_sent_via_nc__anon.zip It is possible to stop libcurl from requesting that the ClientHello be padded by removing the flag SSL_OP_TLSEXT_PADDING from SSL_OP_ALL:
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 2a6b3cf..94092d0 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2181,6 +2181,9 @@ static CURLcode ossl_connect_step1(struct connectdata *con
ctx_options = SSL_OP_ALL;
+ /* disable polster test */
+ ctx_options &= ~SSL_OP_TLSEXT_PADDING;
+
#ifdef SSL_OP_NO_TICKET
ctx_options |= SSL_OP_NO_TICKET;
#endif
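Review bot: the added `ctx_options &= ~SSL_OP_TLSEXT_PADDING;` is unguarded, while the `SSL_OP_NO_TICKET` use three lines below it sits inside `#ifdef SSL_OP_NO_TICKET`; `SSL_OP_TLSEXT_PADDING` is only defined in OpenSSL releases that carry the padding extension (1.0.1h/1.0.2 and later), so against an older libssl this hunk fails to compile. Wrap it the same way (`#ifdef SSL_OP_TLSEXT_PADDING` / `#endif`) and make the comment name the flag and why it is cleared, since "disable polster test" does not say what is being disabled. As the surrounding discussion says, this is a local debugging build only: clearing the bit removes the RFC 7685 padding that exists as a workaround for servers that mishandle ClientHellos in a certain size range, so it must not become the default.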
I think that would cause more problems than it would solve if you put it in the curlrc. There's no guarantee an arbitrary server that you connect to will accept that cipher. Even that server specifically might stop accepting that cipher.
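The experiment above (rewriting the raw ClientHello so the padding extension carries 1 byte, 0 bytes, or is removed, then replaying it with netcat) is easy to get wrong by hand because three length fields have to be recomputed. The following is an added example, not code from the curl project or from anyone in this thread: it builds a TLS 1.2 ClientHello record, applies the padding rule that this example assumes mirrors OpenSSL's SSL_OP_TLSEXT_PADDING (pad a 256..511-byte handshake message up to 512 bytes with extension type 21, RFC 7685), parses the record back into its extensions, and produces the three variants with record, handshake and extensions lengths fixed up. The hostname, cipher-suite values and zeroed random are constructed placeholders.

```python
"""Added example: build, parse and rewrite the RFC 7685 padding extension of a
TLS ClientHello. Not curl code; all input is constructed."""
import struct

PADDING_EXT = 21       # RFC 7685 extension type
SERVER_NAME_EXT = 0    # RFC 6066, included so the hello has a realistic shape


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def _ext_bytes(exts):
    return b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)


def _wrap(hs_body):
    """Add the 4-byte handshake header and 5-byte TLS record header."""
    handshake = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_client_hello(sni, cipher_suites, tlsext_padding=True):
    """Return a TLS record carrying a TLS 1.2 ClientHello.

    tlsext_padding follows the rule this example assumes OpenSSL applies under
    SSL_OP_TLSEXT_PADDING: if the handshake message (header included) would be
    256..511 bytes, append a padding extension so that it becomes 512 bytes.
    """
    host = sni.encode()
    sni_data = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = [(SERVER_NAME_EXT, sni_data)]
    body = b"\x03\x03" + bytes(32) + b"\x00"           # version, random (zeros: constructed), empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                                 # one compression method: null
    ext_bytes = _ext_bytes(exts)
    total = 4 + len(body) + 2 + len(ext_bytes)          # handshake header + body + ext length field + exts
    if tlsext_padding and 256 <= total <= 511:
        pad_len = max(512 - total - 4, 0)               # 4 bytes go to the padding extension header itself
        exts.append((PADDING_EXT, bytes(pad_len)))
        ext_bytes = _ext_bytes(exts)
    return _wrap(body + struct.pack("!H", len(ext_bytes)) + ext_bytes)


def parse_client_hello(record):
    """Split a ClientHello record into (fixed prefix, [(ext_type, ext_data), ...])."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    off = 9                                   # record header (5) + handshake header (4)
    off += 2 + 32                             # client_version + random
    off += 1 + record[off]                    # session_id
    off += 2 + _u16(record, off)              # cipher_suites
    off += 1 + record[off]                    # compression_methods
    ext_len = _u16(record, off)
    prefix = record[9:off]
    exts, p, end = [], off + 2, off + 2 + ext_len
    while p < end:
        t, l = struct.unpack_from("!HH", record, p)
        exts.append((t, record[p + 4:p + 4 + l]))
        p += 4 + l
    if p != end:
        raise ValueError("extension lengths do not add up")
    return prefix, exts


def padding_length(record):
    """Length of the padding extension's data, or None if the hello has none."""
    for t, d in parse_client_hello(record)[1]:
        if t == PADDING_EXT:
            return len(d)
    return None


def rewrite_padding(record, new_len):
    """Copy of record with the padding extension resized to new_len bytes,
    or removed when new_len is None; all three length fields are recomputed."""
    prefix, exts = parse_client_hello(record)
    out = []
    for t, d in exts:
        if t == PADDING_EXT:
            if new_len is None:
                continue
            d = bytes(new_len)
        out.append((t, d))
    ext_bytes = _ext_bytes(out)
    return _wrap(prefix + struct.pack("!H", len(ext_bytes)) + ext_bytes)


if __name__ == "__main__":
    # Constructed: 100 cipher suites push the hello into the 256..511 byte range.
    hello = build_client_hello("packagist.com", list(range(0xC000, 0xC064)))
    for name, variant in [("original", hello), ("pad=1", rewrite_padding(hello, 1)),
                          ("pad=0", rewrite_padding(hello, 0)), ("no padding", rewrite_padding(hello, None))]:
        print(f"{name:10s} record={len(variant)} bytes padding={padding_length(variant)}")
    # Each variant can then be replayed as jay did, e.g. by writing it to a file and feeding it to nc.
```

The variants are raw record bytes, so the same replay-and-watch-Wireshark procedure from the comment above applies to them unchanged. Because the padding only appears when the message lands in the 256..511 byte window, the single-cipher workaround discussed in the thread works by shrinking the hello out of that window, which is the same effect as clearing the option bit.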
Impressive research @jay! The clienthello padding extension is even documented in RFC 7685 and this RFC says:
So, while this is clearly not a curl bug we can of course discuss whether to add support for this padding option.
@jay, I successfully receive a response for the raw ClientHello packet. However, I still cannot receive a response for the ClientHello sent by curl.
Is it possible for me to apply this patch somehow?
@bagder, I would much appreciate it if you describe what I can do for that. I installed curl by command
Is this the correct sequence? If so, what should I do in step 3?
./configure && make That installs it in /usr/local and you can use that version as a workaround. If you want to repackage curl/libcurl see https://wiki.debian.org/BuildingAPackage#Edit_the_source_code
Experiencing the same in the latest Ubuntu LTS docker image behind an enterprise firewall. wget works while curl fails:
curl --version
We have no reason to believe this is a curl problem. If you have more information that makes you think what you are reporting is different, then please open a new issue.
I'm going to add an item to the TODO about this extension and then move to close this issue.
The padding AFAIK is added by default by the ssl backend when necessary, but the patch here disables that for openssl. Since little is known about why the padding would be triggering the issue, I don't think it's appropriate to add even as an option.
I did this
curl -v https://packagist.org
curl -v --insecure https://packagist.org
I also tried
wget -q -S -O - https://packagist.org
and it works perfectly without any errors. I expected the following
Response from the web.
I received which following
curl/libcurl version
curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2j zlib/1.2.8 nghttp2/1.18.1 librtmp/2.3
operating system