Package: curl
Version: 7.18.2-8lenny2
Severity: important

When trying to access a tomcat5.5 server running ssl with curl,
I get the following error:

* About to connect() to so-much-for-subtlety.permabit.com port 443 (#0)
*   Trying 10.95.208.30... connected
* Connected to so-much-for-subtlety.permabit.com (10.95.208.30) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  * error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
  * Closing connection #0

If I add the --sslv3 flag then everything works:
* About to connect() to so-much-for-subtlety.permabit.com port 443 (#0)
*   Trying 10.95.208.30... connected
* Connected to so-much-for-subtlety.permabit.com (10.95.208.30) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS handshake, Server key exchange (12):
  * SSLv3, TLS handshake, Server finished (14):
  * SSLv3, TLS handshake, Client key exchange (16):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSL connection using DHE-RSA-AES256-SHA
  * Server certificate:
  *        subject: /C=US/ST=Massachusetts/L=Cambridge/O=Permabit Technology Corp./OU=Ops/CN=so-much-for-subtlety.permabit.com
  *        start date: 2009-06-12 18:49:22 GMT
  *        expire date: 2009-06-15 18:49:22 GMT
  *        common name: so-much-for-subtlety.permabit.com (matched)
  *        issuer: /C=US/ST=Massachusetts/L=Cambridge/O=Permabit Technology Corp./CN=Permabit Testing CA
  * SSL certificate verify ok.
  * Server auth using Basic with user '*********'
  > GET /autosupport/validatecredentials HTTP/1.1
  > Authorization: Basic ***************
  > User-Agent: curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8 libssh2/0.18
  > Host: so-much-for-subtlety.permabit.com
  > Accept: */*
  >
  < HTTP/1.1 200 OK
  < Server: Apache-Coyote/1.1
  < Pragma: No-cache
  < Cache-Control: no-cache
  < Expires: Wed, 31 Dec 1969 19:00:00 EST
  < Content-Type: text/plain;charset=ISO-8859-1
  < Content-Length: 7
  < Date: Fri, 12 Jun 2009 19:11:06 GMT
  <
  VALID
  * Connection #0 to host so-much-for-subtlety.permabit.com left intact
  * Closing connection #0
  * SSLv3, TLS alert, Client hello (1):

This seems to be a regression because on Etch, everything works without
the --sslv3 flag.  However, it also seems to be an interaction with
tomcat5.5 because things work fine when the server is running etch with
tomcat4, so this might be a Tomcat bug.

My server.xml files on both servers are pretty stock:

    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/autosupport/server.keystore"
               keystorePass="******" />

and

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" proxyPort="443"
               acceptCount="100" debug="0" scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
        <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
                 clientAuth="false" protocol="SSL" algorithm= "IbmX509"
                 keystoreFile="/etc/autosupport/server.keystore" keystorePass="permeon" />
    </Connector>


The versions of Tomcat are:
ii  tomcat5.5      5.5.26-5       Servlet and JSP engine
ii  tomcat4        4.1.29-1       Java Servlet 2.3 engine with JSP 1.2 support


The version of curl in Etch is:
ii  curl           7.15.5-1etch2  Get a file from an HTTP, HTTPS, FTP or GOPHER server
ii  libcurl3       7.15.5-1etch2  Multi-protocol file transfer library


-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (1000, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686-bigmem (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages curl depends on:
ii  libc6                  2.7-18            GNU C Library: Shared libraries
ii  libcurl3               7.18.2-8lenny2    Multi-protocol file transfer libra
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

curl recommends no packages.

curl suggests no packages.

-- no debconf information
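
An added example, not part of the original report: decoding the OpenSSL error code in the failing trace shows that reason 1010 means the server answered the client hello with TLS alert 10 (unexpected_message). The function names decode_error and diagnose are this example's own, and the bit layout assumed is that of OpenSSL releases before 3.0, such as the 0.9.8g named in the report.

```python
import re

# OpenSSL before 3.0 packs an error as (lib << 24) | (func << 12) | reason.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons 1000+N mean "peer sent alert N"
# Alert descriptions from the SSLv3/TLS specifications (subset).
ALERTS = {10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 47: "illegal_parameter",
          70: "protocol_version", 80: "internal_error"}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")
MSG_RE = re.compile(r"^\s*\*\s+(\S+), TLS ([a-z ]+), (.+?) \((\d+)\):")


def decode_error(line):
    """Split an 'error:XXXXXXXX:lib:func:reason' string into its fields."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and 0 <= reason - SSL_AD_REASON_OFFSET <= 255:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason,
            "func_name": m.group(3), "alert": alert,
            "alert_name": ALERTS.get(alert)}


def diagnose(log):
    """Return the handshake messages curl logged and the decoded failure."""
    seen, error = [], None
    for line in log.splitlines():
        m = MSG_RE.match(line)
        if m:
            seen.append((m.group(2), m.group(3)))
        elif error is None:
            error = decode_error(line)
    return {"messages": seen, "error": error}


# Tail of the failing trace from the report, wrapped error line rejoined.
FAILING = """\
  * SSLv3, TLS handshake, Client hello (1):
  * error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
  * Closing connection #0
"""

if __name__ == "__main__":
    print(diagnose(FAILING))
```

The decoded result shows a single client hello followed by a fatal alert from the peer, so the rejection happens on the server side before any server hello is sent.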


