On Thu October 8 2009 01:50:30 Peter Sylvester wrote:
> firefox doesn't use ssl v2 anymore. I remember 5 years ago,
> there was even a bug in mozilla. Even when turning off v2
> the compatible client hello was sent. The tests of which
> ssl versions are enabled were badly combined to
> find out which hello should be sent.
> 
> I don't know whether this ever got fixed.

I've traced the working Firefox on the same URL (full trace attached).

The scenario was as follows:

1) it tried to connect with:
  enableSSL2 = 0,
  enableSSL3 = 1,
  enableTLS = 1,
  v2CompatibleHello = 0,

2) then it tried to connect with:
  enableSSL2 = 0,
  enableSSL3 = 1,
  enableTLS = 0,
  v2CompatibleHello = 1,

It looks like a sort of workaround for some buggy servers to me; I have not
yet looked at the source code. Maybe we want to dig it out of Firefox and put
it into libcurl. Any ideas?

Kamil

$ firefox -g https://tcs.mysap.com/invoke/tc/getCert?SAPServerCA.der
MOZILLA_FIVE_HOME=/usr/lib64/firefox-3.5.3
  LD_LIBRARY_PATH=/usr/lib64/firefox-3.5.3:/usr/lib64/firefox-3.5.3/plugins:/usr/lib64/firefox-3.5.3
          DISPLAY=:0.0
  FONTCONFIG_PATH=/etc/fonts:/usr/lib64/firefox-3.5.3/res/Xft
DYLD_LIBRARY_PATH=/usr/lib64/firefox-3.5.3:/usr/lib64/firefox-3.5.3
     LIBRARY_PATH=/usr/lib64/firefox-3.5.3:/usr/lib64/firefox-3.5.3/components:/usr/lib64/firefox-3.5.3
       SHLIB_PATH=/usr/lib64/firefox-3.5.3:/usr/lib64/firefox-3.5.3
          LIBPATH=/usr/lib64/firefox-3.5.3:/usr/lib64/firefox-3.5.3
       ADDON_PATH=/usr/lib64/firefox-3.5.3
      MOZ_PROGRAM=/usr/lib64/firefox-3.5.3/firefox
      MOZ_TOOLKIT=
        moz_debug=1
     moz_debugger=
which: no ddd in (/home/xdudka00/bin:/home/xdudka00/bin:/usr/lib64/qt-3.3/bin:/usr/kerberos/bin:/usr/lib64/ccache:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/xdudka00/bin)
/usr/bin/gdb /usr/lib64/firefox-3.5.3/firefox -x /tmp/mozargs.WerGml
GNU gdb (GDB) Fedora (6.8.50.20090302-38.fc11)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
(gdb) b ssl2_BeginClientHandshake
Function "ssl2_BeginClientHandshake" not defined.
Breakpoint 1 (ssl2_BeginClientHandshake) pending.
(gdb) r
[Thread debugging using libthread_db enabled]
[New Thread 0x7f312aaf0910 (LWP 31510)]
[New Thread 0x7f3129cff910 (LWP 31511)]
[New Thread 0x7f31289ff910 (LWP 31512)]
[New Thread 0x7f3127abd910 (LWP 31513)]
[New Thread 0x7f3126aff910 (LWP 31514)]
[New Thread 0x7f3125efe910 (LWP 31515)]
[New Thread 0x7f31251ff910 (LWP 31516)]
[Thread 0x7f3126aff910 (LWP 31514) exited]
[Thread 0x7f3125efe910 (LWP 31515) exited]
[New Thread 0x7f31247fe910 (LWP 31517)]
[Thread 0x7f31251ff910 (LWP 31516) exited]
[Thread 0x7f3127abd910 (LWP 31513) exited]
[New Thread 0x7f3125efe910 (LWP 31518)]
[New Thread 0x7f3126aff910 (LWP 31519)]
[New Thread 0x7f31251ff910 (LWP 31520)]
[New Thread 0x7f311a9c9910 (LWP 31521)]
[New Thread 0x7f3119dff910 (LWP 31522)]
[Thread 0x7f3119dff910 (LWP 31522) exited]
[Switching to Thread 0x7f3125efe910 (LWP 31518)]

Breakpoint 1, ssl2_BeginClientHandshake (ss=0x7f3119e4c000) at sslcon.c:3000
3000    {                                                                   
Current language:  auto; currently c                                        
(gdb) print ss->url                                                         
$1 = 0x7f3119e217d0 "tcs.mysap.com"                                         
(gdb) print ss->opt                                                         
$2 = {                                                                      
  useSecurity = 1,                                                          
  useSocks = 0,
  requestCertificate = 0,
  requireCertificate = 2,
  handshakeAsClient = 1,
  handshakeAsServer = 0,
  enableSSL2 = 0,
  enableSSL3 = 1,
  enableTLS = 1,
  noCache = 0,
  fdx = 0,
  v2CompatibleHello = 0,
  detectRollBack = 1,
  noStepDown = 0,
  bypassPKCS11 = 0,
  noLocks = 0,
  enableSessionTickets = 1
}
(gdb) c

Breakpoint 1, ssl2_BeginClientHandshake (ss=0x7f3119e4c000) at sslcon.c:3000
3000    {
(gdb) print ss->url
$3 = 0x7f3119e217c0 "tcs.mysap.com"
(gdb) print ss->opt
$4 = {
  useSecurity = 1,
  useSocks = 0,
  requestCertificate = 0,
  requireCertificate = 2,
  handshakeAsClient = 1,
  handshakeAsServer = 0,
  enableSSL2 = 0,
  enableSSL3 = 1,
  enableTLS = 0,
  noCache = 0,
  fdx = 0,
  v2CompatibleHello = 1,
  detectRollBack = 1,
  noStepDown = 0,
  bypassPKCS11 = 0,
  noLocks = 0,
  enableSessionTickets = 1
}
(gdb) c

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
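
The two attempts in the trace above differ on the wire: with v2CompatibleHello = 0 the hello travels in an SSLv3/TLS record, with v2CompatibleHello = 1 it travels in an SSLv2-format record. The following is an added example, not part of the original message and not NSS or libcurl code, showing how a monitor could recognise that retry pattern; the function names and the byte samples are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hello_format { HELLO_UNKNOWN, HELLO_V2_COMPAT, HELLO_V3_RECORD };
struct hello_info { enum hello_format format; uint16_t offered_version; };

/* Constructed samples (not taken from the trace): first bytes of each hello. */
/* TLS record: type 22, handshake type 1, client_version 0x0301 (TLS 1.0). */
static const uint8_t sample_tls[] = {0x16,0x03,0x01,0x00,0x2f,0x01,0x00,0x00,0x2b,0x03,0x01};
/* SSLv2-format record: length 0x2e, CLIENT-HELLO, version 0x0300 (SSL 3.0). */
static const uint8_t sample_v2[]  = {0x80,0x2e,0x01,0x03,0x00,0x00,0x15,0x00,0x00,0x00,0x10};

/* Classify the start of a client's first flight; 0 on success, -1 otherwise. */
int classify_client_hello(const uint8_t *buf, size_t len, struct hello_info *out)
{
    out->format = HELLO_UNKNOWN; out->offered_version = 0;
    /* SSLv2 format: 2-byte header with the top bit set, then msg type 1
     * (CLIENT-HELLO) and the 2-byte version; the fixed part is 9 bytes. */
    if (len >= 5 && (buf[0] & 0x80) && buf[2] == 0x01) {
        size_t rec_len = ((size_t)(buf[0] & 0x7f) << 8) | buf[1];
        if (rec_len < 9) return -1;
        out->format = HELLO_V2_COMPAT;
        out->offered_version = (uint16_t)((buf[3] << 8) | buf[4]);
        return 0;
    }
    /* SSLv3/TLS record: 5-byte record header (type 22), then handshake
     * type 1, a 3-byte length and the 2-byte client_version. */
    if (len >= 11 && buf[0] == 0x16 && buf[1] == 0x03 && buf[5] == 0x01) {
        out->format = HELLO_V3_RECORD;
        out->offered_version = (uint16_t)((buf[9] << 8) | buf[10]);
        return 0;
    }
    return -1;
}

/* 1 if the retry is a v2-compatible hello offering a lower version than a
 * record-format first attempt, 0 if not, -1 if either buffer is unparsable. */
int fallback_between(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    struct hello_info first, retry;
    if (classify_client_hello(a, alen, &first) || classify_client_hello(b, blen, &retry))
        return -1;
    return first.format == HELLO_V3_RECORD && retry.format == HELLO_V2_COMPAT &&
           retry.offered_version < first.offered_version;
}

int main(void)
{
    printf("fallback: %d\n", fallback_between(sample_tls, sizeof sample_tls,
                                              sample_v2, sizeof sample_v2));
    return 0;
}
```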
