[ CCing curl-library mailing list ]

Hi,

On Mon, Aug 20, 2012 at 04:03:38PM +0200, Olivier Berger wrote:
> I've compiled the https.c example (http://curl.haxx.se/libcurl/c/https.html),
> adapted to connect to fusionforge.int-evry.fr on port 443, adding :
>  curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
>  #define SKIP_PEER_VERIFICATION 1
>  #define SKIP_HOSTNAME_VERIFICATION 1
> with :
> $ gcc -g -o https https.c -l curl
> 
> I'm getting :
> $ ./https 
> * About to connect() to fusionforge.int-evry.fr port 443 (#0)
> *   Trying 157.159.11.57...
> * connected
> * Connected to fusionforge.int-evry.fr (157.159.11.57) port 443 (#0)
> * found 0 certificates in /etc/ssl/certs/ca-certificates.crt
> * gnutls_handshake() failed: A TLS warning alert has been received.
> * Closing connection #0
> * SSL connect error
> curl_easy_perform() failed: error 35
> curl_easy_perform() failed: SSL connect error
> 
> It looks like a handshake error, but I cannot manage to go any further in
> understanding the problem.

Seems like something on the server-side, but AFAICT it only happens with GnuTLS:

> % gnutls-cli --insecure -p 443 fusionforge.int-evry.fr
> [...]
> *** Non fatal error: A TLS warning alert has been received.
> *** Received alert [112]: The server name sent was not recognized
> [...]

Though, being a non-fatal error, IMO curl shouldn't fail (in fact gnutls-cli
proceeds fine after the warning). Also, maybe showing the actual alert instead
of "A TLS warning alert has been received" would be nice too.

Attached is a patch that calls gnutls_error_is_fatal() on the gnutls_handshake()
error code to check if it's fatal. Though I'm not sure if it is the correct fix.

I'll do some additional testing ASAP (when I have a bit of time), but in the
meantime any comment is appreciated.

Attached also a minimal test case.

Cheers

-- 
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
From 2ae35d66fe939fee917f115005843ab49cb5d944 Mon Sep 17 00:00:00 2001
From: Alessandro Ghedini <[email protected]>
Date: Mon, 20 Aug 2012 16:47:48 +0200
Subject: [PATCH] gnutls: do not fail on non-fatal handshake errors

---
 lib/gtls.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/gtls.c b/lib/gtls.c
index c750a6f..a912e31 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -302,15 +302,17 @@ static CURLcode handshake(struct connectdata *conn,
       if(nonblocking)
         return CURLE_OK;
     }
+    else if((rc < 0) && gnutls_error_is_fatal(rc)) {
+      failf(data, "gnutls_handshake() warning: %s", gnutls_strerror(rc));
+    }
     else if(rc < 0) {
       failf(data, "gnutls_handshake() failed: %s", gnutls_strerror(rc));
       return CURLE_SSL_CONNECT_ERROR;
     }
-    else {
-      /* Reset our connect state machine */
-      connssl->connecting_state = ssl_connect_1;
-      return CURLE_OK;
-    }
+
+    /* Reset our connect state machine */
+    connssl->connecting_state = ssl_connect_1;
+    return CURLE_OK;
   }
 }
 
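Review bot: the condition in the new branch `else if((rc < 0) && gnutls_error_is_fatal(rc))` is inverted relative to the stated intent (not failing on non-fatal handshake errors): a fatal rc is logged as a "warning" and then falls through to `connssl->connecting_state = ssl_connect_1; return CURLE_OK;`, while a non-fatal rc takes the unchanged `else if(rc < 0)` branch and returns CURLE_SSL_CONNECT_ERROR. Suggest `!gnutls_error_is_fatal(rc)` in the first branch. Even with that fixed, a non-fatal return (a warning alert, for instance) means the handshake has not completed, so falling through to `return CURLE_OK` would report an unfinished TLS handshake as an established connection; the warning branch should instead call gnutls_handshake() again rather than return, and should use infof() rather than failf() so the error buffer is not filled for a connection that is going to succeed. Since the cover letter asks for the actual alert to be shown, gnutls_alert_get() on the session followed by gnutls_alert_get_name() on GNUTLS_E_WARNING_ALERT_RECEIVED would yield the specific alert text instead of the generic "A TLS warning alert has been received".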
-- 
1.7.10.4

#include <assert.h>
#include <curl/curl.h>

/* Minimal reproducer: perform one HTTPS request against the affected host
 * with peer and host name verification disabled, so that any failure is the
 * handshake itself rather than certificate checking. */
int main(void) {
	CURL *curl;
	CURLcode res;

	curl = curl_easy_init();
	assert(curl);

	curl_easy_setopt(curl, CURLOPT_URL, "https://fusionforge.int-evry.fr:443");
	curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
	curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
	curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);

	/* Expected to succeed once non-fatal handshake alerts are tolerated. */
	res = curl_easy_perform(curl);
	assert(res == CURLE_OK);

	curl_easy_cleanup(curl);

	return 0;
}

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html