On Wed, Oct 22, 2014 at 05:43:00PM +0200, Florian Weimer wrote:
>
> Can you provide more details? This should definitely not happen.

Sure. I've two boxes, a debian squeeze up to date with the latest security releases:

  curl: 7.21.0-2.1+squeeze9
  openssl: 0.9.8o-4squeeze17
  apache2: 2.2.22-13+deb7u3

and a debian wheezy, with the latest official:

  curl: 7.26.0-1+wheezy10
  openssl: 1.0.1e-2+deb7u13
  apache2: 2.2.22-13+deb7u3

Apache is configured to only support tls (-sslv2, -sslv3).

In the following I'll use source- and dest- with wheezy and squeeze suffixes to identify from where I'm making my requests.

If I do the following request from the source-squeeze to a protected URL in the destination box, I don't get any output:

[[
#source-squeeze: curl -I -s -L https://dest-wheezy.example.com/protected/
]]

The only way I get a result is if I force the protocol to be tls in the curl call:

[[
#source-squeeze: curl --tlsv1 -I -s \
    -L https://dest-wheezy.example.com/protected/
HTTP/1.1 401 Authorization Required
Date: Wed, 22 Oct 2014 16:29:28 GMT
Server: Apache/2
WWW-Authenticate: Basic ...
]]

If I attempt the same command from a wheezy source box (source-wheezy), I do get the results I was expecting:

[[
#source-wheezy: curl -I -s -L https://dest-wheezy.example.com/protected/
HTTP/1.1 401 Authorization Required
Date: Wed, 22 Oct 2014 16:27:46 GMT
Server: Apache/2
WWW-Authenticate: Basic ...
]]

I started having the failing behavior in squeeze once I updated the server's config to disable sslv3. Note that I don't have this problem when using source-squeeze, target-squeeze, even if its sslv3 is disabled.

As the stackoverflow report I referred to says, this behavior only happens when the origin request box uses openssl 0.98 and the target one uses openssl 1.0. I don't have the problem in the opposite direction with a source-wheezy and target-squeeze.

As I can't update the squeeze box to wheezy right now and the tool having the problems is a binary proprietary one, the temporary solution I found was to patch libcurl to use tlsv1 as the default value for ssl.

I hope this is not TMI or too confusing to follow.
Please contact me if you need further info or tests.

Regards,
-jose
