On 2021-12-09 09:12, Thierry Huchard wrote:
On 2021-12-08 18:03, Dan Fandrich via curl-library wrote:
On Wed, Dec 08, 2021 at 02:53:54PM +0100, Thierry Huchard via curl-library wrote:
I am the maintainer of the sane-escl backend; I have an error on an https
access to a Canon XK90 scanner.
If you have an idea of why and how to bypass it, I'm interested!

    curl_handle = curl_easy_init();
    curl_easy_setopt(curl_handle, CURLOPT_URL,
                     "https://192.168.yyy.xxx:443/eSCL/ScannerCapabilities");
    /* certificate checks disabled: the scanner presents a device certificate
       from a vendor CA that is not in the system bundle */
    curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYPEER, 0L);
    curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYHOST, 0L);
    curl_easy_setopt(curl_handle, CURLOPT_WRITEFUNCTION, memory_callback_c);
    curl_easy_setopt(curl_handle, CURLOPT_WRITEDATA, (void *)var);
    curl_easy_setopt(curl_handle, CURLOPT_HEADERFUNCTION, header_callback);
    curl_easy_setopt(curl_handle, CURLOPT_HEADERDATA, (void *)header);
    curl_easy_setopt(curl_handle, CURLOPT_FOLLOWLOCATION, 1L);
    curl_easy_setopt(curl_handle, CURLOPT_MAXREDIRS, 3L);
    CURLcode res = curl_easy_perform(curl_handle);
    if (res != CURLE_OK) {
        /* prints: respond: SSL connect error */
        printf("respond: %s\n", curl_easy_strerror(res));
    }

Could it be similar to Github issue #5356? Namely, the scanner is running
years-old firmware that uses a long-obsolete TLS version and OpenSSL is now
refusing to talk to it for security reasons? What TLS back-end is your
libcurl using? What TLS version does the scanner want to use?

On FreeBSD 12.2-RELEASE, the version of OpenSSL is 1.1.1k and curl is 7.73.0.
For the device in question the documentation is not easy to read; the
ideal would have been French, I could have managed with English,
but Japanese, not possible!
So I have no information about it; I know that http requests work. I
would have liked to force the discussion.
I will test the https connection and switch to http if it fails...
Thanks for the feedback!

Thierry

Here is the information returned by the user:

* Environment

| $ uname -a
| FreeBSD aquarius-vm.sign.local 12.2-RELEASE-p11 FreeBSD 12.2-RELEASE-p11 r370982 GENERIC amd64
| $ openssl version
| OpenSSL 1.1.1h-freebsd  24 Aug 2021
| $ curl --version
| curl 7.79.1 (amd64-portbld-freebsd12.2) libcurl/7.79.1 OpenSSL/1.1.1h zlib/1.2.11 libssh2/1.9.0 nghttp2/1.44.0
| Release-Date: 2021-09-22
| Protocols: dict file ftp ftps gopher gophers http https imap imaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
| Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
| $

By default, curl fails to connect.

| $ curl -vk https://192.168.0.108/eSCL/ScannerCapabilities
| *   Trying 192.168.0.108:443...
| * Connected to 192.168.0.108 (192.168.0.108) port 443 (#0)
| * ALPN, offering h2
| * ALPN, offering http/1.1
| * successfully set certificate verify locations:
| *  CAfile: /usr/local/share/certs/ca-root-nss.crt
| *  CApath: none
| * TLSv1.3 (OUT), TLS handshake, Client hello (1):
| * TLSv1.3 (IN), TLS alert, handshake failure (552):
| * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
| * Closing connection 0
| curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

But with "--tls-max 1.0" or "--tls-max 1.1", curl can connect to XK90.
With "--tls-max 1.2" and "--tls-max 1.3", curl returns the same error
described above.

| $ curl -vk --tls-max 1.1 https://192.168.0.108/eSCL/ScannerCapabilities
| *   Trying 192.168.0.108:443...
| * Connected to 192.168.0.108 (192.168.0.108) port 443 (#0)
| * ALPN, offering h2
| * ALPN, offering http/1.1
| * successfully set certificate verify locations:
| *  CAfile: /usr/local/share/certs/ca-root-nss.crt
| *  CApath: none
| * TLSv1.1 (OUT), TLS handshake, Client hello (1):
| * TLSv1.1 (IN), TLS handshake, Server hello (2):
| * TLSv1.1 (IN), TLS handshake, Certificate (11):
| * TLSv1.1 (IN), TLS handshake, Server finished (14):
| * TLSv1.1 (OUT), TLS handshake, Client key exchange (16):
| * TLSv1.1 (OUT), TLS change cipher, Change cipher spec (1):
| * TLSv1.1 (OUT), TLS handshake, Finished (20):
| * TLSv1.1 (IN), TLS handshake, Finished (20):
| * SSL connection using TLSv1.1 / AES256-SHA
| * ALPN, server did not agree to a protocol
| * Server certificate:
| *  subject: CN=192.168.0.108
| *  start date: Jan  1 00:00:00 2019 GMT
| *  expire date: Dec 31 23:59:59 2038 GMT
| *  issuer: CN=CanonIJProductF8A26DA2A5240001
| * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
| > GET /eSCL/ScannerCapabilities HTTP/1.1
| > Host: 192.168.0.108
| > User-Agent: curl/7.79.1
| > Accept: */*
| >
| * Mark bundle as not supporting multiuse
| < HTTP/1.1 200 OK
| < MIME-Version: 1.0
| < Transfer-Encoding: chunked
| < Content-Type: text/xml
| < Connection: close
(snip)
| * TLSv1.1 (IN), TLS alert, close notify (256):
| * TLSv1.1 (OUT), TLS alert, close notify (256):
| $

FYI, Firefox (91.3.0esr and 95.0) can connect to XK90 with TLS1.2.

Thierry
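The manual --tls-max probing from the log above, written up as a script (an added example, not code from the thread or from sane-escl). It assumes the curl CLI with the OpenSSL backend seen in the thread, and treats the device URL and the optional public-key pin as caller-supplied values.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the user's --tls-max
# probing as a script, with certificate checks kept on by default. Assumes
# the curl CLI from the thread (OpenSSL backend) and an eSCL URL as above.

# Pull "<version> <cipher>" out of curl -v output, e.g.
# "* SSL connection using TLSv1.1 / AES256-SHA" -> "TLSv1.1 AES256-SHA".
negotiated_tls() {
    sed -n 's|^.*SSL connection using \([^ ]*\) / \([^ ]*\).*$|\1 \2|p' | head -n 1
}

# True (0) when the negotiated version is one a client should not accept
# silently; the XK90 in the thread only completes a handshake at 1.0/1.1.
is_legacy_tls() {
    case "$1" in
        SSLv2|SSLv3|TLSv1|TLSv1.0|TLSv1.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Try the default handshake, then each --tls-max ceiling, in the order the
# user tried them by hand. Prints "<ceiling> <version> <cipher>" for the
# first success and warns on stderr when that version is below TLS 1.2.
# $2 is an optional public-key pin ("sha256//...", obtained out of band
# from the device, placeholder here). With a pin, -k is added because the
# scanner's issuer (CN=CanonIJProduct...) is in no CA bundle; curl still
# enforces the pin, so the pin rather than the chain authenticates the box.
tls_probe() {
    url=$1; pin=${2:-}
    for ceiling in default 1.3 1.2 1.1 1.0; do
        if [ "$ceiling" = default ]; then set --; else set -- --tls-max "$ceiling"; fi
        if [ -n "$pin" ]; then set -- "$@" -k --pinnedpubkey "$pin"; fi
        out=$(curl -sSv -o /dev/null "$@" "$url" 2>&1) || continue
        neg=$(printf '%s\n' "$out" | negotiated_tls)
        printf '%s %s\n' "$ceiling" "$neg"
        set -- $neg
        is_legacy_tls "$1" && echo "warning: $url only speaks $1" >&2
        return 0
    done
    echo "no TLS ceiling produced a handshake with $url" >&2
    return 1
}
```

Calling `tls_probe https://192.168.0.108/eSCL/ScannerCapabilities` against the device from the log would stop at the 1.1 ceiling and print the warning, which is the signal to pin the key rather than just drop verification.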

--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html