Your message dated Wed, 22 May 2013 18:09:59 +0200
with message-id <[email protected]>
and subject line Re: Bug#709292: curl: Connection to https server produces SSL error.
has caused the Debian Bug report #709292,
regarding libssl1.0.0: "decryption failed or bad record mac" during handshake
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
709292: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709292
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: curl
Version: 7.26.0-1+wheezy2
Severity: normal

Dear Maintainer,

Executing the following:
curl -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
Produced the next error:
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Forcing SSLv3 solves the problem:
curl -3 -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html

wget has same problem in latest stable version, but oldstable works fine.

-- System Information:
Debian Release: 7.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages curl depends on:
ii  libc6     2.13-38
ii  libcurl3  7.26.0-1+wheezy2
ii  zlib1g    1:1.2.7.dfsg-13

curl recommends no packages.

curl suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
On Wed, May 22, 2013 at 02:32:29PM +0200, Alessandro Ghedini wrote:
> reassign 709292 libssl1.0.0
> retitle 709292 libssl1.0.0: "decryption failed or bad record mac" during handshake
> clone 709292 -1
> reassign -1 libgnutls26
> retitle -1 libgnutls26: segfaults during handshake
> severity -1 important
> affects -1 wget
> kthxbye
>
> On Wed, May 22, 2013 at 01:37:35PM +0200, rodrifra wrote:
> > Package: curl
> > Version: 7.26.0-1+wheezy2
> > Severity: normal
> >
> > Dear Maintainer,
> >
> > Executing the following:
> > curl -o pruebacurl.html
> > https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
> > Produced the next error:
> > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> > record mac
> >
> > Forcing SSLv3 solves the problem:
> > curl -3 -o pruebacurl.html
> > https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
>
> If there's any bug, it's probably in the server's SSL implementation, since it
> can't do a proper TLS handshake, in any case it's not curl's fault. I'm
> reassigning this to openssl (which is what curl uses) to make sure there's
> nothing wrong with it.

Yes, this is the server's problem, nothing you can do about it
other than downgrading to a lower TLS version. TLS 1.0 should
work in most cases. About 1% of the servers are known to have
this problem.

The problem is that we announce that we support TLS 1.2 to the
server, and the server should reply that it only supports 1.0,
but just closes the connection or does something else weird.
This is why you also see this with gnutls.

There is nothing we can do in openssl or gnutls about this. What
could be done is that something like curl or wget tries to
connect again with a lower TLS version. But if you automate
this, you also need to think about version downgrade attacks.

Since we can't actually fix anything, and curl and wget have
options to use a lower protocol version, I'm just going to
close this bug.


Kurt
--- End Message ---
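
The retry-with-a-lower-version idea from the closing message, and its downgrade caveat, as an added example (not code from curl, wget, OpenSSL or anyone in this thread). The function names, the allow-list parameter and the host names in the comments are assumptions: a lower version is retried only for hosts explicitly listed as version-intolerant, never below TLS 1.0, and the caller is told when a downgrade happened.

```python
import socket
import ssl

# Newest first. TLS 1.0 is the lowest version ever tried; SSLv3 is not in the list.
VERSIONS = [ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1]


def tls_attempt(host, max_version, port=443, timeout=10):
    """One real handshake capped at max_version; returns the negotiated version."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = max_version
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def connect_with_fallback(host, fallback_hosts, attempt=tls_attempt,
                          floor=ssl.TLSVersion.TLSv1):
    """Try the newest version first; retry lower only for allow-listed hosts.

    Returns (negotiated, downgraded_from); downgraded_from is None when the
    first attempt worked. For a host that is not allow-listed the first
    handshake error is raised unchanged, so breaking the handshake on the
    wire cannot push an arbitrary connection down to an older protocol.
    """
    first_error = None
    for version in VERSIONS:
        if version < floor:
            break
        try:
            negotiated = attempt(host, version)
        except (ssl.SSLError, ConnectionError) as exc:
            if first_error is None:
                first_error = exc
            if host not in fallback_hosts:
                raise first_error
            continue
        # Report the downgrade so the caller can log or alert on it.
        return negotiated, (VERSIONS[0] if first_error else None)
    raise first_error
```

Current OpenSSL builds often disable TLS 1.0 and 1.1 by policy, in which case the lower attempts in `tls_attempt` fail locally instead of reaching the server.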

