RE: schannel_connect_step3 failures
Yang, Marc, et al.,

> I am worried that the flags change in your use cases. And I really don't like the idea of ignoring or just warning about non-matching flags. ISC_RET_CONFIDENTIALITY, ISC_RET_REPLAY_DETECT and ISC_RET_SEQUENCE_DETECT are pretty important to make sure that the SSL connection is actually secure. Why would you want to communicate through an SSL connection that is actually not secure? There should be some other way to fix this.
>
> I am pretty busy with final exams during the following weeks, so I would like to ask whether you or someone else could spend a little more research on this issue before simply ignoring the source of the actual problem. Thanks in advance, I would really appreciate it!

> No intention to ignore it on this side. Actually I'm raising the issue publicly, and listening to your recommendation of not disabling the check.

I loaded the URL Yang mentioned the problem with - https://www.digicert.com/ - without issues on WinXP and Win7. I don't have a Win2k machine to duplicate the problem on.

MSDN says InitializeSecurityContext() with the flags we care about here are supported from Win2k onwards.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa375924(v=vs.85).aspx

One possibility is to disable the checks only on Win2k (something like #if WINVER = 0x400). I'd recommend not making any change though until we learn more. I tried a quick search of the web but did not find anything.

Mark

---
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Re: schannel_connect_step3 failures
Salisbury, Mark mark.salisb...@hp.com wrote:

> I'd recommend not making any change though until we learn more.

I fully agree on not relaxing the check. We have plenty of time before release to investigate, and in any case, better safe than sorry.

-- 
-=[Yang]=-
Re: schannel_connect_step3 failures
Hi Yang,

2012/6/20 Yang Tse yangs...@gmail.com

> Marc, Mark et al.,
>
> When testing libcurl's Schannel support on w2k I've been getting repeatable failures in schannel_connect_step3(), more precisely in the block that checks if the required context attributes are met.
>
> Commenting out that block allows curl operations to succeed against servers in the wild.
>
> Do you have some clue about this? Is this an interoperability issue or just something specific to this w2k installation?

Thanks for the report. Could you give some more details please? For example the verbose message output? Seeing the exact context attributes that are not met would help me a lot.

Since I am testing on Win7 only, I have not experienced such issues against multiple test servers.

Best regards,
Marc
Re: schannel_connect_step3 failures
Hi,

> Seeing the exact context attributes that are not met would help me a lot.

Trace attached

-- 
-=[Yang]=-

10:32:23.999000 == Info: About to connect() to www.digicert.com port 443 (#0)
10:32:23.999000 == Info: Trying 64.78.193.234...
10:32:26.253000 == Info: connected
10:32:26.253000 == Info: Connected to www.digicert.com (64.78.193.234) port 443 (#0)
10:32:26.343000 == Info: schannel: SSL/TLS connection with www.digicert.com port 443 (step 1/3)
10:32:26.343000 == Info: schannel: checking server certificate revocation
10:32:26.473000 == Info: schannel: sending initial handshake data: sending 78 bytes...
10:32:26.473000 == Info: schannel: sent initial handshake data: sent 78 bytes
10:32:26.473000 == Info: schannel: SSL/TLS connection with www.digicert.com port 443 (step 2/3)
10:32:26.473000 == Info: schannel: failed to receive handshake, need more data
10:32:26.864000 == Info: schannel: SSL/TLS connection with www.digicert.com port 443 (step 2/3)
10:32:26.864000 == Info: schannel: encrypted data buffer: offset 4919 length 16384
10:32:26.914000 == Info: schannel: sending next handshake data: sending 314 bytes...
10:32:27.114000 == Info: schannel: SSL/TLS connection with www.digicert.com port 443 (step 2/3)
10:32:27.114000 == Info: schannel: encrypted data buffer: offset 47 length 16384
10:32:27.224000 == Info: schannel: SSL/TLS handshake complete
10:32:27.224000 == Info: schannel: SSL/TLS connection with www.digicert.com port 443 (step 3/3)
10:32:27.224000 == Info: schannel: failed to setup sequence detection
10:32:27.224000 == Info: schannel: failed to setup replay detection
10:32:27.224000 == Info: schannel: failed to setup confidentiality
10:32:27.224000 == Info: schannel: failed to setup stream orientation
10:32:27.224000 == Info: Closing connection #0
10:32:27.224000 == Info: schannel: shutting down SSL/TLS connection with www.digicert.com port 443
Re: schannel_connect_step3 failures
Code sets several ISC_REQ_* bit flags in order to set up the security context, and later verifies if the flags of the security context actually match those previously set.

The problem is that except for ISC_REQ_ALLOCATE_MEMORY, all others may simply be ignored, changed while handshaking and even further changed while renegotiating.

I believe the fix is to only warn if returned flags don't match requested ones, except for the ISC_REQ_ALLOCATE_MEMORY one which should fail hard if it doesn't match and make schannel_connect_step3 fail.

-- 
-=[Yang]=-
Re: schannel_connect_step3 failures
Hi Yang,

2012/6/20 Yang Tse yangs...@gmail.com:

> Code sets several ISC_REQ_* bit flags in order to set up the security context, and later verifies if the flags of the security context actually match those previously set.
>
> The problem is that except for ISC_REQ_ALLOCATE_MEMORY, all others may simply be ignored, changed while handshaking and even further changed while renegotiating.
>
> I believe the fix is to only warn if returned flags don't match requested ones, except for the ISC_REQ_ALLOCATE_MEMORY one which should fail hard if it doesn't match and make schannel_connect_step3 fail.

I am worried that the flags change in your use cases. And I really don't like the idea of ignoring or just warning about non-matching flags. ISC_RET_CONFIDENTIALITY, ISC_RET_REPLAY_DETECT and ISC_RET_SEQUENCE_DETECT are pretty important to make sure that the SSL connection is actually secure. Why would you want to communicate through an SSL connection that is actually not secure? There should be some other way to fix this.

I am pretty busy with final exams during the following weeks, so I would like to ask whether you or someone else could spend a little more research on this issue before simply ignoring the source of the actual problem. Thanks in advance, I would really appreciate it!

Best regards,
Marc
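As an added illustration of the check Yang proposes to relax and Marc wants kept (written for this note, not curl's own schannel code): a hard-fail verification of the context attributes returned by InitializeSecurityContext(), treating the three attributes Marc names plus stream orientation and memory allocation as mandatory. The ISC_RET_* values are assumed to match the Windows SDK's sspi.h and are repeated so the example builds without Windows headers.

```c
#include <stdio.h>

/* Attribute bits as defined in the Windows SDK's sspi.h, repeated here so the
 * example builds without Windows headers (assumed to match the SDK values). */
#ifndef ISC_RET_REPLAY_DETECT
#define ISC_RET_REPLAY_DETECT    0x00000004UL
#define ISC_RET_SEQUENCE_DETECT  0x00000008UL
#define ISC_RET_CONFIDENTIALITY  0x00000010UL
#define ISC_RET_ALLOCATED_MEMORY 0x00000100UL
#define ISC_RET_STREAM           0x00008000UL
#endif

/* Attributes a TLS client must not proceed without: if Schannel did not grant
 * them, the channel is not protected the way the caller assumes. Note that
 * ISC_REQ_ALLOCATE_MEMORY is acknowledged as ISC_RET_ALLOCATED_MEMORY. */
#define SCHANNEL_REQUIRED_RET \
  (ISC_RET_ALLOCATED_MEMORY | ISC_RET_CONFIDENTIALITY | ISC_RET_REPLAY_DETECT | \
   ISC_RET_SEQUENCE_DETECT | ISC_RET_STREAM)

static const struct { unsigned long bit; const char *what; } required_names[] = {
  { ISC_RET_SEQUENCE_DETECT,  "sequence detection" },
  { ISC_RET_REPLAY_DETECT,    "replay detection" },
  { ISC_RET_CONFIDENTIALITY,  "confidentiality" },
  { ISC_RET_STREAM,           "stream orientation" },
  { ISC_RET_ALLOCATED_MEMORY, "memory allocation" },
};

/* Returns the required attributes missing from ret_flags (the pfContextAttr
 * value InitializeSecurityContext() reported); 0 means the context is usable.
 * With verbose set, one diagnostic line per missing attribute is printed. */
unsigned long schannel_missing_attrs(unsigned long ret_flags, int verbose)
{
  unsigned long missing = SCHANNEL_REQUIRED_RET & ~ret_flags;
  size_t i;
  for(i = 0; verbose && i < sizeof(required_names) / sizeof(required_names[0]); i++)
    if(missing & required_names[i].bit)
      printf("schannel: failed to setup %s\n", required_names[i].what);
  return missing;
}

/* Step-3 verdict: 0 = handshake accepted, -1 = abort the connection.
 * Extra bits the caller never asked for are tolerated; missing ones are not. */
int schannel_step3_verdict(unsigned long ret_flags)
{
  return schannel_missing_attrs(ret_flags, 1) ? -1 : 0;
}
```

A context like the w2k trace, where only memory allocation came back, yields -1 from schannel_step3_verdict(), so the connection is torn down instead of proceeding over an unprotected channel.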
Re: schannel_connect_step3 failures
Marc Hoersken i...@marc-hoersken.de wrote:

> I am pretty busy with final exams during the following weeks, so I would like to ask whether you or someone else could spend a little more research on this issue before simply ignoring the source of the actual problem. Thanks in advance, I would really appreciate it!

No intention to ignore it on this side. Actually I'm raising the issue publicly, and listening to your recommendation of not disabling the check.

Maybe Mark has some clues on this given that he might have access to a broader variety of Win versions.

-- 
-=[Yang]=-