Package: libcurl3-gnutls
Version: 7.38.0-4+deb8u3
Severity: normal
Tags: upstream patch jessie
Dear Maintainer,
TLS Alert processing in the curl gnutls backend is broken and returns an error
when the server sends a (non-fatal) TLS Alert message (e.g. due to an
unrecognized SNI name).
You can test it with a slightly modified doc/examples/https.c (I only
replaced www.example.com with a random host taken from another bug report
that triggers this bug; attached).
$ gcc -o https https.c /usr/lib/*/libcurl-gnutls.so.3
$ ./https >/dev/null
curl_easy_perform() failed: SSL peer certificate or SSH remote key was
not OK
This bug is already fixed upstream in commit
d5aab55b3353bec1d34a2e1434399d23db79b254 (between 7.42 and 7.43, so
stretch/sid should be fine [but I have not tried to check]);
however, the jessie version is still broken. This commit can be cleanly
cherry-picked to 7.38 and fixes the problem (verified).
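An added example, not part of this report or of curl, showing what the non-fatal alert looks like on the wire and applying the warning-versus-fatal decision the patch makes to it; the two records are constructed sample bytes, and the unrecognized_name(112) alert code is taken from RFC 6066, which lets a server send it at warning level when it does not know the SNI name.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS record: content type (21 = alert), version (2 bytes), body length (2 bytes);
 * an alert body is level (1 = warning, 2 = fatal) plus a one-byte description. */
#define TLS_CT_ALERT             21
#define TLS_ALERT_WARNING         1
#define TLS_ALERT_FATAL           2
#define TLS_AD_UNRECOGNIZED_NAME 112  /* RFC 6066: server does not know the SNI name */

struct tls_alert { int level; int description; };

/* Parse one plaintext alert record; returns 1 on success, 0 if the bytes are not
 * a well-formed alert (wrong content type, short buffer, bad length/level). */
int parse_tls_alert(const uint8_t *buf, size_t len, struct tls_alert *out)
{
  if(len < 7 || buf[0] != TLS_CT_ALERT)
    return 0;
  size_t body_len = ((size_t)buf[3] << 8) | buf[4];
  if(body_len != 2 || len < 5 + body_len)
    return 0;
  out->level = buf[5];
  out->description = buf[6];
  return out->level == TLS_ALERT_WARNING || out->level == TLS_ALERT_FATAL;
}

/* The decision the patched handshake loop makes: a warning-level alert is logged
 * and the handshake continues (returns 1); a fatal or malformed alert aborts (0). */
int alert_allows_continue(const uint8_t *buf, size_t len)
{
  struct tls_alert a;
  return parse_tls_alert(buf, len, &a) && a.level == TLS_ALERT_WARNING;
}

/* Constructed sample records, not captured from the host named in the report:
 * a warning-level unrecognized_name(112) alert and a fatal handshake_failure(40). */
const uint8_t WARN_UNRECOGNIZED_NAME[] = {0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x70};
const uint8_t FATAL_HANDSHAKE_FAILURE[] = {0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28};

int main(void)
{
  printf("warning alert -> continue=%d\n",
         alert_allows_continue(WARN_UNRECOGNIZED_NAME, sizeof WARN_UNRECOGNIZED_NAME));
  printf("fatal alert   -> continue=%d\n",
         alert_allows_continue(FATAL_HANDSHAKE_FAILURE, sizeof FATAL_HANDSHAKE_FAILURE));
  return 0;
}
```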
-- System Information:
Debian Release: 8.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'proposed-updates')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libcurl3-gnutls depends on:
ii libc6 2.19-18
ii libcomerr2 1.42.12-1.1
ii libgnutls-deb0-28 3.3.8-6+deb8u3
ii libgssapi-krb5-2 1.12.1+dfsg-19
ii libidn11 1.29-1+b2
ii libk5crypto3 1.12.1+dfsg-19
ii libkrb5-3 1.12.1+dfsg-19
ii libldap-2.4-2 2.4.40+dfsg-1+deb8u1
ii libnettle4 2.7.1-5
ii librtmp1 2.4+20150115.gita107cef-1
ii libssh2-1 1.4.3-4.1+deb8u1
ii multiarch-support 2.19-18
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages libcurl3-gnutls recommends:
ii ca-certificates 20141019+deb8u1
libcurl3-gnutls suggests no packages.
-- no debconf information
/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 1998 - 2012, Daniel Stenberg, <dan...@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at http://curl.haxx.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 ***************************************************************************/
#include <stdio.h>
#include <curl/curl.h>

int main(void)
{
  CURL *curl;
  CURLcode res;

  curl_global_init(CURL_GLOBAL_DEFAULT);

  curl = curl_easy_init();
  if(curl) {
    /* The only change from the upstream example: a host (taken from another
       bug report) whose server answers with a non-fatal TLS alert. */
    curl_easy_setopt(curl, CURLOPT_URL, "https://stech.muecke.pw/");

#ifdef SKIP_PEER_VERIFICATION
    /*
     * If you want to connect to a site that isn't using a certificate that is
     * signed by one of the certs in the CA bundle you have, you can skip the
     * verification of the server's certificate. This makes the connection
     * A LOT LESS SECURE.
     *
     * If you have a CA cert for the server stored someplace else than in the
     * default bundle, then the CURLOPT_CAPATH option might come handy for
     * you.
     */
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
#endif

#ifdef SKIP_HOSTNAME_VERIFICATION
    /*
     * If the site you're connecting to uses a different host name than what
     * they have mentioned in their server certificate's commonName (or
     * subjectAltName) fields, libcurl will refuse to connect. You can skip
     * this check, but this will make the connection less secure.
     */
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
#endif

    /* Perform the request, res will get the return code */
    res = curl_easy_perform(curl);
    /* Check for errors */
    if(res != CURLE_OK)
      fprintf(stderr, "curl_easy_perform() failed: %s\n",
              curl_easy_strerror(res));

    /* always cleanup */
    curl_easy_cleanup(curl);
  }

  curl_global_cleanup();

  return 0;
}
From 6e0ff31d469ec6690b85e2bd19052ae1a66f98fa Mon Sep 17 00:00:00 2001
From: Dmitry Eremin-Solenikov <dbarysh...@gmail.com>
Date: Wed, 20 May 2015 22:50:55 +0300
Subject: [PATCH] gtls: don't fail on non-fatal alerts during handshake
Stop curl from failing when a non-fatal alert is received during the
handshake. This e.g. fixes lots of problems when working with https
sites through proxies.
(cherry picked from commit d5aab55b3353bec1d34a2e1434399d23db79b254)
---
lib/vtls/gtls.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index d64f95d..b98195f 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -320,7 +320,8 @@ static CURLcode handshake(struct connectdata *conn,
if(strerr == NULL)
strerr = gnutls_strerror(rc);
- failf(data, "gnutls_handshake() warning: %s", strerr);
+ infof(data, "gnutls_handshake() warning: %s\n", strerr);
+ continue;
}
else if(rc < 0) {
const char *strerr = NULL;
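Review bot: the `continue` added after the infof() call re-enters the handshake loop, but the condition that selects this branch sits above the hunk and is not visible here; confirm it matches only warning-level alerts (a received fatal alert must still reach the error path below) and that the enclosing loop is bounded by the connect timeout, so a peer that keeps answering with warning alerts cannot make it spin indefinitely. The trailing `\n` added to the message is correct for curl's infof() convention (infof messages carry their own newline, failf messages do not).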
--
2.1.4