Hi,

Kaspar Brand wrote:
> - libcurl versions compiled against OpenSSL or GnuTLS will most likely
> suffer from the same problem, so maybe an implementation with fallback
> to "extension-less" TLS (or even SSL 3.0) would better go into
> lib/sslgen.c, not into lib/nss.c only?

I tested a curl version built with OpenSSL, and there was no problem with the mentioned URLs; a curl version built with NSS failed, and -3 'solved' it ... see attached log.

Gün.

##########################################################################
curl -svI https://www.orange.sk > tmp/broken_tls_servers.txt 2>&1
--------------------------------------------------------------------------
* About to connect() to www.orange.sk port 443 (#0)
* Trying 213.151.200.57... connected
* Connected to www.orange.sk (213.151.200.57) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using AES256-SHA
* Server certificate:
* subject: 1.3.6.1.4.1.311.60.2.1.3=SK; 2.5.4.15=V1.0, Clause 5.(b); serialNumber=35 697 270; C=SK; postalCode=82109; ST=SK; L=Bratislava; streetAddress=Prievozska 6/A; O=Orange Slovakia a.s.; CN=www.orange.sk
* start date: 2009-08-14 00:00:00 GMT
* expire date: 2010-08-14 23:59:59 GMT
* common name: www.orange.sk (matched)
* issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)06; CN=VeriSign Class 3 Extended Validation SSL SGC CA
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.6 (x86_64-unknown-linux-gnu) libcurl/7.19.6
> OpenSSL/0.9.8i zlib/1.2.3 libidn/1.10 libssh2/0.19.0-20080814
> Host: www.orange.sk
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 18 Oct 2009 21:45:07 GMT
< Server: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
< Set-Cookie: JSESSIONID=0a19055130d61c04c6bb3b9440e5b6b897a8feaea215.e3eMbN0LbNiPe3qTb30Oax8Sc40; path=/web
< Expires: Sun, 18 Oct 2009 21:45:17 GMT
< Surrogate-Control: max-age="10"
< Content-Type: text/html; charset=ISO-8859-2
< X-Cache: MISS from www.orange.sk
* no chunk, no close, no size. Assume close to signal end
<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
} [data not shown]
HTTP/1.1 200 OK
Date: Sun, 18 Oct 2009 21:45:07 GMT
Server: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
Set-Cookie: JSESSIONID=0a19055130d61c04c6bb3b9440e5b6b897a8feaea215.e3eMbN0LbNiPe3qTb30Oax8Sc40; path=/web
Expires: Sun, 18 Oct 2009 21:45:17 GMT
Surrogate-Control: max-age="10"
Content-Type: text/html; charset=ISO-8859-2
X-Cache: MISS from www.orange.sk

##########################################################################
nsscurl -svI https://www.orange.sk >> tmp/broken_tls_servers.txt 2>&1
--------------------------------------------------------------------------
* About to connect() to www.orange.sk port 443 (#0)
* Trying 213.151.200.57... connected
* Connected to www.orange.sk (213.151.200.57) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
* CAfile: none
  CApath: none
* NSS error -12226
* Closing connection #0
* SSL connect error

##########################################################################
nsscurl -svI3 https://www.orange.sk >> tmp/broken_tls_servers.txt 2>&1
--------------------------------------------------------------------------
* About to connect() to www.orange.sk port 443 (#0)
* Trying 213.151.200.57... connected
* Connected to www.orange.sk (213.151.200.57) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
* CAfile: none
  CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_MD5
* Server certificate:
* subject: CN=www.orange.sk,O=Orange Slovakia a.s.,OID.2.5.4.9=Prievozska 6/A,L=Bratislava,ST=SK,postalCode=82109,C=SK,serialNumber=35 697 270,OID.2.5.4.15="V1.0, Clause 5.(b)",OID.1.3.6.1.4.1.311.60.2.1.3=SK
* start date: Aug 14 00:00:00 2009 GMT
* expire date: Aug 14 23:59:59 2010 GMT
* common name: www.orange.sk
* issuer: CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.7-20090910 (x86_64-unknown-linux-gnu)
> libcurl/7.19.7-20090910 NSS/3.12.4.5 zlib/1.2.3 libidn/1.10
> libssh2/0.19.0-20080814
> Host: www.orange.sk
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 18 Oct 2009 21:46:06 GMT
< Server: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
< Set-Cookie: JSESSIONID=0a19055a30d782e469d6d3f249aa8374d0af77a39011.e3eNaNiRah4Pe3aSch8Sch0Nay0; path=/web
< Expires: Sun, 18 Oct 2009 21:46:16 GMT
< Surrogate-Control: max-age="10"
< Content-Type: text/html; charset=ISO-8859-2
< X-Cache: MISS from www.orange.sk
* no chunk, no close, no size. Assume close to signal end
<
* Closing connection #0
HTTP/1.1 200 OK
Date: Sun, 18 Oct 2009 21:46:06 GMT
Server: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
Set-Cookie: JSESSIONID=0a19055a30d782e469d6d3f249aa8374d0af77a39011.e3eNaNiRah4Pe3aSch8Sch0Nay0; path=/web
Expires: Sun, 18 Oct 2009 21:46:16 GMT
Surrogate-Control: max-age="10"
Content-Type: text/html; charset=ISO-8859-2
X-Cache: MISS from www.orange.sk
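
An added example, not part of the original mail or of curl: a small Python audit of `curl -v` traces shaped like the attached log, reporting per run the TLS backend, negotiated cipher and handshake error, and flagging runs where SSL 3.0 was forced or an RC4/MD5 suite was negotiated. The sample log is constructed (placeholder host, trimmed lines), and `parse_runs`, `findings` and `grab` are names chosen here.

```python
import re

# Constructed sample, trimmed to the shape of the attached log (host is a placeholder).
SAMPLE = """\
####################
curl -svI https://host.example > out.txt 2>&1
* SSL connection using AES256-SHA
> User-Agent: curl/7.19.6 (x86_64-unknown-linux-gnu) libcurl/7.19.6
> OpenSSL/0.9.8i zlib/1.2.3
< HTTP/1.1 200 OK
####################
nsscurl -svI https://host.example >> out.txt 2>&1
* NSS error -12226
* SSL connect error
####################
nsscurl -svI3 https://host.example >> out.txt 2>&1
* SSL connection using SSL_RSA_WITH_RC4_128_MD5
> User-Agent: curl/7.19.7-20090910 (x86_64-unknown-linux-gnu)
> libcurl/7.19.7-20090910 NSS/3.12.4.5 zlib/1.2.3
< HTTP/1.1 200 OK
"""

SEP = re.compile(r"^#{10,}[ \t]*$", re.M)      # run separator used in the log
WEAK = ("RC4", "MD5", "NULL", "EXPORT")        # substrings of suites to flag

def grab(pattern, text):
    """Return group 1 of the first multiline match, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def parse_runs(log):
    """Split the log on separator lines and extract the TLS facts of each run."""
    runs = []
    for chunk in filter(str.strip, SEP.split(log)):
        # First line is the command; drop the shell redirection after '>'.
        cmd = chunk.strip().splitlines()[0].split(">")[0].split()
        runs.append({"cmd": cmd,
                     "backend": grab(r"\b((?:OpenSSL|NSS|GnuTLS)/[\w.]+)", chunk),
                     "cipher": grab(r"^\* SSL connection using (\S+)", chunk),
                     "error": grab(r"^\* (NSS error -?\d+|SSL connect error)", chunk),
                     "status": grab(r"^< HTTP/\S+ (\d{3})", chunk)})
    return runs

def findings(run):
    out = ["handshake failed: " + run["error"]] if run["error"] else []
    # Heuristic: a 3 inside a short-option cluster, or --sslv3, pins SSL 3.0.
    if any(t == "--sslv3" or re.fullmatch(r"-\w*3\w*", t) for t in run["cmd"][1:]):
        out.append("SSL 3.0 forced")
    if run["cipher"] and any(w in run["cipher"].upper() for w in WEAK):
        out.append("weak cipher: " + run["cipher"])
    return out
```
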
