Package: curl
Version: 7.65.3-1
Severity: normal

I'm trying to use curl with an old server on my local net. The server has a
self-signed certificate and I don't care about the security, so I've added the
-k (--insecure) switch.  This should make curl connect anyway, disregarding
security.  However, I see the following error:

$ curl -v -k --resolve sandbox1.dev.wordpress.example.com:443:10.16.160.13 https://sandbox1.dev.wordpress.example.com
* Added sandbox1.dev.wordpress.example.com:443:10.16.160.13 to DNS cache
* Hostname sandbox1.dev.wordpress.example.com was found in DNS cache
*   Trying 10.16.160.13:443...
* TCP_NODELAY set
* Connected to sandbox1.dev.wordpress.example.com (10.16.160.13) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1 
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs  
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
* Closing connection 0
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

This seems similar to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907788
except that in this case, I'm explicitly telling curl to disregard security.


-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.1.12 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages curl depends on:
ii  libc6     2.28-10
ii  libcurl4  7.65.3-1
ii  zlib1g    1:1.2.11.dfsg-1

curl recommends no packages.

curl suggests no packages.

-- no debconf information
