Bug 525496
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Unable to open some https urls, NSS error -12226 | | |
| Product | [Fedora] Fedora | Reporter | Jan ONDREJ <ondrejj> |
| Component | curl | Assignee | Kamil Dudka <kdudka> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Priority | medium |
| Version | 11 | CC | kdudka |
| Hardware | All | OS | Linux |
| Fixed In Version | 7.19.7-2.fc12 | Doc Type | Bug Fix |
| Last Closed | 2009-12-18 04:18:04 UTC | | |
Description
Jan ONDREJ
2009-09-24 15:16:59 UTC
Description of problem:
Some pages cannot be opened with curl compiled with nss.

Same problem described here:
http://curl.haxx.se/mail/curlphp-2008-10/0002.html

Steps to Reproduce:
1. curl -v https://www.orange.sk/

Actual results:
```
* About to connect() to www.orange.sk port 443 (#0)
*   Trying 213.151.200.57... connected
* Connected to www.orange.sk (213.151.200.57) port 443 (#0)
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12226 "SSL peer rejected a handshake message for unacceptable content."
```

Expected results:
no error, open url

Additional info:
Mail from above says that recompilation with openssl works.

Comment 1 (Kamil Dudka)

Thanks for your report!

> Description of problem:
> Some pages cannot be opened with curl compiled with nss.

It looks like a server problem to me.

> Same problem described here:
> http://curl.haxx.se/mail/curlphp-2008-10/0002.html

It doesn't point to any libcurl nor NSS bug.

> Steps to Reproduce:
> 1. curl -v https://www.orange.sk/

You are asking for a secure connection (default).

> Actual results:
> * About to connect() to www.orange.sk port 443 (#0)
> *   Trying 213.151.200.57... connected
> * Connected to www.orange.sk (213.151.200.57) port 443 (#0)
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * NSS error -12226 "SSL peer rejected a handshake message for unacceptable content."
>
> Expected results:
> no error, open url

Which other clients have you tried to connect with?

> Additional info:
> Mail from above says that recompilation with openssl works.

It doesn't, at least for me:

```
$ curl --version
curl 7.19.6 (x86_64-redhat-linux-gnu) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3 libidn/1.9 libssh2/1.2
Protocols: tftp ftp telnet dict ldap http file https ftps scp sftp
Features: IDN IPv6 Largefile NTLM SSL libz
$ curl -v https://www.orange.sk/
* About to connect() to www.orange.sk port 443 (#0)
*   Trying 213.151.200.57... connected
* Connected to www.orange.sk (213.151.200.57) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter
* Closing connection #0
curl: (35) error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter
```

Should I improve the error message for you (to be similar to the OpenSSL one)?

Comment 2 (Jan ONDREJ)

(In reply to comment #1)
> > Actual results:
> > * About to connect() to www.orange.sk port 443 (#0)
> > *   Trying 213.151.200.57... connected
> > * Connected to www.orange.sk (213.151.200.57) port 443 (#0)
> > *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >   CApath: none
> > * NSS error -12226 "SSL peer rejected a handshake message for unacceptable content."
> >
> > Expected results:
> > no error, open url
>
> Which other clients have you tried to connect with?

For example, Firefox displays the correct page. Curious that wget can't connect either.

> Should I improve the error message for you (to be similar to the OpenSSL one)?

Maybe it would be useful for others too.

Then maybe a bug in Firefox ... or just fewer requirements for security?

Comment 3 (Kamil Dudka)

Firefox/xulrunner use NSS for SSL, too. So it should be possible to make libcurl behave equally in case we consider this behavior harmless. I need to test it with Firefox myself first and analyze what exactly differs.

Do you have some statistics on how many websites are affected by the issue? Have you tried to contact the webmaster and ask for some technical details about the server?

As for the error message improvement, I think it *is* useful. We are working on the NSS support with some hackers from libcurl upstream in our spare time. The NSS error message reporting is one of the things we want to make better in the near future. Feel free to come with other ideas on how to improve the NSS support.

Comment 4 (Jan ONDREJ)

(In reply to comment #3)
> Do you have some statistics on how many websites are affected by the issue?

No. I know about 2 servers only: www.orange.sk and the server reported on the curl mailing list. Curious that www.orangeporta.sk says the certificate cannot be authenticated, but www.orange.sk (same organization) raises an error.

> Have you tried to contact the webmaster and ask for some technical details about the server?

No, I don't know who the proper contact is for so large an organization as Orange.

Comment 5 (Kamil Dudka)

The whois utility knows:

```
$ whois orange.sk | grep @
Admin-email hostmaster
Tech-email hostmaster
```

I think the webmaster might be interested in fixing the issue as it does not seem to be Fedora (nor Linux) specific. I haven't had time to investigate it further. Leave a note here if you have some new info.

As for the NSS error messages, bug 526121 seems to be related. You can vote for it ;-)

Comment 6 (Kamil Dudka)

While investigating bug 527771 I realized what's different between curl and FF. Could you please try it with the option --sslv3? Thanks in advance!

Comment 7 (Kamil Dudka)

A scratch build is ready for testing:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1733961

It should work with or without the --sslv3 option. Please test it ASAP so that I can request a freeze override for F-12.

Comment 8 (Jan ONDREJ)

(In reply to comment #6)
> While investigating bug 527771 I realized what's different between curl and FF.
> Could you please try it with the option --sslv3? Thanks in advance!

With -3 or --sslv3 I can open my problematic page.

Comment 9 (Jan ONDREJ)

(In reply to comment #7)
> A scratch build is ready for testing:
> http://koji.fedoraproject.org/koji/taskinfo?taskID=1733961
>
> It should work with or without the --sslv3 option. Please test it ASAP so that

Yes, this works also with or without --sslv3. Nice work. Thank you.

> I can request a freeze override for F-12.

I think it's enough to put this into F-12 updates.

Comment 10 (Kamil Dudka)

Thanks for testing it! Unfortunately there are still some open questions about the patch which prevent it from getting into dist-f12. You can follow the thread on the upstream mailing list:
http://curl.haxx.se/mail/lib-2009-10/0080.html

Comment 11 (Kamil Dudka)

patch ready for review:
http://permalink.gmane.org/gmane.comp.web.curl.library/25440

Comment 12 (Kamil Dudka)

a new version of the patch:
http://permalink.gmane.org/gmane.comp.web.curl.library/25687

Comment 13 (Kamil Dudka)

fixed in curl-7.19.7-2.fc13 for now

Comment 14 (Kamil Dudka)

As a long-term solution Kaspar Brand has raised the issue at mozilla.org:
https://bugzilla.mozilla.org/show_bug.cgi?id=526806

Comment 15 (Fedora Update System)

curl-7.19.7-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/curl-7.19.7-3.fc11

Comment 16 (Fedora Update System)

curl-7.19.7-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/curl-7.19.7-2.fc12

Comment 17 (Fedora Update System)

curl-7.19.7-2.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update curl'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12235

Comment 18 (Fedora Update System)

curl-7.19.7-3.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update curl'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-12245

Comment 19 (Fedora Update System)

curl-7.19.7-3.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update curl'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-12245

Comment 20 (Fedora Update System)

curl-7.19.7-2.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update curl'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12235

Comment 21 (Fedora Update System)

curl-7.19.7-3.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 (Fedora Update System)

curl-7.19.7-2.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
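The diagnosis in this thread (the server accepts an SSLv3 ClientHello but rejects curl's default one with "illegal parameter" / NSS -12226) generalizes to probing a host one protocol version at a time and comparing outcomes. The probe below is an added example, not code from the bug report, curl or NSS; it assumes a current Python whose ssl module no longer speaks SSLv3, so it pins TLS 1.2 and TLS 1.3 instead, and its label names and version list are constructed for this example.

```python
"""Probe a TLS server one protocol version at a time (added example)."""
import socket
import ssl
from typing import Dict, Optional

# Versions pinned one at a time (constructed list for this example).
VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def classify(exc: Optional[BaseException]) -> str:
    """Map a handshake outcome to a label using the error text ssl raises."""
    if exc is None:
        return "ok"
    text = str(exc).lower()
    # Both strings from the bug: NSS -12226 and OpenSSL "illegal parameter".
    if "illegal parameter" in text or "unacceptable content" in text:
        return "rejected-handshake"
    if "handshake failure" in text or "protocol version" in text:
        return "version-unsupported"
    if isinstance(exc, (socket.timeout, ConnectionError)):
        return "connection-error"
    return "other: " + text[:60]


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """Attempt one handshake per pinned version; return {version: label}."""
    results: Dict[str, str] = {}
    for name, ver in VERSIONS.items():
        ctx = ssl.create_default_context()
        ctx.minimum_version = ver
        ctx.maximum_version = ver
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    pass  # the handshake completes inside wrap_socket
            results[name] = classify(None)
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            results[name] = classify(exc)
    return results


def is_version_intolerant(results: Dict[str, str]) -> bool:
    """True when one version works while another is rejected outright."""
    labels = set(results.values())
    return "ok" in labels and "rejected-handshake" in labels
```

The same per-version check with today's curl is `curl -v --tlsv1.2 --tls-max 1.2 https://host/`, the modern equivalent of the --sslv3 comparison done in the thread.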