Thanks for your report!

> Description of problem:
> Some pages cannot be opened with curl compiled with nss.

It looks like a server problem to me.

> Same problem described here:
>   http://curl.haxx.se/mail/curlphp-2008-10/0002.html

It doesn't point to any libcurl neither NSS bug.

> Steps to Reproduce:
> 1. curl -v https://www.orange.sk/

You are asking for a secure connection (default).

> Actual results:
> * About to connect() to www.orange.sk port 443 (#0)
> *   Trying 213.151.200.57... connected
> * Connected to www.orange.sk (213.151.200.57) port 443 (#0)
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * NSS error -12226

"SSL peer rejected a handshake message for unacceptable content."

> Expected results:
> no error, open url

Which other clients have you tried to connect with?

> Additional info:
> Mail from above says, that recompilation with openssl works.  

It doesn't, at least for me:
$ curl --version
curl 7.19.6 (x86_64-redhat-linux-gnu) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3 libidn/1.9 libssh2/1.2
Protocols: tftp ftp telnet dict ldap http file https ftps scp sftp
Features: IDN IPv6 Largefile NTLM SSL libz

$ curl -v https://www.orange.sk/
* About to connect() to www.orange.sk port 443 (#0)
*   Trying 213.151.200.57... connected
* Connected to www.orange.sk (213.151.200.57) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter
* Closing connection #0
curl: (35) error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter

Should I improve the error message for you (to be similar to the OpenSSL one)?

(In reply to comment #1)
> > Actual results:
> > * About to connect() to www.orange.sk port 443 (#0)
> > *   Trying 213.151.200.57... connected
> > * Connected to www.orange.sk (213.151.200.57) port 443 (#0)
> > *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >   CApath: none
> > * NSS error -12226
> 
> "SSL peer rejected a handshake message for unacceptable content."
> 
> > Expected results:
> > no error, open url
> 
> Which other clients have you tried to connect with?

For example Firefox displays correct page.
Curious, that wget can't connect too.

> Should I improve the error message for you (to be similar to the OpenSSL one)?  

May be it would be useful for others too.

Then maybe bug in Firefox ... or just less requirements for security?

Firefox/xulrunner use NSS for SSL, too. So it should be possible to make libcurl behave equally in case we consider this behavior harmless. I need to test it with Firefox myself first and analyze what exactly differs.

Do you have some statistics how many websites are affected by the issue? Have you tried to contact the webmaster and ask some technical details about the server?

As for the error message improvement, I think it *is* useful. We are working on the NSS support with some hackers from libcurl upstream in our spare time. The NSS error message reporting is one of the things we want to make better in near future. Feel free to come with another ideas how to improve the NSS support.

(In reply to comment #3)
> Do you have some statistics how many websites are affected by the issue?

No. I know about 2 servers only. www.orange.sk and server reported in curl mailinglist.
Curious, that www.orangeporta.sk says, that certificate cannot be authenticated, but www.orange.sk (same organization) raises an error.

> Have
> you tried to contact the webmaster and ask some technical details about the
> server?

No, I don't know, who is proper contact for so large organization as Orange is.

The whois utility knows:

$ whois orange.sk | grep @
Admin-email         hostmaster
Tech-email          hostmaster

I think the webmaster might be interested in fixing the issue as it does not seem to be Fedora (nor Linux) specific. I haven't had time to investigate it further. Leave here a note if you have some new info.

As for the NSS error messages, the bug 526121 seems to be related. You can vote for it ;-)

While investigating bug 527771 I realized what's different among curl and FF. Could you please try it with the option --sslv3? Thanks in advance!

A scratch build is ready for testing:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1733961

It should work with or without the --sslv3 option. Please test it ASAP so that I can request freeze override for F-12.

(In reply to comment #6)
> While investigating bug 527771 I realized what's different among curl and FF.
> Could you please try it with the option --sslv3? Thanks in advance!  

With -3 or --sslv3 I can open my problematic page.

(In reply to comment #7)
> A scratch build is ready for testing:
> http://koji.fedoraproject.org/koji/taskinfo?taskID=1733961
> 
> It should work with or without the --sslv3 option. Please test it ASAP so that

Yes, this works also with or without --sslv3. Nice work. Thank you.

> I can request freeze override for F-12.  

I think it's enough to put this to F-12 updates.

Thanks for testing it! Unfortunately there are still some open question about the patch which prevent it from getting into dist-f12. You can follow the thread at upstream mailing list:

http://curl.haxx.se/mail/lib-2009-10/0080.html

patch ready for review:

http://permalink.gmane.org/gmane.comp.web.curl.library/25440

a new version of the patch:

http://permalink.gmane.org/gmane.comp.web.curl.library/25687

fixed in curl-7.19.7-2.fc13 for now

As a long-term solution Kaspar Brand has raised the issue at mozilla.org:

https://bugzilla.mozilla.org/show_bug.cgi?id=526806

curl-7.19.7-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/curl-7.19.7-3.fc11

curl-7.19.7-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/curl-7.19.7-2.fc12

curl-7.19.7-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update curl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12235

curl-7.19.7-3.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update curl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-12245

curl-7.19.7-3.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update curl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-12245

curl-7.19.7-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update curl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12235

curl-7.19.7-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

curl-7.19.7-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.