[Pkg-openssl-devel] Bug#709292: closed by Kurt Roeckx <kurt at roeckx.be> (Re: Bug#709292: curl: Connection to https server produces SSL error.)
Caronte Estigia
sable_laser at yahoo.es
Thu May 23 07:25:10 UTC 2013
Good Morning Kurt,
just one question. I think Alessandro reassigned the bug to both libssl and libgnutls. Am I correct?
Question is because specifying the protocol solves the problem with libssl, not with libgnutls. When I test wget with --secure-protocol it works fine when compiled with libssl but it keeps failing with libgnutls.
Could you please confirm the fact that the case is still open in libgnutls or should I file a new bug?
Best regards.
Francisco.
________________________________
From: Debian Bug Tracking System <owner at bugs.debian.org>
To: rodrifra <sable_laser at yahoo.es>
Sent: Wednesday, 22 May 2013 18:21
Subject: Bug#709292 closed by Kurt Roeckx <kurt at roeckx.be> (Re: Bug#709292: curl: Connection to https server produces SSL error.)
This is an automatic notification regarding your Bug report
which was filed against the libssl1.0.0 package:
#709292: libssl1.0.0: "decryption failed or bad record mac" during handshake
It has been closed by Kurt Roeckx <kurt at roeckx.be>.
Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Kurt Roeckx <kurt at roeckx.be> by
replying to this email.
--
709292: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709292
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
On Wed, May 22, 2013 at 02:32:29PM +0200, Alessandro Ghedini wrote:
> reassign 709292 libssl1.0.0
> retitle 709292 libssl1.0.0: "decryption failed or bad record mac" during handshake
> clone 709292 -1
> reassign -1 libgnutls26
> retitle -1 libgnutls26: segfaults during handshake
> severity -1 important
> affects -1 wget
> kthxbye
>
> On Wed, May 22, 2013 at 01:37:35PM +0200, rodrifra wrote:
> > Package: curl
> > Version: 7.26.0-1+wheezy2
> > Severity: normal
> >
> > Dear Maintainer,
> >
> > Executing the following:
> > curl -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
> > Produced the next error:
> > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> >
> > Forcing SSLv3 solves the problem:
> > curl -3 -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
>
> If there's any bug, it's probably in the server's SSL implementation, since it
> can't do a proper TLS handshake, in any case it's not curl's fault. I'm
> reassigning this to openssl (which is what curl uses) to make sure there's
> nothing wrong with it.
Yes, this is the server's problem, nothing you can do about it
other than downgrading to a lower TLS version. TLS 1.0
should work in most cases. About 1% of the servers are known to
have this problem.
The problem is that we announce that we support TLS 1.2 to the server,
and the server should reply that it only supports 1.0, but just
closes the connection or does something else weird. This is why
you also see this with gnutls.
There is nothing we can do in openssl or gnutls about this. What
could be done is that something like curl or wget tries to connect
again with a lower TLS version. But if you automate this, you
also need to think about version downgrade attacks.
Since we can't actually fix anything, and curl and wget have
options to use a lower protocol version, I'm just going to
close this bug.
Kurt

Package: curl
Version: 7.26.0-1+wheezy2
Severity: normal
Dear Maintainer,
Executing the following:
curl -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
Produced the next error:
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Forcing SSLv3 solves the problem:
curl -3 -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
wget has same problem in latest stable version, but oldstable works fine.
-- System Information:
Debian Release: 7.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages curl depends on:
ii libc6 2.13-38
ii libcurl3 7.26.0-1+wheezy2
ii zlib1g 1:1.2.7.dfsg-13
curl recommends no packages.
curl suggests no packages.
-- no debconf information
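
The retry with a lower TLS version that Kurt's reply mentions, together with its downgrade caveat, as an added example (not code from curl, wget, OpenSSL, GnuTLS or this thread): the fallback is allowed only for hosts on an explicit list, is logged, and keeps certificate verification on. The names `PINNED_MAX`, `handshake` and `connect_with_policy`, the host `legacy.example.test` and the TLS 1.2 cap are assumptions made for the illustration.

```python
import socket
import ssl

# Constructed policy table (hypothetical host): servers an operator has verified
# to be version-intolerant, mapped to the highest version they may be capped at.
PINNED_MAX = {"legacy.example.test": ssl.TLSVersion.TLSv1_2}


def handshake(host, port=443, max_version=None, timeout=10):
    """Perform one verified TLS handshake and return the negotiated version."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    if max_version is not None:
        ctx.maximum_version = max_version  # announce nothing newer than the cap
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def connect_with_policy(host, do_handshake=handshake, pinned=PINNED_MAX, log=print):
    """Return (negotiated_version, capped); retry capped only for pinned hosts."""
    try:
        return do_handshake(host), False
    except (ssl.SSLError, ConnectionError) as exc:
        cap = pinned.get(host)
        if cap is None:
            # On an unlisted host a broken handshake may be someone on the path
            # forcing a downgrade, so do not retry with a weaker offer.
            raise
        log(f"{host}: handshake failed ({exc}); retrying capped at {cap.name}")
        return do_handshake(host, max_version=cap), True
```

A blind "retry lower on any failure" loop would let anyone who can reset the connection choose the protocol version; the allowlist limits that to hosts already known to misbehave.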