Nick Miyake
2017-07-25 23:10:33 UTC
I would like to report an issue with curl 7.54.0 using the "--tlsv1.2" flag in macOS Sierra.
I use a cURL command of the following form to connect to a server that uses client TLS and requires a minimum version of TLS 1.2:
curl --tlsv1.2 -s -S \
--cert-type pkcs12 \
--cert "client.p12:changeit" \
--cacert "ca.cer" \
-iv -XGET https://localhost:13000/info/v1/version
This worked fine through macOS Sierra 10.12.5, which shipped with curl 7.51.0. However, macOS Sierra 10.12.6 updated its curl version to 7.54.0, and this same command no longer works.
I compiled 7.53.0 locally and confirmed that this command works and compiled 7.54.0 locally and verified that the command does not work. Interestingly, if I remove the '--tlsv1.2' flag entirely, the command works in 7.54.0 as well. The error reporting in the default version is not very helpful (it reports 'curl: (35) Unknown SSL protocol error in connection to localhost:-9836'), but in the version I compiled locally the error message is 'curl: (35) unsupported max version passed via CURLOPT_SSLVERSION'. Based on this, this appears to be a bug in the way the version parameters are set by the '--tlsv1.2' flag.
I've attached the output of 'curl --version' and the result of running the commands below:
'curl 7.54.0 (x86_64-apple-darwin16.0) libcurl/7.54.0 SecureTransport zlib/1.2.8'
* Trying ::1...
* TCP_NODELAY set
* Connection failed
* connect to ::1 port 13000 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 13000 (#0)
* WARNING: SSL: The Security framework only supports loading identities that are in PKCS#12 format.
* Client certificate: localhost
* Unknown SSL protocol error in connection to localhost:-9836
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to localhost:-9836
'curl 7.54.0-DEV (x86_64-apple-darwin16.7.0) libcurl/7.54.0-DEV SecureTransport zlib/1.2.8'
* STATE: INIT => CONNECT handle 0x7fee2c800008; line 1413 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* Trying ::1...
* TCP_NODELAY set
* STATE: CONNECT => WAITCONNECT handle 0x7fee2c800008; line 1466 (connection #0)
* Connection failed
* connect to ::1 port 13000 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 13000 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x7fee2c800008; line 1583 (connection #0)
* Marked for [keep alive]: HTTP default
* unsupported max version passed via CURLOPT_SSLVERSION
* Marked for [closure]: Failed HTTPS connection
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x7fee2c800008; line 1597 (connection #0)
* Expire cleared
* multi_done
* Closing connection 0
* The cache now contains 0 members
curl: (35) unsupported max version passed via CURLOPT_SSLVERSION
'curl 7.53.0-DEV (x86_64-apple-darwin16.7.0) libcurl/7.53.0-DEV SecureTransport zlib/1.2.8'
* STATE: INIT => CONNECT handle 0x7f974a002c08; line 1418 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* Trying ::1...
* TCP_NODELAY set
* STATE: CONNECT => WAITCONNECT handle 0x7f974a002c08; line 1471 (connection #0)
* Connection failed
* connect to ::1 port 13000 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 13000 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x7f974a002c08; line 1588 (connection #0)
* Marked for [keep alive]: HTTP default
* WARNING: SSL: The Security framework only supports loading identities that are in PKCS#12 format.
* Client certificate: localhost
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x7f974a002c08; line 1602 (connection #0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: localhost
* Server certificate: CA
* STATE: PROTOCONNECT => DO handle 0x7f974a002c08; line 1623 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x7f974a002c08; line 1812 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x7f974a002c08; line 1822 (connection #0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
Thanks,
-Nick
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.h
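Added example (not part of Nick's post and not curl's own code): a small Python check that reads a `curl -v` transcript like the three above, reports success only when the handshake line shows a protocol version at or above the TLS 1.2 floor, and turns the two failures into distinguishable reasons, decoding the bare -9836 that the stock build prints as the Security framework's errSSLPeerProtocolVersion and flagging the 'unsupported max version' message as a client-side option error rather than a server refusal. The three sample transcripts are constructed to match the shape of the runs in the post; running it over a fresh `curl -v` capture after an OS update is a cheap way to confirm a client still negotiates the version it is supposed to.

```python
import re
# Constructed excerpts modelled on the three `curl -v` runs quoted in the post.
RUN_STOCK_754 = """\
* Unknown SSL protocol error in connection to localhost:-9836
curl: (35) Unknown SSL protocol error in connection to localhost:-9836
"""
RUN_DEV_754 = """\
* unsupported max version passed via CURLOPT_SSLVERSION
curl: (35) unsupported max version passed via CURLOPT_SSLVERSION
"""
RUN_753 = """\
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
< HTTP/1.1 200 OK
"""
# OSStatus codes from Apple's Security framework; -9836 is the one the post shows.
SECURE_TRANSPORT_CODES = {-9836: "errSSLPeerProtocolVersion"}
_TLS_LINE = re.compile(r"^\* TLS (\d+)\.(\d+) connection using (\S+)")
_CURL_ERR = re.compile(r"^curl: \((\d+)\) (.+?)(?::(-\d+))?$")
_HTTP_STATUS = re.compile(r"^< HTTP/\d\.\d (\d{3})")

def parse_curl_verbose(text):
    """Reduce a `curl -v` transcript to the fields a TLS-floor check needs."""
    rep = dict(tls=None, cipher=None, curl_code=None, error=None, st_code=None, http_status=None)
    for line in text.splitlines():
        m = _TLS_LINE.match(line)       # negotiated protocol version and cipher suite
        if m:
            rep["tls"], rep["cipher"] = (int(m[1]), int(m[2])), m[3]
            continue
        m = _CURL_ERR.match(line)       # exit code (35 = SSL connect error), message,
        if m:                           # and the trailing SecureTransport OSStatus if any
            rep["curl_code"], rep["error"] = int(m[1]), m[2]
            rep["st_code"] = int(m[3]) if m[3] else None
            continue
        m = _HTTP_STATUS.match(line)
        if m:
            rep["http_status"] = int(m[1])
    return rep
def check_tls_floor(text, floor=(1, 2)):
    """Return (ok, reason); ok only if the handshake completed at or above floor."""
    rep = parse_curl_verbose(text)
    if rep["tls"] is None:
        reason = rep["error"] or "no TLS version line in transcript"
        if rep["st_code"] in SECURE_TRANSPORT_CODES:
            reason += " (%s)" % SECURE_TRANSPORT_CODES[rep["st_code"]]
        if "CURLOPT_SSLVERSION" in reason:   # rejected locally by the TLS backend
            reason += " [client-side option error, not a server refusal]"
        return False, reason
    if rep["tls"] < floor:
        return False, "negotiated TLS %d.%d is below the floor" % rep["tls"]
    return True, "TLS %d.%d with %s" % (rep["tls"] + (rep["cipher"],))
```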