-
-
Notifications
You must be signed in to change notification settings - Fork 6.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error in curl after version 7.50.1 and not before with FTPS TLSV1.0 with client certificate #1316
Comments
I can't reproduce this. I've tried various curls both before and after and 7.50.1 built against OpenSSL since that's what you seem to be using, and the results are a consistent (and expected in my case) handshake failure almost certainly due to lack of client cert. What is the
|
Hi jay, best regards. moderator edit: requested github remove images from aws due to sensitive information @jay |
I requested github remove your screenshots from their servers (and they did) because even though you tried to wipe out your password it could still be reconstructed in at least one. I suggest you change your password. Also please don't give us screenshots just post the curl -V data in and for additional information you can post it in or attach text files. Looking at your two curls the one that works to make the connections is built against OpenSSL 1.0.2 and the one that doesn't work to make the connections is built against OpenSSL 1.1.0. So I think that could be something. Also OpenSSL 1.0.2 connection uses I would capture the packets in Wireshark of a failed connection using the curl w/ OpenSSL 1.1.0. There is a chance that even though it sets TLSv1.0 that version of OpenSSL can't do it, or it's a bug in curl that for some reason it isn't being set. |
Hi Jay, |
Thanks. To sum up:
Working:
Not working:
In the not-working case the cipher suites sent for TLS v1.0 include various AES, CAMELLIA and SEED but do not include 3DES. AFAICT some 3DES is required for TLS v1.0 and 1.1 so the question is why it isn't being sent. For reference here are all the required ciphers based on TLS version: TLS v1.0, RFC 2246 section 9:
TLS v1.1, RFC 4346 section 9:
TLS v1.2, RFC 5246 section 9:
curl uses a default cipher list when built against OpenSSL. Based on your output your curls use this default list. #define DEFAULT_CIPHER_SELECTION \
"ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH" AFAICT from the OpenSSL 1.1.0 cipher manpage none of those disable 3DES. (Note You could try And someone tell me what this means from the RFCs: So who is responsible here for ensuring 3DES is sent for TLS v1.x ? My interpretation of these RFCs is unless TLS v1.2 was explicitly requested the 3DES mandatory ciphers should be sent. Is OpenSSL breaking the RFCs by not including 3DES by default any longer? Shouldn't it be built in, even if it's not in the default cipher lists or ALL, so that an application like curl can include it for TLSv1.x? |
The real-world has moved beyond the RFC's and 3DES is really bad. If you want it you need to configure with enable-weak-ciphers and put "@SECLEVEL=0" on your cipher string. |
I should have read that blog post all the way through. It looks like 3DES has various weaknesses and the post describes one specific serious one sweet32, which is why it is disabled now in OpenSSL 1.1. I'm not sure what to do in a case like this. |
If you need to interop and require 3DES, see my advice above. |
Ok, but I am curious though what is the disadvantage of leaving it built in even if it is disabled by default, that way apps could get that interop without users having to rebuild OpenSSL? Have any other apps reported something similar? |
At this point it becomes a discussion more appropriate for the openssl-users mailing list, https://mta.openssl.org to join. |
Ok I understand, thanks. @lpmd2000 to connect to that server using curl w/OpenSSL 1.1 you would first need to rebuild OpenSSL 1.1 with 3DES support as Rich mentioned earlier. If you don't have any problems using OpenSSL 1.0.2 there is a contributor pre-built curl with OpenSSL 1.0.2k on the downloads page Win32, from Darren Owen. bedae9315a24420d5bbf80e95930cad1d3345b908d670220cbf83a287b9db99f Remove the included ca-bundle.crt and download the latest cacert.pem and rename it curl-ca-bundle.crt, or use your own ca bundle. e62a07e61e5870effa81b430e1900778943c228bd7da1259dd6a955ee2262b47 |
Hi,
We are trying to connect to a ftps server with tlsv1.0 with a client certificate. Before version 7.50.0 everything was OK. But after 7.50.1 we have an error saying "error:1409442F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient security"
We were exepecting to connect sucessfully as before, wat could be wrong.
The problema occurs on version curl 7.50.1 and after.
curl -v -u ftps0004:**** --tlsv1.0 --ftp-method nocwd --cacert d:\filebroker\certificates\verisignCA3.cer --cert "d:\temp\pedro_quaresma.pem" --cert-type "PEM" ftps://gateway.coface.com/
Operation System windows 2012.
I have atached two log files one, with version 7.50 and the other one (failing) with 7.51.
best regards,
Luis
Connect_not_OK_7.51.txt
Connect_OK_7.50.txt
The text was updated successfully, but these errors were encountered: