Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

schannel: failed to decrypt data, need more data error in window11 with libcurl #14807

Open
anu743 opened this issue Sep 6, 2024 · 7 comments
Labels
TLS Windows Windows-specific

Comments

@anu743
Copy link

anu743 commented Sep 6, 2024

I did this

when try to download a file using curl through proxy and below command:
curl -fvk --proxy 120.0.0.1:3501 -o Test.bin <URL_to_download> -v -k -l
download is successful but : "schannel: failed to decrypt data, need more data " error is coming

TLS handshake was successful

i tried running with --tls-max 1.2 flag and --ssl-no-revoke flag but still the issue is coming

its happening only when i tried to download the file from windows.

but how to confirm that this is issue with windows and TLS compatability.

I expected the following

expected to completed the download without errors

curl/libcurl version

curl/8.2.1

operating system

window11

@icing
Copy link
Contributor

icing commented Sep 6, 2024

Do you see an error returned by curl or is it just the message that you think should not happen?

@anu743
Copy link
Author

anu743 commented Sep 6, 2024

Curl is returning this error during download.
when i do the request from windows.

logs:
< HTTP/1.0 200 Connection established
< Proxy-agent: tinyproxy/1.11.0-rc1-62-git-90adf28
<

  • CONNECT phase completed
  • CONNECT tunnel established, response 200
  • schannel: disabled automatic use of client certificate
    GET

Host: eddlargedataadls2cgwtest.blob.core.windows.net
User-Agent: curl/8.2.1
Accept: /

  • schannel: failed to decrypt data, need more data
  • schannel: failed to decrypt data, need more data
  • schannel: failed to decrypt data, need more data
  • schannel: failed to decrypt data, need more data
  • schannel: failed to decrypt data, need more data
  • schannel: failed to decrypt data, need more data
  • schannel: failed to decrypt data, need more data
    < HTTP/1.1 200 OK
    < Content-Length: 524288037
    < Content-Type: application/octet-stream
    < Content-MD5: olMZCY3LMWL5cm6dA7F+aA==
    < Last-Modified: Wed, 28 Aug 2024 13:56:20 GMT
    < Accept-Ranges: bytes
    < ETag: "0x8DCC7693238AF04"
    < Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    < x-ms-request-id: 51e34464-801e-0021-7159-f98b1c000000
    < x-ms-version: 2022-11-02
    < x-ms-resource-type: file
    < x-ms-creation-time: Tue, 16 Apr 2024 08:42:56 GMT
    < x-ms-lease-status: unlocked
    < x-ms-lease-state: available
    < x-ms-blob-type: BlockBlob
    < x-ms-server-encrypted: true
    < x-ms-owner: $superuser
    < x-ms-group: $superuser
    < x-ms-permissions: rw-r-----
    < Date: Wed, 28 Aug 2024 14:46:39 GMT
    <
    { [15724 bytes data]
  • schannel: failed to decrypt data, need more data
  • schannel: failed to decrypt data, need more data
  • schannel: failed to decrypt data, need more data
  • schannel: failed to decrypt data, need more data
  • schannel: failed to decrypt data, need more data
  • schannel: failed to decrypt data, need more data

so this schannel error is keep printing until the download completes

@icing
Copy link
Contributor

icing commented Sep 6, 2024

So the download completes successfully, but the stream of messages is - understandably - annoying. Did I get this right?

@anu743
Copy link
Author

anu743 commented Sep 6, 2024

its not about annoying..
just wanted to make sure , that its not effecting the download and why this error is happening.
how can i fix it or resolve it.

or confirm that its causing due to windows compatibility with TLS and curl

@bagder bagder added TLS Windows Windows-specific labels Sep 6, 2024
bagder added a commit that referenced this issue Sep 6, 2024
It is misleading and wrong.

Reported-by: Annpurna
Fixes #14807
icing added a commit to icing/curl that referenced this issue Sep 6, 2024
Turn most infof() and DEBUGF() traces into CURL_TRC_CF() statements
that do not appear on normal verbose output.

refs curl#14807
@icing
Copy link
Contributor

icing commented Sep 6, 2024

its not about annoying.. just wanted to make sure , that its not effecting the download and why this error is happening. how can i fix it or resolve it.

or confirm that its causing due to windows compatibility with TLS and curl

It is not an error indication, e.g. nothing has gone wrong. The cause of this is that the Schannel library gets a chunk of data from your proxy that is not a complete TLS record. Therefore, it cannot decode it and needs the rest of the packet's data. When it arrives, it will complete the decryption and everything is fine.

Under most network conditions, TLS packets arrive pretty much complete and it is rare that this happens. But your proxy seems to forward the data in chunks that make this more frequent. Why it does that, I do not know.

@anu743
Copy link
Author

anu743 commented Sep 6, 2024

okay, Thanks a lot for the clarification.

@jay
Copy link
Member

jay commented Sep 6, 2024

We are discussing moving this message into a level of tracing or eliminating it. What it basically means is decryption failed because the received message is incomplete. Depending on network conditions you may see it very frequently in verbose.

jay added a commit to jay/curl that referenced this issue Sep 8, 2024
- Create a new macro SCH_DEV() to manage verbose debug messages that are
  only useful for debugging Schannel recv decryption.

schannel_recv contains a lot of useful debug messages to help debug the
function, however in practice they are not otherwise useful and showing
them in debug builds adds a lot of noise.

To show these messages curl must now be built with
CURL_SCHANNEL_DEV_DEBUG defined.

Prior to this change many, but not all, extra-verbose messages were
wrapped in DEBUGF() so they were only shown in debug builds.

Ref: curl#14807

Closes #xxxxx
jay added a commit to jay/curl that referenced this issue Sep 8, 2024
- Create a new macro SCH_DEV() to manage verbose debug messages that are
  only useful for debugging Schannel recv decryption.

schannel_recv contains a lot of useful debug messages to help debug the
function, however in practice they are not otherwise useful and showing
them in debug builds adds a lot of noise.

To show these messages curl must now be built with
CURL_SCHANNEL_DEV_DEBUG defined.

Prior to this change many, but not all, extra-verbose messages were
wrapped in DEBUGF() so they were only shown in debug builds.

Ref: curl#14807

Closes #xxxxx
jay added a commit to jay/curl that referenced this issue Sep 8, 2024
- Create a new macro SCH_DEV() to manage verbose debug messages that are
  only useful for debugging Schannel recv decryption.

schannel_recv contains a lot of useful debug messages to help debug the
function, however in practice they are not otherwise useful and showing
them in debug builds adds a lot of noise.

To show these messages curl must now be built with
CURL_SCHANNEL_DEV_DEBUG defined.

Prior to this change many, but not all, extra-verbose messages were
wrapped in DEBUGF() so they were only shown in debug builds.

Ref: curl#14807

Closes #xxxxx
jay added a commit to jay/curl that referenced this issue Sep 27, 2024
- Create a new macro SCH_DEV() to manage verbose debug messages that are
  only useful for debugging Schannel recv decryption.

schannel_recv contains a lot of useful debug messages to help debug the
function, however in practice they are not otherwise useful and showing
them in debug builds adds a lot of noise.

To show these messages curl must now be built with
CURL_SCHANNEL_DEV_DEBUG defined.

Prior to this change many, but not all, extra-verbose messages were
wrapped in DEBUGF() so they were only shown in debug builds.

Ref: curl#14807

Closes #xxxxx
jay added a commit to jay/curl that referenced this issue Sep 28, 2024
- Create a new macro SCH_DEV() to manage verbose debug messages that are
  only useful for debugging Schannel recv decryption.

schannel_recv contains a lot of useful debug messages to help debug the
function, however in practice they are not otherwise useful and showing
them in debug builds adds a lot of noise.

To show these messages curl must now be built with
CURL_SCHANNEL_DEV_DEBUG defined.

Prior to this change many, but not all, extra-verbose messages were
wrapped in DEBUGF() so they were only shown in debug builds.

Ref: curl#14807

Closes #xxxxx
jay added a commit to jay/curl that referenced this issue Sep 28, 2024
- Create a new macro SCH_DEV() to manage verbose debug messages that are
  only useful for debugging Schannel recv decryption.

schannel_recv contains a lot of useful debug messages to help debug the
function, however in practice they are not otherwise useful and showing
them in debug builds adds a lot of noise.

To show these messages curl must now be built with
CURL_SCHANNEL_DEV_DEBUG defined.

Prior to this change many, but not all, extra-verbose messages were
wrapped in DEBUGF() so they were only shown in debug builds.

Ref: curl#14807

Closes #xxxxx
jay added a commit to jay/curl that referenced this issue Oct 5, 2024
- Create a new macro SCH_DEV() to manage verbose debug messages that are
  only useful for debugging Schannel recv decryption.

schannel_recv contains a lot of useful debug messages to help debug the
function, however in practice they are not otherwise useful and showing
them in debug builds adds a lot of noise.

To show these messages curl must now be built with
CURL_SCHANNEL_DEV_DEBUG defined.

Prior to this change many, but not all, extra-verbose messages were
wrapped in DEBUGF() so they were only shown in debug builds.

Ref: curl#14807

Closes #xxxxx
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
TLS Windows Windows-specific
Development

Successfully merging a pull request may close this issue.

4 participants