Yang Tse | 20 Jun 2012 10:07

schannel_connect_step3 failures

Marc, Mark et al.,

When testing libcurl's Schannel support on w2k I've been getting
repeatable failures in schannel_connect_step3(), more precisely in the
block that checks if the required context attributes are met.
Commenting out that block allows curl operations to succeed against
servers in the wild.

Do you have some clue about this? Is this an interoperability issue or
just something specific to this w2k installation?

--

-- 
-=[Yang]=-
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Marc Hoersken | 20 Jun 2012 10:19

Re: schannel_connect_step3 failures

Hi Yang,

2012/6/20 Yang Tse <yangsita <at> gmail.com>
>
> Marc, Mark et al.,
>
> When testing libcurl's Schannel support on w2k I've been getting
> repeatable failures in schannel_connect_step3(), more precisely in the
> block that checks if the required context attributes are met.
> Commenting out that block allows curl operations to succeed against
> servers in the wild.
>
> Do you have some clue about this? Is this an interoperability issue or
> just something specific to this w2k installation?

thanks for the report. Could you give some more details please? For
example the verbose message output?

Seeing the exact context attributes that are not met would help me a lot.

Since I am testing on Win7 only, I have not experienced such issues
against multiple test servers.

Best regards,
Marc

Yang Tse | 20 Jun 2012 10:31

Re: schannel_connect_step3 failures

Hi,

> Seeing the exact context attributes that are not met would help me a lot.

Trace attached

-- 
-=[Yang]=-
10:32:23.999000 == Info: About to connect() to www.digicert.com port 443 (#0)
10:32:23.999000 == Info:   Trying 64.78.193.234...
10:32:26.253000 == Info: connected
10:32:26.253000 == Info: Connected to www.digicert.com (64.78.193.234) port 443 (#0)
10:32:26.343000 == Info: schannel: SSL/TLS connection with www.digicert.com port 443 (step 1/3)
10:32:26.343000 == Info: schannel: checking server certificate revocation
10:32:26.473000 == Info: schannel: sending initial handshake data: sending 78 bytes...
10:32:26.473000 == Info: schannel: sent initial handshake data: sent 78 bytes
10:32:26.473000 == Info: schannel: SSL/TLS connection with www.digicert.com port 443 (step 2/3)
10:32:26.473000 == Info: schannel: failed to receive handshake, need more data
10:32:26.864000 == Info: schannel: SSL/TLS connection with www.digicert.com port 443 (step 2/3)
10:32:26.864000 == Info: schannel: encrypted data buffer: offset 4919 length 16384
10:32:26.914000 == Info: schannel: sending next handshake data: sending 314 bytes...
10:32:27.114000 == Info: schannel: SSL/TLS connection with www.digicert.com port 443 (step 2/3)
10:32:27.114000 == Info: schannel: encrypted data buffer: offset 47 length 16384
10:32:27.224000 == Info: schannel: SSL/TLS handshake complete
10:32:27.224000 == Info: schannel: SSL/TLS connection with www.digicert.com port 443 (step 3/3)
10:32:27.224000 == Info: schannel: failed to setup sequence detection
10:32:27.224000 == Info: schannel: failed to setup replay detection
10:32:27.224000 == Info: schannel: failed to setup confidentiality

Yang Tse | 20 Jun 2012 20:23

Re: schannel_connect_step3 failures

Code sets several ISC_REQ_* bit flags in order to set up the security
context, and later verifies if the flags of the security context
actually match those previously set.

The problem is that except for ISC_REQ_ALLOCATE_MEMORY, all others may
simply be ignored, changed while handshaking and even further changed
while renegotiating.

I believe the fix is to only warn if returned flags don't match
requested ones, except for the ISC_REQ_ALLOCATE_MEMORY one which
should fail hard if it doesn't match and make schannel_connect_step3
fail.

--

-- 
-=[Yang]=-

Marc Hoersken | 20 Jun 2012 20:53

Re: schannel_connect_step3 failures

Hi Yang,

2012/6/20 Yang Tse <yangsita <at> gmail.com>:
> Code sets several ISC_REQ_* bit flags in order to set up the security
> context, and later verifies if the flags of the security context
> actually match those previously set.
>
> The problem is that except for ISC_REQ_ALLOCATE_MEMORY, all others may
> simply be ignored, changed while handshaking and even further changed
> while renegotiating.
>
> I believe the fix is to only warn if returned flags don't match
> requested ones, except for the ISC_REQ_ALLOCATE_MEMORY one which
> should fail hard if it doesn't match and make schannel_connect_step3
> fail.

I am worried that the flags change in your use cases. And I really
don't like the idea of ignoring or just warning about non-matching
flags. ISC_RET_CONFIDENTIALITY, ISC_RET_REPLAY_DETECT and
ISC_RET_SEQUENCE_DETECT are pretty important to make sure that the SSL
connection is actually "secure". Why would you want to communicate
through an SSL connection that is actually not secure? There should be
some other way to fix this.

I am pretty busy with final exams during the following weeks, so I
would like to ask whether you or someone else could spend a little
more research on this issue before simply ignoring the source of the
actual problem. Thanks in advance, I would really appreciate it!

Best regards,
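The check the two messages above discuss, written out as an added illustration (not libcurl's own schannel code): it compares the ISC_REQ_* attributes requested from InitializeSecurityContext() with the ISC_RET_* attributes the finished context reports, names the ones that are missing, and treats any missing attribute as a hard failure rather than a warning, which is the position Marc argues for. The flag values are copied from the Windows SDK's sspi.h so the example compiles without Windows headers; the requested set is assumed to be the four attributes named in this thread, and the sample "granted" value is constructed to mirror the failing w2k trace (only the memory-allocation bit came back).

```c
#include <stdio.h>
#include <string.h>
/* Bits as defined in the Windows SDK's sspi.h, copied so this compiles without Windows headers. */
#define ISC_REQ_REPLAY_DETECT     0x00000004UL
#define ISC_REQ_SEQUENCE_DETECT   0x00000008UL
#define ISC_REQ_CONFIDENTIALITY   0x00000010UL
#define ISC_REQ_ALLOCATE_MEMORY   0x00000100UL
#define ISC_RET_REPLAY_DETECT     0x00000004UL
#define ISC_RET_SEQUENCE_DETECT   0x00000008UL
#define ISC_RET_CONFIDENTIALITY   0x00000010UL
#define ISC_RET_ALLOCATED_MEMORY  0x00000100UL
/* Assumed request set: the four attributes named in this thread. */
#define SCHANNEL_REQ_FLAGS (ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT | \
                            ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY)

/* Each requested ISC_REQ_* bit and the ISC_RET_* bit that confirms it was granted. */
static const struct { unsigned long req, ret; const char *name; } attrs[] = {
    { ISC_REQ_SEQUENCE_DETECT, ISC_RET_SEQUENCE_DETECT,  "sequence detection" },
    { ISC_REQ_REPLAY_DETECT,   ISC_RET_REPLAY_DETECT,    "replay detection" },
    { ISC_REQ_CONFIDENTIALITY, ISC_RET_CONFIDENTIALITY,  "confidentiality" },
    { ISC_REQ_ALLOCATE_MEMORY, ISC_RET_ALLOCATED_MEMORY, "memory allocation" },
};

/* Returns the requested bits the finished context did NOT grant (0 = all present)
 * and writes their names, comma-separated, into `missing` (len may be 0). */
unsigned long check_context_attrs(unsigned long requested, unsigned long granted,
                                  char *missing, size_t len)
{
    unsigned long absent = 0;
    size_t i, used = 0;
    if (len) missing[0] = '\0';
    for (i = 0; i < sizeof(attrs) / sizeof(attrs[0]); i++) {
        if (!(requested & attrs[i].req) || (granted & attrs[i].ret)) continue;
        absent |= attrs[i].req;
        if (used < len) {  /* snprintf keeps the name list inside the buffer */
            int n = snprintf(missing + used, len - used, "%s%s", used ? ", " : "", attrs[i].name);
            used += (n < 0) ? 0 : (size_t)n;  /* past len means truncated: stop appending */
        }
    }
    return absent;
}

/* Strict step-3 policy: any missing attribute fails the handshake instead of only
 * warning, since the connection would lack protection the caller asked for. */
int schannel_attrs_ok(unsigned long requested, unsigned long granted)
{
    char why[128];
    if (check_context_attrs(requested, granted, why, sizeof why) == 0) return 1;
    fprintf(stderr, "schannel: failed to setup %s\n", why);  /* wording as in the trace */
    return 0;
}
```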

Yang Tse | 20 Jun 2012 21:21

Re: schannel_connect_step3 failures

Marc Hoersken <info <at> marc-hoersken.de> wrote:

> I am pretty busy with final exams during the following weeks, so I
> would like to ask whether you or someone else could spend a little
> more research on this issue before simply ignoring the source of the
> actual problem. Thanks in advance, I would really appreciate it!

No intention to ignore it on this side. Actually I'm raising the issue
publicly, and listening to your recommendation of not disabling the
check.

Maybe Mark has some clues on this given that he might have access to a
broader variety of Win versions.

--

-- 
-=[Yang]=-

Salisbury, Mark | 21 Jun 2012 19:01

RE: schannel_connect_step3 failures

Yang, Marc, et al.,

>> I am worried that the flags change in your use cases. And I really don't like the
>> idea of ignoring or just warning about non-matching flags. 
>> ISC_RET_CONFIDENTIALITY, ISC_RET_REPLAY_DETECT and ISC_RET_SEQUENCE_DETECT 
>> are pretty important to make sure that the SSL connection is actually "secure". Why
>> would you want to communicate through an SSL connection that is actually not
>> secure? There should be some other way to fix this.

>> I am pretty busy with final exams during the following weeks, so I
>> would like to ask whether you or someone else could spend a little
>> more research on this issue before simply ignoring the source of the
>> actual problem. Thanks in advance, I would really appreciate it!

>No intention to ignore it on this side. Actually I'm raising the issue publicly, and listening to your
>recommendation of not disabling the check.

I loaded the URL Yang mentioned the problem with - https://www.digicert.com/ - without issues on WinXP and
Win7. I don't have a Win2k machine to duplicate the problem on.

MSDN says InitializeSecurityContext() with the flags we care about here are supported from Win2k onwards.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa375924(v=vs.85).aspx

One possibility is to disable the checks only on Win2k (something like #if WINVER <= 0x400).  I'd recommend
not making any change though until we learn more.  I tried a quick search of the web but did not find anything.

Mark


Yang Tse | 21 Jun 2012 19:16

Re: schannel_connect_step3 failures

Salisbury, Mark <mark.salisbury <at> hp.com> wrote:

> I'd recommend not making any change though until we learn more.

I fully agree on not relaxing the check. We have plenty of time before
release to investigate, and in any case, better safe than sorry.

--

-- 
-=[Yang]=-