
#1360 SSL regression in 7.36.0 on Amazon Linux

Status: closed-fixed
Milestone: None
Priority: 5
Updated: 2015-02-20
Created: 2014-04-16
Creator: Dan Rogers
Private: No

Upgrading CURL/libCURL from:

# rpm -qi curl
Name        : curl
Version     : 7.35.0
Release     : 2.42.amzn1
Architecture: x86_64
Install Date: Thu 10 Apr 2014 08:20:19 PM PDT
Group       : Applications/Internet
Size        : 534216
License     : MIT
Signature   : RSA/SHA256, Wed 26 Feb 2014 04:51:24 PM PST, Key ID bcb4a85b21c0f39f
Source RPM  : curl-7.35.0-2.42.amzn1.src.rpm
Build Date  : Wed 26 Feb 2014 04:48:55 PM PST
Build Host  : build-31004.build
Relocations : (not relocatable)
Packager    : Amazon.com, Inc. <http://aws.amazon.com>
Vendor      : Amazon.com
URL         : http://curl.haxx.se/
Summary     : A utility for getting files from remote servers (FTP, HTTP, and others)

To:

# rpm -qi libcurl
Name        : libcurl
Version     : 7.36.0
Release     : 2.44.amzn1
Architecture: x86_64
Install Date: Tue 15 Apr 2014 11:40:58 AM PDT
Group       : Development/Libraries
Size        : 455304
License     : MIT
Signature   : RSA/SHA256, Tue 08 Apr 2014 07:21:43 PM PDT, Key ID bcb4a85b21c0f39f
Source RPM  : curl-7.36.0-2.44.amzn1.src.rpm
Build Date  : Tue 08 Apr 2014 03:25:45 PM PDT
Build Host  : build-31003.build
Relocations : (not relocatable)
Packager    : Amazon.com, Inc. <http://aws.amazon.com>
Vendor      : Amazon.com
URL         : http://curl.haxx.se/
Summary     : A library for getting files from web servers

Results in the following error:

# curl -v https://s3.amazonaws.com/extimg.popsugar.com/mnt/ephemeral/var/www/files/tmp/2014/04/15/899/netimgEHu6tgWYXxQ0
* Hostname was NOT found in DNS cache
*   Trying 205.251.242.187...
* Connected to s3.amazonaws.com (205.251.242.187) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -8127 (SEC_ERROR_NO_TOKEN)
* The security card or token does not exist, needs to be initialized, or has been removed.
* Closing connection 0
curl: (35) The security card or token does not exist, needs to be initialized, or has been removed.

However, using SSLv3 works:

# curl -3 -v https://s3.amazonaws.com/extimg.popsugar.com/mnt/ephemeral/var/www/files/tmp/2014/04/15/899/netimgEHu6tgWYXxQ0
* Hostname was NOT found in DNS cache
*   Trying 54.231.1.40...
* Connected to s3.amazonaws.com (54.231.1.40) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*   subject: CN=s3.amazonaws.com,O=Amazon.com Inc.,L=Seattle,ST=Washington,C=US
*   start date: Apr 12 00:00:00 2014 GMT
*   expire date: Apr 13 23:59:59 2015 GMT
*   common name: s3.amazonaws.com
*   issuer: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US

Downgrading to curl 7.35.0 allows this to function again.

Discussion

  • NaHi

    NaHi - 2014-04-16

    Same for me. Curl 7.36 + libnss could have trouble?
    For me, curl/7.36.0 on AMI Linux gives me the error while connecting to s3-ap-northeast-1.amazonaws.com.

    [ec2-user@ip-172-31-20-184 ~]$ curl -v --url https://s3-ap-northeast-1.amazonaws.com/
    * Hostname was NOT found in DNS cache
    *   Trying 103.246.150.250...
    * Connected to s3-ap-northeast-1.amazonaws.com (103.246.150.250) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * NSS error -8127 (SEC_ERROR_NO_TOKEN)
    * The security card or token does not exist, needs to be initialized, or has been removed.
    * Closing connection 0
    curl: (35) The security card or token does not exist, needs to be initialized, or has been removed.

    But the edge server at 103.246.150.192 works fine.

    [ec2-user@ip-172-31-20-184 ~]$ curl -v --url https://s3-ap-northeast-1.amazonaws.com/
    * Hostname was NOT found in DNS cache
    *   Trying 103.246.150.192...
    * Connected to s3-ap-northeast-1.amazonaws.com (103.246.150.192) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using SSL_RSA_WITH_RC4_128_MD5
    * Server certificate:
    *   subject: CN=*.s3-ap-northeast-1.amazonaws.com,O=Amazon.com Inc.,L=Seattle,ST=Washington,C=US
    *   start date: 11月 07 00:00:00 2013 GMT
    *   expire date: 10月 25 23:59:59 2014 GMT
    *   common name: *.s3-ap-northeast-1.amazonaws.com
    *   issuer: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US

    > GET / HTTP/1.1
    ...

    curl 7.24 works fine against both servers.

    The difference between the servers is the 2nd intermediate CA cert.

    103.246.150.192
    Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
    SerialNumber: 35:97:31:87:f3:87:3a:07:32:7e:ce:58:0c:9b:7e:da

    103.246.150.242
    Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
    SerialNumber: 25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd

    The key is the same.

    Some path building problem?

  • Daniel Stenberg

    Daniel Stenberg - 2014-04-21

    I took it to the mailing list: http://curl.haxx.se/mail/lib-2014-04/0147.html

  • NaHi

    NaHi - 2014-04-22

    Daniel,

    I filed a ticket and AWS support reported to us that they provide a new curl package. Both curl binaries say 7.36.0, but the new one seems to be built with NSS 3.16 instead of 3.15.3.

    NG: curl 7.36.0 (x86_64-redhat-linux-gnu) libcurl/7.36.0 NSS/3.15.3 zlib/1.2.5 libidn/1.18 libssh2/1.4.2
    OK: curl 7.36.0 (x86_64-redhat-linux-gnu) libcurl/7.36.0 NSS/3.16 Basic ECC zlib/1.2.5 libidn/1.18 libssh2/1.4.2

    Try to upgrade the curl package. So far it works fine for me.
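A fleet check built on the two version lines above, as an added example that is not part of the curl project or of this ticket: it parses the first line of `curl -V` and flags a libcurl 7.36.0 build linked against NSS older than 3.16, the combination that produced SEC_ERROR_NO_TOKEN here. The regular expressions and the `check_local_curl` helper are assumptions of this example.

```python
import re
import subprocess

# Version lines quoted from this ticket: NG is the failing build, OK the fixed one.
NG_LINE = "curl 7.36.0 (x86_64-redhat-linux-gnu) libcurl/7.36.0 NSS/3.15.3 zlib/1.2.5 libidn/1.18 libssh2/1.4.2"
OK_LINE = "curl 7.36.0 (x86_64-redhat-linux-gnu) libcurl/7.36.0 NSS/3.16 Basic ECC zlib/1.2.5 libidn/1.18 libssh2/1.4.2"

def parse_version(text):
    """'3.15.3' -> (3, 15, 3); '3.16' is padded to (3, 16, 0) so tuples compare cleanly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_curl_version_line(line):
    """Extract libcurl and NSS versions from the first line of `curl -V`.

    Returns {"libcurl": (7, 36, 0), "nss": (3, 15, 3)}; "nss" is None when the
    build uses another TLS backend (OpenSSL, GnuTLS, ...)."""
    m = re.search(r"libcurl/(\d+(?:\.\d+)*)", line)
    if not m:
        raise ValueError("not a curl -V version line: %r" % line)
    info = {"libcurl": parse_version(m.group(1)), "nss": None}
    n = re.search(r"\bNSS/(\d+(?:\.\d+)*)", line)
    if n:
        info["nss"] = parse_version(n.group(1))
    return info

def is_affected(line):
    """True only for the combination seen in this ticket: libcurl 7.36.0 on NSS < 3.16."""
    info = parse_curl_version_line(line)
    if info["nss"] is None:   # non-NSS builds never report SEC_ERROR_NO_TOKEN
        return False
    return info["libcurl"] == (7, 36, 0) and info["nss"] < (3, 16, 0)

def check_local_curl():
    """Assumed helper: run the installed curl and return (version_line, affected)."""
    out = subprocess.run(["curl", "-V"], capture_output=True, text=True, check=True).stdout
    first = out.splitlines()[0]
    return first, is_affected(first)

if __name__ == "__main__":
    for label, line in (("NG", NG_LINE), ("OK", OK_LINE)):
        print(label, "affected" if is_affected(line) else "ok")
```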
  • Daniel Stenberg

    Daniel Stenberg - 2014-04-22

    Thanks NaHi for confirming this. We thus believe this is fixed with such a move. Dan Rogers, can you confirm this?

  • Daniel Stenberg

    Daniel Stenberg - 2014-04-22
    • status: open --> pending
    • assigned_to: Daniel Stenberg

  • Daniel Stenberg

    Daniel Stenberg - 2014-05-08

    No response. Possibly and hopefully fixed.

  • Daniel Stenberg

    Daniel Stenberg - 2014-05-08
    • status: pending --> closed-fixed