Mantis - curl
Viewing Issue Advanced Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
5098 regular use major always 2013-08-02 21:39 2013-12-14 17:38
Reporter: soladmin Platform:  
Assigned To: dam OS:  
Priority: normal OS Version:  
Status: closed Product Version:  
Product Build: Resolution: fixed  
Projection: none      
ETA: none Fixed in Version:  
Summary: 0005098: curl fails to connect to any site over SSL
Description: Solaris 10 using opencsw's kiel repository. Curl always fails when connecting to any system using SSL.


# curl -v https://google.com/ [^]
* About to connect() to google.com port 443 (#0)
* Trying 173.194.46.32...
* connected
* Connected to google.com (173.194.46.32) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /opt/csw/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* error:800960A0:lib(128):PK11_DIGEST_COPY:C_GetOperationState failed
* Closing connection #0
curl: (35) error:800960A0:lib(128):PK11_DIGEST_COPY:C_GetOperationState failed
Steps To Reproduce:
Additional Information: package installed catalog
CSWcacertificates 20120511,REV=2012.05.11 SAME
CSWcas-migrateconf 1.47,REV=2012.02.14 SAME
CSWcas-preserveconf 1.49,REV=2013.03.13 SAME
CSWcommon 1.5,REV=2010.12.11 SAME
CSWcurl 7.28.1,REV=2013.05.12 SAME
CSWggettext-data 0.18.1.1,p,REV=2011.03.15 SAME
CSWiconv 1.14,REV=2011.08.08 SAME
CSWisaexec 0.2,REV=2009.03.26 SAME
CSWlibcharset1 1.14,REV=2011.08.07 SAME
CSWlibcurl4 7.28.1,REV=2013.05.12 SAME
CSWlibiconv2 1.14,REV=2011.08.07 SAME
CSWlibidn11 1.26,REV=2013.01.01 SAME
CSWlibintl8 0.18.1.1,p,REV=2011.03.15 SAME
CSWlibssl1-0-0 1.0.1e,REV=2013.03.30 SAME
CSWlibz1 1.2.7,REV=2012.06.14 SAME
CSWpkgutil 2.6.5,REV=2012.08.15 SAME
CSWtop 3.8beta1,REV=2011.11.23 SAME
Relationships
Attached Files:
Issue History
Date Modified Username Field Change
2013-08-02 21:39 soladmin New Issue
2013-08-05 10:50 dam Status new => assigned
2013-08-05 10:50 dam Assigned To => dam
2013-08-05 11:01 dam Note Added: 0010511
2013-08-05 21:19 dam Note Added: 0010514
2013-08-05 21:19 dam Status assigned => confirmed
2013-08-05 21:33 dam Note Added: 0010515
2013-08-07 20:56 yann Note Added: 0010516
2013-08-07 20:57 yann Issue Monitored: yann
2013-08-07 23:45 yann Note Added: 0010517
2013-08-07 23:55 soladmin Note Added: 0010518
2013-12-14 17:38 dam Status confirmed => closed
2013-12-14 17:38 dam Resolution open => fixed

Notes
(0010511)
dam   
2013-08-05 11:01   
I just verified with unstable and it also fails to connect:


dam@login [login]:/home/dam > curl -v https://google.com [^]
* About to connect() to google.com port 443 (#0)
* Trying 74.125.136.138...
* connected
* Connected to google.com (74.125.136.138) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /opt/csw/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* Unknown SSL protocol error in connection to google.com:443
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to google.com:443
zsh: 13637 exit 35 curl -v https://google.com [^]

However, there are also other issues reported against OpenSSL 1.0 bindings, so these may be related.
(0010514)
dam   
2013-08-05 21:19   
I just talked to Yann who maintains our OpenSSL package and it turns out the issue is indeed related
to OpenSSL and it only seems to occur on Sparc.
(0010515)
dam   
2013-08-05 21:33   
Until the issue is resolved you can add --sslv3 as a workaround
(0010516)
yann   
2013-08-07 20:56   
I tracked the origin of the problem in the patch applied to enable the pkcs11 engine.

I don't know exactly why it causes some failures and it will takes some time to find out, so I will release shortly a new version of the openssl package with pkcs11 engine disabled under sparc.

I'll keep you updated.

Yann
(0010517)
yann   
2013-08-07 23:45   
Could you try the following packages in my experimental repository and tell me if it works ?
http://buildfarm.opencsw.org/opencsw/experimental/yann/sparc/5.10/libssl1_0_0-1.0.1e,REV=2013.08.07-SunOS5.10-sparc-CSW.pkg.gz [^]
http://buildfarm.opencsw.org/opencsw/experimental/yann/sparc/5.10/libssl_dev-1.0.1e,REV=2013.08.07-SunOS5.10-sparc-CSW.pkg.gz [^]
http://buildfarm.opencsw.org/opencsw/experimental/yann/sparc/5.10/openssl_utils-1.0.1e,REV=2013.08.07-SunOS5.10-sparc-CSW.pkg.gz [^]
(0010518)
soladmin   
2013-08-07 23:55   
I installed the new patches you list, and they fix the problem I was encountering. Thanks for working on this!