0004931: "git clone https: ..." fails: Request to upgrade OpenSSL to 1.0.0h or newer.

(0009789)
maciej (reporter)
2012-04-02 18:07

Could it be the issue of simply installing libcurl_feature?

(0009791)
zephyrus00jp (reporter)
2012-04-04 09:18

I will look into it. But the log message is not mentioning any missing modules, etc. Hmm...

(0009792)
zephyrus00jp (reporter)
2012-04-04 16:36

I think it was libssl_feature instead of libcurl_feature.

Still no go.

Here is the ldd output of /opt/csw/bin/curl:

ldd /opt/csw/bin/curl
        libcurl.so.4 => /opt/csw/lib/libcurl.so.4
        libidn.so.11 => /opt/csw/lib/libidn.so.11
        libssl.so.0.9.8 => /opt/csw/lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 => /opt/csw/lib/libcrypto.so.0.9.8
        libsocket.so.1 => /lib/libsocket.so.1
        libnsl.so.1 => /lib/libnsl.so.1
        libz.so.1 => /opt/csw/lib/libz.so.1
        libc.so.1 => /lib/libc.so.1
        libintl.so.8 => /opt/csw/lib/libintl.so.8
        libiconv.so.2 => /opt/csw/lib/libiconv.so.2
        libdl.so.1 => /lib/libdl.so.1
        libmp.so.2 => /lib/libmp.so.2
        libmd.so.1 => /lib/libmd.so.1
        libscf.so.1 => /lib/libscf.so.1
        libdoor.so.1 => /lib/libdoor.so.1
        libuutil.so.1 => /lib/libuutil.so.1
        libgen.so.1 => /lib/libgen.so.1
        libcurl-feature.so.4 => /opt/csw/lib/libcurl-feature.so.4
        libfbopenssl.so.0 => /opt/csw/lib/libfbopenssl.so.0
        libcares.so.2 => /opt/csw/lib/libcares.so.2
        libssh2.so.1 => /opt/csw/lib/libssh2.so.1
        liblber-2.4.so.2 => /opt/csw/lib/liblber-2.4.so.2
        libldap-2.4.so.2 => /opt/csw/lib/libldap-2.4.so.2
        librtmp.so.0 => /opt/csw/lib/librtmp.so.0
        libresolv.so.2 => /lib/libresolv.so.2
        libsasl2.so.2 => /opt/csw/lib/libsasl2.so.2
        libm.so.2 => /lib/libm.so.2
zephyr@zephyrus:~/repos$

zephyr@zephyrus:~/repos$ /opt/csw/bin/curl --version
curl 7.24.0 (i386-pc-solaris2.9) libcurl/7.24.0 OpenSSL/0.9.8t zlib/1.2.5 c-ares/1.7.5 libidn/1.24 libssh2/1.3.0 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SPNEGO SSL libz
zephyr@zephyrus:~/repos$

I wonder what makes the difference between the installation under solaris10
and the working linux version.
All I could see is that linux uses openssl 1.0.0h while solaris installation
uses openssl-0.9.8t.

TIA

(0009793)
zephyrus00jp (reporter)
2012-04-05 06:04

On a different LINUX PC where git clone https: ... worked,
I found that it uses OpenSSL/0.9.8o (!).

I can't see what is wrong now.

curl --version
curl 7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.6 libidn/1.23 libssh2/1.2.6
Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
userid@debian-vbox-userid:/extra/userid/download/repos$ ls /usr/lib/libcurl*
/usr/lib/libcurl.so.3@ /usr/lib/libcurl.so.4@ /usr/lib/libcurl.so.4.2.0
userid@debian-vbox-userid:/extra/userid/download/repos$

all I can say is that
git invokes git -> git-remote-https -> uses curl and friends (of course, SSL related), and then fails on Solaris.
If the binaries are not the culprit, maybe the CA-certificate data is
not quite complete? I will dig into it.

(0009794)
zephyrus00jp (reporter)
2012-04-10 05:19

I am still trying to figure out.
One thing that looks odd is that
solaris log doesn't show any key exchange sequences.
I wonder if there is some kind of protocol mismatch somewhere that can be changed by configuration changes.

Solaris failure log (excerpted near the beginning) from

Connected to bitbucket.org (207.223.240.182) port 443 (#0)
* SSL: couldn't set callback!
* successfully set certificate verify locations:
* CAfile: none
  CApath: /opt/csw/ssl/certs
* WARNING: failed to configure server name indication (SNI) TLS extension
  ??? key exchange is missing here in comparison to linux dump ...???
* SSL connection using AES256-SHA

Linux log :

* Connected to bitbucket.org (207.223.240.182) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:

Since log messages may vary between different versions, I think I really should home in "couldn't set callback!" problem.

I tried installing openssl 1.0.0, and replaced the dynamic library, but still no go. Then I realize that OpenSSL API may not be binary compatible between 1.0.0 and previous versions.

So I may have to re-install from source
- openssl 1.0.0
- libcurl
- git
and try if the combination fixes the issue.
Stay tuned...

(0009844)
yann (manager)
2012-04-29 19:41

Hi,

Is your problem still current ?

If it's the case, could you run the command that failed with truss:
truss -o /tmp/truss.out -f command

and attach the truss output (truss.out) to this bug ?

Yann

(0009852)
zephyrus00jp (reporter)
2012-05-06 19:27

Sorry, I didn't notice this follow-up: I am on a business trip until 13 May, and
once I get back. I will send the truss log output.

As far as I can tell though, there was no easily-to-spot smoking gun.
(Or that the log output between different versions seem to be different enough to
make the comparison rather difficult. But again, someone familiar with curl and ssl code may be able to spot the strange part immediately.)

TIA

(0009865)
yann (manager)
2012-05-17 12:58

Hi zephyrus,

Seems you didn't have the time to send the log yet :)

For information, I just released openssl 1.0.1 in the unstable repository, but git need to be rebuilt with it so you can test if openssl is the problem.
You may want to open a bug in our bugtracker in the git project.

(0009866)
zephyrus00jp (reporter)
2012-05-17 18:30

Sorry, I will try the new built of libraries against your 1.0.1 ssl, thank you, over the weekend. (Got back from the trip but so many e-mails / tasks to catch up.).

(0010085)
yann (manager)
2012-08-07 23:39

No news, good news ?

(0010100)
yann (manager)
2012-08-26 12:39

Hi Zephyrus,

I will soon close the bug.
Keep updated if you have some more information.

Don't worry, you can always open a new bug later if necessary.

Yann

(0010154)
yann (manager)
2012-10-02 21:38

I am closing this bug.
Feel free to reopen a new one if necessary.

Notes
(0009789) maciej (reporter) 2012-04-02 18:07	Could it be the issue of simply installing libcurl_feature?

(0009791) zephyrus00jp (reporter) 2012-04-04 09:18	I will look into it. But the log message is not mentioning any missing modules, etc. Hmm...

(0009792) zephyrus00jp (reporter) 2012-04-04 16:36	I think it was libssl_feature instead of libcurl_feature. Still no go. Here is the ldd output of /opt/csw/bin/curl: ldd /opt/csw/bin/curl libcurl.so.4 => /opt/csw/lib/libcurl.so.4 libidn.so.11 => /opt/csw/lib/libidn.so.11 libssl.so.0.9.8 => /opt/csw/lib/libssl.so.0.9.8 libcrypto.so.0.9.8 => /opt/csw/lib/libcrypto.so.0.9.8 libsocket.so.1 => /lib/libsocket.so.1 libnsl.so.1 => /lib/libnsl.so.1 libz.so.1 => /opt/csw/lib/libz.so.1 libc.so.1 => /lib/libc.so.1 libintl.so.8 => /opt/csw/lib/libintl.so.8 libiconv.so.2 => /opt/csw/lib/libiconv.so.2 libdl.so.1 => /lib/libdl.so.1 libmp.so.2 => /lib/libmp.so.2 libmd.so.1 => /lib/libmd.so.1 libscf.so.1 => /lib/libscf.so.1 libdoor.so.1 => /lib/libdoor.so.1 libuutil.so.1 => /lib/libuutil.so.1 libgen.so.1 => /lib/libgen.so.1 libcurl-feature.so.4 => /opt/csw/lib/libcurl-feature.so.4 libfbopenssl.so.0 => /opt/csw/lib/libfbopenssl.so.0 libcares.so.2 => /opt/csw/lib/libcares.so.2 libssh2.so.1 => /opt/csw/lib/libssh2.so.1 liblber-2.4.so.2 => /opt/csw/lib/liblber-2.4.so.2 libldap-2.4.so.2 => /opt/csw/lib/libldap-2.4.so.2 librtmp.so.0 => /opt/csw/lib/librtmp.so.0 libresolv.so.2 => /lib/libresolv.so.2 libsasl2.so.2 => /opt/csw/lib/libsasl2.so.2 libm.so.2 => /lib/libm.so.2 zephyr@zephyrus:~/repos$ zephyr@zephyrus:~/repos$ /opt/csw/bin/curl --version curl 7.24.0 (i386-pc-solaris2.9) libcurl/7.24.0 OpenSSL/0.9.8t zlib/1.2.5 c-ares/1.7.5 libidn/1.24 libssh2/1.3.0 librtmp/2.3 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SPNEGO SSL libz zephyr@zephyrus:~/repos$ I wonder what makes the difference between the installation under solaris10 and the working linux version. All I could see is that linux uses openssl 1.0.0h while solaris installation uses openssl-0.9.8t. TIA

(0009793) zephyrus00jp (reporter) 2012-04-05 06:04	On a different LINUX PC where git clone https: ... worked, I found that it uses OpenSSL/0.9.8o (!). I can't see what is wrong now. curl --version curl 7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.6 libidn/1.23 libssh2/1.2.6 Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz userid@debian-vbox-userid:/extra/userid/download/repos$ ls /usr/lib/libcurl* /usr/lib/libcurl.so.3@ /usr/lib/libcurl.so.4@ /usr/lib/libcurl.so.4.2.0 userid@debian-vbox-userid:/extra/userid/download/repos$ all I can say is that git invokes git -> git-remote-https -> uses curl and friends (of course, SSL related), and then fails on Solaris. If the binaries are not the culprit, maybe the CA-certificate data is not quite complete? I will dig into it.

(0009794) zephyrus00jp (reporter) 2012-04-10 05:19	I am still trying to figure out. One thing that looks odd is that solaris log doesn't show any key exchange sequences. I wonder if there is some kind of protocol mismatch somewhere that can be changed by configuration changes. Solaris failure log (excerpted near the beginning) from Connected to bitbucket.org (207.223.240.182) port 443 (#0) * SSL: couldn't set callback! * successfully set certificate verify locations: * CAfile: none CApath: /opt/csw/ssl/certs * WARNING: failed to configure server name indication (SNI) TLS extension ??? key exchange is missing here in comparison to linux dump ...??? * SSL connection using AES256-SHA Linux log : * Connected to bitbucket.org (207.223.240.182) port 443 (#0) * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using AES256-SHA * Server certificate: Since log messages may vary between different versions, I think I really should home in "couldn't set callback!" problem. I tried installing openssl 1.0.0, and replaced the dynamic library, but still no go. Then I realize that OpenSSL API may not be binary compatible between 1.0.0 and previous versions. So I may have to re-install from source - openssl 1.0.0 - libcurl - git and try if the combination fixes the issue. Stay tuned...

(0009844) yann (manager) 2012-04-29 19:41	Hi, Is your problem still current ? If it's the case, could you run the command that failed with truss: truss -o /tmp/truss.out -f command and attach the truss output (truss.out) to this bug ? Yann

(0009852) zephyrus00jp (reporter) 2012-05-06 19:27	Sorry, I didn't notice this follow-up: I am on a business trip until 13 May, and once I get back. I will send the truss log output. As far as I can tell though, there was no easily-to-spot smoking gun. (Or that the log output between different versions seem to be different enough to make the comparison rather difficult. But again, someone familiar with curl and ssl code may be able to spot the strange part immediately.) TIA

(0009865) yann (manager) 2012-05-17 12:58	Hi zephyrus, Seems you didn't have the time to send the log yet :) For information, I just released openssl 1.0.1 in the unstable repository, but git need to be rebuilt with it so you can test if openssl is the problem. You may want to open a bug in our bugtracker in the git project.

(0009866) zephyrus00jp (reporter) 2012-05-17 18:30	Sorry, I will try the new built of libraries against your 1.0.1 ssl, thank you, over the weekend. (Got back from the trip but so many e-mails / tasks to catch up.).

(0010085) yann (manager) 2012-08-07 23:39	No news, good news ?

(0010100) yann (manager) 2012-08-26 12:39	Hi Zephyrus, I will soon close the bug. Keep updated if you have some more information. Don't worry, you can always open a new bug later if necessary. Yann

(0010154) yann (manager) 2012-10-02 21:38	I am closing this bug. Feel free to reopen a new one if necessary.

Relationships

OpenCSW Bug Tracker