Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

mbedTLS 3.6.0 breaks curl #13653

Closed
bagder opened this issue May 15, 2024 · 4 comments
Closed

mbedTLS 3.6.0 breaks curl #13653

bagder opened this issue May 15, 2024 · 4 comments

Comments

@bagder
Copy link
Member

bagder commented May 15, 2024

I did this

#13646 tried to upgrade the mbedTLS CI jobs to use version 3.6.0

This caused numerous failed CI jobs.

I expected the following

green builds

curl/libcurl version

curl master

operating system

on Linux, but probably a universal problem

@bagder bagder added the TLS label May 15, 2024
@jay
Copy link
Member

jay commented May 15, 2024

for the failed tests it looks as though stunnel server is sending a tls alert of bad certificate. (it's not clear to me if it's sending or receiving the alert)

https://github.com/curl/curl/actions/runs/9086442477/job/24972131840#step:35:1170

 2024.05.14 21:33:45 LOG5[ui]: stunnel 5.63 on x86_64-pc-linux-gnu platform
 2024.05.14 21:33:45 LOG5[ui]: Compiled/running with OpenSSL 3.0.2 15 Mar 2022
 2024.05.14 21:33:45 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,OCSP,PSK,SNI Auth:LIBWRAP
 2024.05.14 21:33:45 LOG5[ui]: Reading configuration from file /home/runner/work/curl/curl/tests/log/server/https_stunnel.conf
 2024.05.14 21:33:45 LOG5[ui]: UTF-8 byte order mark not detected
 2024.05.14 21:33:45 LOG5[ui]: FIPS mode disabled
 2024.05.14 21:33:45 LOG5[ui]: Configuration successful
 2024.05.14 21:33:45 LOG5[ui]: Binding service [curltest] to :::38897: Address already in use (98)
 2024.05.14 21:33:46 LOG5[0]: Service [curltest] accepted connection from 127.0.0.1:36328
 2024.05.14 21:33:46 LOG3[0]: SSL_accept: ../ssl/record/rec_layer_s3.c:1584: error:0A000412:SSL routines::sslv3 alert bad certificate
 2024.05.14 21:33:46 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

I can't reproduce in Linux however I did not copy the CI job configuration.

I built mbedtls like this:

curl -OL https://github.com/Mbed-TLS/mbedtls/releases/download/v3.6.0/mbedtls-3.6.0.tar.bz2
tar -xf mbedtls-3.6.0.tar.bz2
cd mbedtls-3.6.0/
LDFLAGS="-Wl,--enable-new-dtags -Wl,-rpath,/usr/local/lib" make SHARED=1
sudo make install

I built curl like LDFLAGS=... ./configure ... --enable-debug --without-openssl --with-mbedtls=/usr/local, make and then ran the full test suite, 100% ok.

@icing
Copy link
Contributor

icing commented May 31, 2024

Build with 3.6.0. First test failing is 300, log shows:

ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

Opened issue at mbedTLS: Mbed-TLS/mbedtls#9210

Update: this seems to only fail for connections with verifypeer == FALSE and looks like a bug in mbedTLS TLSv1.3 handling of such a setup.

Update2: "We don't support disabling server authentication in TLS 1.3." 🤓

@icing
Copy link
Contributor

icing commented May 31, 2024

Made #13838 with workarounds to test fine locally. Let's see what CI says.

@jay
Copy link
Member

jay commented May 31, 2024

Made #13838 with workarounds to test fine locally. Let's see what CI says.

Thanks for looking into this. IMO these are mbedtls bugs and I think we should wait and see what they are going to do about them instead of patching curl. In other words, if they intend to fix the problems then I don't think the workarounds should go in. Hats off to you though for figuring some out. Also- I don't understand why curl passes all tests for me with 3.6.0 if it was intended behavior on their part.

@bagder bagder closed this as completed in 5f9017d Jun 4, 2024
jqyisbest added a commit to jqyisbest/ShellClash that referenced this issue Jun 16, 2024
鉴于近期curl中采用的mbedTLS 3.6.0可能导致curl无法正常工作(curl/curl#13653
jqyisbest added a commit to jqyisbest/ShellClash that referenced this issue Jun 16, 2024
鉴于近期curl中采用的[mbedTLS 3.6.0可能导致curl无法正常工作](curl/curl#13653
jqyisbest added a commit to jqyisbest/ShellClash that referenced this issue Jun 16, 2024
鉴于近期curl中采用的[mbedTLS 3.6.0可能导致curl无法正常工作](curl/curl#13653
jqyisbest added a commit to jqyisbest/ShellClash that referenced this issue Jun 16, 2024
鉴于近期curl中采用的mbedTLS 3.6.0可能导致curl无法正常工作(curl/curl#13653
Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 18, 2024
tlsv1.3 support is broken in curl 8.8.0 with mbedtls 3.6.0.
See curl/curl#13653 and Mbed-TLS/mbedtls#9210 for more details.
A workaround was implemented in upsteam codes, see
curl/curl@0c4b4c1
and curl/curl@5f9017d
This snapshot contains all the commits above.

Fixes openwrt#24365 openwrt#24386

Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 18, 2024
tlsv1.3 support is broken in curl 8.8.0 with mbedtls 3.6.0.
See curl/curl#13653 and Mbed-TLS/mbedtls#9210 for more details.
A workaround was implemented in upsteam codes, see
curl/curl@0c4b4c1 and curl/curl@5f9017d
This snapshot contains all the commits above.

Fixes openwrt#24365 openwrt#24386

Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 19, 2024
tlsv1.3 support is broken in curl 8.8.0 with mbedtls 3.6.0.
See curl/curl#13653 and Mbed-TLS/mbedtls#9210 for more details.
A workaround was implemented in upsteam code, see curl/curl@0c4b4c1 and curl/curl@5f9017d
This commit includes patches generated from upstream commits.

fix openwrt#24365 openwrt#24386

Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 19, 2024
tlsv1.3 support is broken in curl 8.8.0 with mbedtls 3.6.0.
See curl/curl#13653 and Mbed-TLS/mbedtls#9210 for more details.
A workaround was implemented in upsteam code, see curl/curl@0c4b4c1 and curl/curl@5f9017d
This commit includes patches generated from upstream commits.

fix openwrt#24365 openwrt#24386

Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 19, 2024
tlsv1.3 support is broken in curl 8.8.0 with mbedtls 3.6.0.
See curl/curl#13653 and Mbed-TLS/mbedtls#9210 for more details.
A workaround was implemented in upsteam code, see curl/curl@0c4b4c1 and curl/curl@5f9017d
This commit includes patches generated from upstream commits.

fix openwrt#24365 openwrt#24386

Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 20, 2024
tlsv1.3 support is broken in curl 8.8.0 with mbedtls 3.6.0.
See curl/curl#13653 and Mbed-TLS/mbedtls#9210 for more details.
A workaround was implemented in upsteam code, see curl/curl@0c4b4c1 and curl/curl@5f9017d
This commit includes patches generated from upstream commits.

fix openwrt#24365 openwrt#24386

Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 21, 2024
tlsv1.3 support is broken in curl 8.8.0 with mbedtls 3.6.0.
See curl/curl#13653 and Mbed-TLS/mbedtls#9210 for more details.
A workaround was implemented in upsteam code, see curl/curl@0c4b4c1 and curl/curl@5f9017d
This commit includes patches generated from upstream commits.

fix openwrt#24365 openwrt#24386

Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
sergio-nsk pushed a commit to snxd/curl that referenced this issue Jul 9, 2024
- add special sauce to disable unwanted peer verification by mbedtls
  when negotiating TLS v1.3
- add special sauce for MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET
  return code on *writing* TLS data. We assume the data had not been
  written and EAGAIN.
- return correct Curl error code when peer verification failed.
- disable test_08_05 with 50 HTTP/1.1 connections, as mbedtls reports a
  memory allocation failed during handshake.
- bump CI mbedtls version to 3.6.0

Fixes curl#13653
Closes curl#13838
liudf0716 pushed a commit to liudf0716/packages that referenced this issue Jul 10, 2024
tlsv1.3 support is broken in curl 8.8.0 with mbedtls 3.6.0.
See curl/curl#13653 and Mbed-TLS/mbedtls#9210 for more details.
A workaround was implemented in upsteam code, see curl/curl@0c4b4c1 and curl/curl@5f9017d
This commit includes patches generated from upstream commits.

fix openwrt#24365 openwrt#24386

Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

No branches or pull requests

3 participants