mbedTLS 3.6.0 breaks curl #13653

Closed
bagder opened this issue May 15, 2024 · 4 comments
Comments

@bagder
Member

bagder commented May 15, 2024

I did this

#13646 tried to upgrade the mbedTLS CI jobs to use version 3.6.0

This caused numerous failed CI jobs.

I expected the following

green builds

curl/libcurl version

curl master

operating system

on Linux, but probably a universal problem

@bagder bagder added the TLS label May 15, 2024
@jay
Member

jay commented May 15, 2024

For the failed tests it looks as though the stunnel server is sending a TLS alert of bad certificate. (It's not clear to me if it's sending or receiving the alert.)

https://github.com/curl/curl/actions/runs/9086442477/job/24972131840#step:35:1170

 2024.05.14 21:33:45 LOG5[ui]: stunnel 5.63 on x86_64-pc-linux-gnu platform
 2024.05.14 21:33:45 LOG5[ui]: Compiled/running with OpenSSL 3.0.2 15 Mar 2022
 2024.05.14 21:33:45 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,OCSP,PSK,SNI Auth:LIBWRAP
 2024.05.14 21:33:45 LOG5[ui]: Reading configuration from file /home/runner/work/curl/curl/tests/log/server/https_stunnel.conf
 2024.05.14 21:33:45 LOG5[ui]: UTF-8 byte order mark not detected
 2024.05.14 21:33:45 LOG5[ui]: FIPS mode disabled
 2024.05.14 21:33:45 LOG5[ui]: Configuration successful
 2024.05.14 21:33:45 LOG5[ui]: Binding service [curltest] to :::38897: Address already in use (98)
 2024.05.14 21:33:46 LOG5[0]: Service [curltest] accepted connection from 127.0.0.1:36328
 2024.05.14 21:33:46 LOG3[0]: SSL_accept: ../ssl/record/rec_layer_s3.c:1584: error:0A000412:SSL routines::sslv3 alert bad certificate
 2024.05.14 21:33:46 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

I can't reproduce on Linux; however, I did not copy the CI job configuration.

I built mbedtls like this:

# download and unpack the mbedTLS 3.6.0 release tarball
curl -OL https://github.com/Mbed-TLS/mbedtls/releases/download/v3.6.0/mbedtls-3.6.0.tar.bz2
tar -xf mbedtls-3.6.0.tar.bz2
cd mbedtls-3.6.0/
# build shared libraries with an rpath pointing at the install prefix, then install
LDFLAGS="-Wl,--enable-new-dtags -Wl,-rpath,/usr/local/lib" make SHARED=1
sudo make install

I built curl like LDFLAGS=... ./configure ... --enable-debug --without-openssl --with-mbedtls=/usr/local, then make, and then ran the full test suite: 100% OK.

@icing
Contributor

icing commented May 31, 2024

Built with 3.6.0. The first failing test is 300; the log shows:

ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

Opened issue at mbedTLS: Mbed-TLS/mbedtls#9210

Update: this seems to only fail for connections with verifypeer == FALSE and looks like a bug in mbedTLS TLSv1.3 handling of such a setup.

Update2: "We don't support disabling server authentication in TLS 1.3." 🤓

@icing
Contributor

icing commented May 31, 2024

Made #13838 with workarounds to test fine locally. Let's see what CI says.

@jay
Member

jay commented May 31, 2024

Made #13838 with workarounds to test fine locally. Let's see what CI says.

Thanks for looking into this. IMO these are mbedtls bugs and I think we should wait and see what they are going to do about them instead of patching curl. In other words, if they intend to fix the problems then I don't think the workarounds should go in. Hats off to you though for figuring some out. Also, I don't understand why curl passes all tests for me with 3.6.0 if it was intended behavior on their part.

@bagder bagder closed this as completed in 5f9017d Jun 4, 2024
Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 18, 2024
tlsv1.3 support is broken in curl 8.8.0 with mbedtls 3.6.0.
See curl/curl#13653 and Mbed-TLS/mbedtls#9210 for more details.
A workaround was implemented in upstream code, see
curl/curl@0c4b4c1
and curl/curl@5f9017d
This snapshot contains all the commits above.

Fixes openwrt#24365 openwrt#24386

Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 19, 2024
tlsv1.3 support is broken in curl 8.8.0 with mbedtls 3.6.0.
See curl/curl#13653 and Mbed-TLS/mbedtls#9210 for more details.
A workaround was implemented in upstream code, see curl/curl@0c4b4c1 and curl/curl@5f9017d
This commit includes patches generated from upstream commits.

fix openwrt#24365 openwrt#24386

Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
sergio-nsk pushed a commit to snxd/curl that referenced this issue Jul 9, 2024
- add special sauce to disable unwanted peer verification by mbedtls
  when negotiating TLS v1.3
- add special sauce for MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET
  return code on *writing* TLS data. We assume the data had not been
  written and EAGAIN.
- return correct Curl error code when peer verification failed.
- disable test_08_05 with 50 HTTP/1.1 connections, as mbedtls reports a
  memory allocation failed during handshake.
- bump CI mbedtls version to 3.6.0

Fixes curl#13653
Closes curl#13838
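As an added illustration of the error-code handling this commit message describes (not curl's or mbedTLS's own code, and not covering the TLS 1.3 peer-verification part): a handshake result mapped to its own peer-verification status, and a write wrapper that treats MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET as "nothing written, try again". The MBEDTLS_ERR_* values, the tls_status names and the fake_write_* stand-ins are assumptions defined locally so it runs without mbedTLS installed.

```c
/* Added illustration (not curl's or mbedTLS's own code) of the error-code
 * handling described in the commit message above. The MBEDTLS_ERR_* values
 * match the mbedTLS 3.x headers (-0x2700 is also quoted in the log above)
 * and are defined here only so this file builds without mbedTLS installed. */
#include <stddef.h>
#ifndef MBEDTLS_ERR_SSL_WANT_READ
#define MBEDTLS_ERR_SSL_WANT_READ                   (-0x6900)
#define MBEDTLS_ERR_SSL_WANT_WRITE                  (-0x6880)
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED         (-0x2700)
#define MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET (-0x7B00)
#endif

/* Caller-facing outcomes (hypothetical names, not libcurl's CURLE_* codes). */
typedef enum { TLS_OK, TLS_AGAIN, TLS_PEER_FAILED_VERIFICATION,
               TLS_CONNECT_ERROR } tls_status;

static int would_block(int ret)
{
  return ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE;
}

/* Map the result of mbedtls_ssl_handshake(): a peer-verification failure gets
 * its own status instead of being folded into a generic connect error. */
tls_status classify_handshake(int ret)
{
  if (ret == 0) return TLS_OK;
  if (would_block(ret)) return TLS_AGAIN;
  if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) return TLS_PEER_FAILED_VERIFICATION;
  return TLS_CONNECT_ERROR;
}
/* Seam standing in for mbedtls_ssl_write() so the policy can run offline. */
typedef int (*ssl_write_fn)(void *ssl, const unsigned char *buf, size_t len);
/* Write with the 3.6.0 workaround: a NewSessionTicket arriving on the write
 * path is not a failure; assume nothing was sent and report "0 bytes, retry",
 * exactly as for WANT_READ/WANT_WRITE. */
tls_status tls_send(ssl_write_fn w, void *ssl, const unsigned char *buf,
                    size_t len, size_t *written)
{
  int ret = w(ssl, buf, len);
  *written = ret >= 0 ? (size_t)ret : 0;
  if (ret >= 0) return TLS_OK;
  if (would_block(ret) || ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET)
    return TLS_AGAIN;
  return TLS_CONNECT_ERROR;
}
/* Constructed stand-ins for mbedtls_ssl_write(), used to exercise tls_send(). */
int fake_write_ticket(void *ssl, const unsigned char *buf, size_t len)
{ (void)ssl; (void)buf; (void)len; return MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET; }
int fake_write_all(void *ssl, const unsigned char *buf, size_t len)
{ (void)ssl; (void)buf; return (int)len; }
```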