"--tls1.2" flag causes connection to fail in macOS starting with curl 7.54.0 #1703
How are you building curl with darwin ssl? Can you show me the actual config line and make line?
Built and installed as follows:
Ok. Would you mind running an automated bisect? It should take very little of your time. Here is the bisect script:

```bash
#!/bin/bash
# Sample script to run an automated bisect.
#
# Refer to https://github.com/curl/curl/wiki/how-to-git-bisect
#
# Put this file in the curl repo as a.sh
#
# git bisect start master curl-7_53_1
# git bisect run ./a.sh

# if git clean fails then bisect skip
# warning: this removes all untracked directories and files except a.sh
# enable if you experience unexplained autotools build problems
#git clean -fdx -e a.sh || exit 125

# if buildconf fails then bisect skip
./buildconf || exit 125

# if configure fails then bisect skip
./configure --disable-shared \
  --enable-debug \
  --enable-maintainer-mode \
  --with-darwinssl \
  || exit 125

# if make fails then bisect skip
make || exit 125

# if curl version fails then bisect skip
src/curl -V || exit 125

# Test for issue 1703:
# "--tls1.2" flag causes connection to fail in macOS starting with curl 7.54.0
# https://github.com/curl/curl/issues/1703
#
# if curl fails due to error 35 (unsupported max version) then bisect bad
# if curl fails due to a different error then bisect skip
src/curl --tlsv1.2 https://tlstest.paypal.com/
rc=$?
if (( $rc == 35 )); then exit 1; elif (( $rc != 0 )); then exit 125; fi

# bisect good
exit 0
```
I ran the bisect, but unfortunately there was a chunk of commits that couldn't be tested because of the following compilation error:
Here's the final output:
If I can figure out how to fix the compilation error then I can re-run the bisect.
I believe this little fix is all that's needed: --- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1073,11 +1073,12 @@ CF_INLINE bool is_file(const char *filename)
return S_ISREG(st.st_mode);
return false;
}
#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
-static CURLcode darwinssl_version_from_curl(long *darwinver, long ssl_version)
+static CURLcode darwinssl_version_from_curl(SSLProtocol *darwinver,
+ long ssl_version)
{
switch(ssl_version) {
case CURL_SSLVERSION_TLSv1_0:
*darwinver = kTLSProtocol1;
return CURLE_OK; |
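Review bot: in the new `darwinssl_version_from_curl(SSLProtocol *darwinver, ...)` signature, nothing in this hunk shows the call sites, so it cannot be told from here whether every caller now passes the address of an `SSLProtocol` variable rather than a `long`. Please confirm the callers' declarations match, and consider a short comment above the function stating that `darwinver` must point at an `SSLProtocol`, since the function stores through it (`*darwinver = kTLSProtocol1;`) and a width mismatch between the pointer type and the caller's variable is easy to reintroduce.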
... which made --tlsv1.2 not work because it would blank the max tls version variable. Reported-by: Nick Miyake Bug: #1703
Thanks, this patch allowed me to run the bisect to completion! Here's the result of the bisect:
I also confirmed manually that the commit immediately before this (with the patch applied) does work correctly. For future reference, I had to modify the patch slightly to get it to apply using
I'm confused. Does @bagder's patch fix the issue? I thought the problem was someone had it deref to a long instead of an int.
Sorry, a few different things going on here...
I did not try applying the patch to the latest commit(s) that compile but produce incorrect behavior.
Without the patch, the code blanks the
Since @nmiyake has confirmed this patch fixes the problem and it has been pushed already, I suppose we can close this now?
I never applied the patch on top of any versions that compiled but didn't work -- I can try that now to verify.
Ah, yes please do. I personally tried on the current git master and it works for me with this applied.
Confirmed that issue is resolved in latest
Thanks guys
The command
curl --tlsv1.2 https://tlstest.paypal.com/
works in curl 7.53.1 but does not work in curl 7.54.0 or later when built with SecureTransport. Tested on macOS Sierra 10.12.6 (16G29).
curl version from 7.51.0 to 7.54.0, so this behavior regresses when updating from macOS 10.12.5 to 10.12.6
--tlsv1.2 flag and calling
curl https://tlstest.paypal.com/
works in all cases
7.53.1-DEV (built locally; works)
curl -V && curl --tlsv1.2 https://tlstest.paypal.com/ :
7.54.0 (included in macOS Sierra 10.12.6; does not work)
curl -V && curl --tlsv1.2 https://tlstest.paypal.com/ :
7.54.1-DEV (built locally; does not work)
curl -V && curl --tlsv1.2 https://tlstest.paypal.com/ :
7.54.1 (installed using brew; works)
curl -V && curl --tlsv1.2 https://tlstest.paypal.com/ :
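The overwrite discussed in this thread (a `long`-sized store through a pointer to a narrower variable, which "blanks" its neighbour), as an added example that is not curl's code. `proto_t`, `struct tls_range`, the function names and the adjacent min/max layout are constructed stand-ins and assumptions, not taken from darwinssl.c.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (assumptions): a protocol type narrower than long on
   LP64, and a caller that keeps its min and max versions side by side. */
typedef int proto_t;
enum { PROTO_TLS12 = 8 };

struct tls_range {
  proto_t min_ver;
  proto_t max_ver;
};

/* Pre-patch shape: the out-parameter is written as a long. memcpy of
   sizeof(long) bytes models "*darwinver = value" through a long *
   while keeping this demo free of undefined behaviour. */
static void set_version_long(void *out, long value)
{
  memcpy(out, &value, sizeof(long));
}

/* Post-patch shape: the out-parameter has the caller's own type. */
static void set_version_typed(proto_t *out, proto_t value)
{
  *out = value;
}

/* Sets min_ver on a range whose max_ver is already TLS 1.2 and reports
   whether both fields hold TLS 1.2 afterwards (1 = intact, 0 = clobbered). */
static int range_intact(int use_typed)
{
  struct tls_range r = { 0, PROTO_TLS12 };
  if(use_typed)
    set_version_typed(&r.min_ver, PROTO_TLS12);
  else if(sizeof(long) <= sizeof r)   /* keep the wide store inside r */
    set_version_long(&r, PROTO_TLS12); /* &r is also the address of min_ver */
  return r.min_ver == PROTO_TLS12 && r.max_ver == PROTO_TLS12;
}

int main(void)
{
  printf("sizeof(long)=%zu sizeof(proto_t)=%zu\n",
         sizeof(long), sizeof(proto_t));
  printf("long-sized store:  range intact = %d\n", range_intact(0));
  printf("typed store:       range intact = %d\n", range_intact(1));
  return 0;
}
```

On a platform where `long` and `proto_t` have the same width, both variants leave the range intact, which is why a mismatch like this can go unnoticed on some builds.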