Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upError 35 when running curl with --tlsv1.2 option (Curl version 7.62.0) #3261
Comments
|
Odd, I don't see any obvious changes since release but testing this on todays HEAD seems to work. |
|
I think |
|
This is still broken in the current nightly build: Anything I can try to debug this? |
|
As a comparison, here's my local NSS build: curl 7.63.0-DEV (x86_64-pc-linux-gnu) libcurl/7.63.0-DEV NSS/3.39 zlib/1.2.11 brotli/1.0.7 c-ares/1.14.0 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) nghttp2/1.34.0 librtmp/2.3
Probably by single-stepping through |
|
It's failing in It works for me with 7.61.1 by the way. |
|
@pghmcfc is that perhaps because your version doesn't like TLS 1.3 as "max" ? Can you check if that's the case with a patch like: --- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1777,11 +1777,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
CURLcode result;
bool second_layer = FALSE;
SSLVersionRange sslver = {
SSL_LIBRARY_VERSION_TLS_1_0, /* min */
-#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+#ifdef xxxSSL_LIBRARY_VERSION_TLS_1_3
SSL_LIBRARY_VERSION_TLS_1_3 /* max */
#else
SSL_LIBRARY_VERSION_TLS_1_2
#endif
}; |
|
@bagder yes that's it. NSS in RHEL-7 is built with TLS 1.3 disabled: |
|
Of course they do! :-( Ok so we need to add some logic and see if we can make NSS agree to a lesser max version. |
NSS may be built without support for the latest SSL/TLS versions, leading to "SSL version range is not valid" errors when the library code supports a recent version (e.g. TLS v1.3) but it has explicitly been disabled. This change adjusts the maximum SSL version requested by libcurl to be the maximum supported version at runtime, as long as that version is at least as high as the minimum version required by libcurl. Fixes curl#3261
|
@badger, that didn't work (for reasons I can't quite fathom from looking at the code) but see #3337 for what I think is a cleaner fix, which works for me. This gets the highest supported version from NSS and uses that if it's lower than the current maximum and not less than the minimum required version. |
NSS may be built without support for the latest SSL/TLS versions, leading to "SSL version range is not valid" errors when the library code supports a recent version (e.g. TLS v1.3) but it has explicitly been disabled. This change adjusts the maximum SSL version requested by libcurl to be the maximum supported version at runtime, as long as that version is at least as high as the minimum version required by libcurl. Fixes curl#3261
I did this
Run curl from command line with --tlsv1.2 option.
curl "https://github.com/curl/curl/issues/new" --tlsv1.2results in error 35:
curl: (35) SSL version range is not valid.I expected the following
I expected the same result as running curl on the same url without "--tlsv1.2" option, which means:
curl/libcurl version
curl 7.62.0 (x86_64-redhat-linux-gnu) libcurl/7.62.0 NSS/3.36 zlib/1.2.7 libpsl/0.7.0 (+libicu/50.1.2) libssh2/1.8.0 nghttp2/1.31.1
Release-Date: 2018-10-31
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy PSL Metalink
operating system
CentOS Linux release 7.5.1804 (Core)
other info
This doesn't apply to curl version 7.61.0. Downgrading curl to 7.61 recovers functionality.