
Apple Secure Transport: ignore errSSLPeerAuthCompleted if CURLOPT_SSL_VERIFYPEER is 0 #3932

Closed
smuellerDD opened this issue May 23, 2019 · 3 comments

@smuellerDD

commented May 23, 2019

I did this

My code contains:

```c
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
```

I use curl with Apple Secure Transport.

During the handshake SSLRead returns -9841 which translates into https://developer.apple.com/documentation/security/1503828-secure_transport_result_codes/errsslpeerauthcompleted

Curl terminates the connection because SSLRead returned an error. The select call in the function sectransp_recv chooses the "default" entry.

I expected the following

I would presume that this return code is expected when CURLOPT_SSL_VERIFYPEER is set to 0.

Thus, curl should gracefully accept that return code with CURLOPT_SSL_VERIFYPEER set to 0.

curl/libcurl version

7.54

However, the issue seems to be present in the current GIT HEAD.

operating system

macOS 10.14.5

@bagder bagder added the SSL/TLS label May 23, 2019

@bagder

commented May 23, 2019

Clearly the code doesn't expect -9841 to be returned from SSLRead() but has code for it when returned from SSLHandshake():

curl/lib/vtls/sectransp.c

Lines 2371 to 2377 in 0edf690

```c
      case -9841:
        if(SSL_CONN_CONFIG(CAfile) && SSL_CONN_CONFIG(verifypeer)) {
          int res = verify_cert(SSL_CONN_CONFIG(CAfile), data,
                                BACKEND->ssl_ctx);
          if(res != CURLE_OK)
            return res;
        }
```

Is this perhaps a renegotiation or something? @nickzman, do you have any thoughts?

The error code is documented as:

A non-fatal result indicating the peer certificate is valid, or was ignored if verification is disabled.

Does this imply we should just call the function again?
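As an added illustration (not curl's code and not part of this thread), here is a small C model of the recv-side decision the comment above describes: the old read path lets -9841 fall through to "default" and tears the connection down, while the fixed path runs verify_cert() only when verifypeer and a CAfile are set and otherwise just reads again, mirroring the SSLHandshake() case quoted above. The functions classify_sslread and drain, their flag parameters, and the status sequences are constructed for this example.

```c
/* Constructed example, not curl's code. Status values are the ones in
   Apple's SecureTransport.h; -9841 is the errSSLPeerAuthCompleted at issue. */
#define noErr                    0
#define errSSLWouldBlock        (-9803)
#define errSSLPeerAuthCompleted (-9841)

enum recv_outcome { RECV_DATA, RECV_AGAIN, RECV_ERROR };

/* Map one SSLRead() status to the recv path's next step. verifypeer and
   have_cafile stand in for SSL_CONN_CONFIG(verifypeer)/SSL_CONN_CONFIG(CAfile),
   cert_ok for verify_cert() succeeding. handle_peer_auth == 0 reproduces the
   reported behaviour: -9841 hits "default" and the connection is torn down. */
static enum recv_outcome classify_sslread(int status, int handle_peer_auth,
                                          int verifypeer, int have_cafile,
                                          int cert_ok)
{
  switch(status) {
  case noErr:
    return RECV_DATA;
  case errSSLWouldBlock:
    return RECV_AGAIN;
  case errSSLPeerAuthCompleted:
    if(!handle_peer_auth)
      break;                      /* old read path: treated as fatal */
    /* Non-fatal: peer cert validated, or skipped because verification is
       off. Run our own CA check only when asked, then read again, exactly
       as the SSLHandshake() case quoted above does. */
    if(verifypeer && have_cafile && !cert_ok)
      return RECV_ERROR;
    return RECV_AGAIN;
  default:
    break;
  }
  return RECV_ERROR;
}

/* Drive statuses through classify_sslread() until it stops asking to re-read. */
static enum recv_outcome drain(const int *seq, int n, int handle_peer_auth,
                               int verifypeer, int have_cafile, int cert_ok)
{
  int i;
  for(i = 0; i < n; i++) {
    enum recv_outcome r = classify_sslread(seq[i], handle_peer_auth,
                                           verifypeer, have_cafile, cert_ok);
    if(r != RECV_AGAIN)
      return r;
  }
  return RECV_AGAIN;  /* sequence ran out while still waiting */
}
```

With CURLOPT_SSL_VERIFYPEER set to 0 the sequence would-block, -9841, data ends in RECV_ERROR on the old path and RECV_DATA on the fixed one.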

@smuellerDD

commented May 23, 2019

bagder added a commit that referenced this issue May 23, 2019

sectransp: handle errSSLPeerAuthCompleted from SSLRead()
Reported-by: smuellerDD on github
Fixes #3932
@bagder

commented May 23, 2019

If you can reproduce this case, can you try #3933? I couldn't try it out; I just wrote it "blindly".

@bagder bagder closed this in 5c9b2e6 May 24, 2019
