intermittent CURLE_SSL_CONNECT_ERROR (35) triggered by SEC_E_BUFFER_TOO_SMALL and SEC_E_MESSAGE_ALTERED in schannel for https on Windows 8.1 and below #5488
Any suggestion as to where (in which documentation) we should add such a mention? Also, I would like to have it more specific than just "is unreliable on older Windows". In general we always recommend users to go with recent versions of everything rather than older, and if you get stuck on older Windows versions using schannel you're already not following that advice...
Probably winbuild/BUILD.WINDOWS.txt. Perhaps there are other documents on how to build libcurl and why one would choose openssl, mbedtls, nghttp2, zlib, sspi, or not, and I never stumbled upon them. When reading the above document, I wondered why anybody would choose OpenSSL on Windows if the platform already had native support (in something called "sspi", whatever that means), thus simplifying the life of the developer. But now I know at least one reason.
This strikes me as a corner case and I'm not convinced that we should note it.
We could think about handling
Users of libcurl on Windows who use schannel (the default) may want to use:
After adding the above, the test code above succeeds 1000/1000 times for me on Windows 8.1. The very wary coder might want to use CURLOPT_ERRORBUFFER and search the error buffer for SEC_E_BUFFER_TOO_SMALL or SEC_E_MESSAGE_ALTERED.
I prefer we find and fix the problem in libcurl.
I don't think there is a problem in libcurl. Schannel could certainly have a problem. I plan to put this in known issues unless anyone is going to work on it.
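The error-buffer check suggested in the comment above, as an added example that is not the commenter's snippet (which did not survive on this page) and not libcurl code. It assumes the caller retries a bounded number of times, and only when code 35 arrives with one of the two Schannel status names in the buffer, so every other TLS failure is returned on the first attempt. The function names, the callback type and the sample error text are hypothetical or constructed.

```c
#include <stdio.h>
#include <string.h>

#define SSL_CONNECT_ERROR 35 /* CURLE_SSL_CONNECT_ERROR, value from the issue title */
#define ERRBUF_SIZE 256      /* same size as libcurl's CURL_ERROR_SIZE */

/* Hypothetical callback: one transfer; fills errbuf, returns the CURLcode as int. */
typedef int (*transfer_fn)(void *ctx, char *errbuf);

/* Nonzero only for the two Schannel failures named in this issue. */
int is_schannel_handshake_glitch(int code, const char *errbuf)
{
    if (code != SSL_CONNECT_ERROR || errbuf == NULL)
        return 0;
    return strstr(errbuf, "SEC_E_BUFFER_TOO_SMALL") != NULL ||
           strstr(errbuf, "SEC_E_MESSAGE_ALTERED") != NULL;
}

/* Runs fn up to max_attempts times, retrying only on the glitch; returns last code. */
int perform_with_bounded_retry(transfer_fn fn, void *ctx, int max_attempts, int *attempts)
{
    char errbuf[ERRBUF_SIZE];
    int code = SSL_CONNECT_ERROR;
    *attempts = 0;
    while (*attempts < max_attempts) {
        errbuf[0] = '\0'; /* clear stale text from the previous attempt */
        code = fn(ctx, errbuf);
        ++*attempts;
        if (!is_schannel_handshake_glitch(code, errbuf))
            break; /* success, or a failure that must not be retried */
        fprintf(stderr, "attempt %d: %s\n", *attempts, errbuf);
    }
    return code;
}

/* Constructed stand-in for curl_easy_perform: fails *ctx times, then succeeds. */
int fake_transfer(void *ctx, char *errbuf)
{
    int *failures_left = ctx;
    if (*failures_left > 0) {
        --*failures_left;
        snprintf(errbuf, ERRBUF_SIZE, /* constructed message text */
                 "InitializeSecurityContext failed: SEC_E_BUFFER_TOO_SMALL (0x80090321)");
        return SSL_CONNECT_ERROR;
    }
    return 0; /* CURLE_OK */
}

int main(void) { int left = 2, n; return perform_with_bounded_retry(fake_transfer, &left, 3, &n); }
```

In a real program the callback would wrap `curl_easy_perform` on a handle whose `CURLOPT_ERRORBUFFER` points at `errbuf`.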
curl-7.70, compiled with nmake mode=dll
Windows: 7 and 8.1, but not 10
I have observed on multiple Windows machines that https requests performed using curl_easy_perform will fail on occasion (on the order of 1/100 tries). The underlying error is a return value of SEC_E_BUFFER_TOO_SMALL (0x80090321) or SEC_E_MESSAGE_ALTERED (0x8009030) from InitializeSecurityContext.
I have been able to reproduce the intermittent failures on Windows 7 and Windows 8.1 machines. I have not been able to reproduce the issue on Windows 10. The problem reproduced when connecting to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS servers.
I think the bug is in Microsoft code. But perhaps a note should be added to users of libcurl that schannel is unreliable on older Windows.