--tcp-fastopen with https URLs cause SSL Protocol error #907
Comments
Ouch, after debugging this further, I realize there is no (easy) fix.
So I figure the correct fix here (short term at least) is to make sure we don't try to do TFO with TLS enabled, right?
The OS X implementation should work with TLS though (they have a saner API), and it shouldn't be too difficult to actually implement with OpenSSL (don't know about the other TLS libraries). Anyway, I can make a patch for disabling Linux TFO+TLS for now when I have a bit of time.
Untested proof-of-concept https://github.com/ghedo/curl/commit/no_tfo_with_tls
As TFO needs to be explicitly requested by the user, wouldn't it be better to fail with a sensible error message, like "Not implemented yet."?
There are other scenarios where TFO is requested but not actually used (e.g. the server doesn't support it) and we can't really do anything in those cases (not even print a warning) since it's handled transparently by the kernel, so I'd say this is a similar case.
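The transparent-fallback point made in the comment above, as an added example that is not curl's code: a loopback client sends its first bytes the way a Linux TFO client must, in sendto() with MSG_FASTOPEN on an unconnected socket rather than after connect(), against a plain listener that never enabled TFO, so the kernel quietly completes a normal three-way handshake and delivers the bytes anyway. That "first bytes go into sendto()" shape is also why a TLS library that expects to write its ClientHello on an already-connected fd does not fit this path; the helper names (`_echo_server`, `tfo_request`, `demo`), the payload and the mode labels are constructed for this demo.

```python
import errno
import socket
import threading

PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"  # constructed sample first bytes


def _echo_server(srv, result):
    # Plain listener: it never sets TCP_FASTOPEN, so the client's request to
    # carry data in the SYN cannot be honoured and the kernel silently falls
    # back to a normal three-way handshake before delivering the bytes.
    conn, _ = srv.accept()
    with conn:
        result["received"] = conn.recv(1024)
        conn.sendall(result["received"])


def tfo_request(addr, payload):
    """Send the first bytes the Linux TFO way: sendto(MSG_FASTOPEN) on an
    unconnected socket. Returns (echo, mode); mode records the path used."""
    flag = getattr(socket, "MSG_FASTOPEN", None)  # Linux-only constant
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    mode = "no_msg_fastopen" if flag is None else "msg_fastopen"
    if flag is not None:
        try:
            cli.sendto(payload, flag, addr)  # connects and queues payload
        except OSError as e:
            # net.ipv4.tcp_fastopen without the client bit -> EOPNOTSUPP
            if e.errno != errno.EOPNOTSUPP:
                raise
            mode = "tfo_disabled"
    if mode != "msg_fastopen":
        cli.close()
        cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        cli.connect(addr)  # the ordinary path used when TFO is not in play
        cli.sendall(payload)
    with cli:
        return cli.recv(1024), mode


def demo():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    result = {}
    t = threading.Thread(target=_echo_server, args=(srv, result))
    t.start()
    echo, mode = tfo_request(srv.getsockname(), PAYLOAD)
    t.join()
    srv.close()
    return result["received"], echo, mode
```

Whichever path the kernel takes, the server receives the same bytes; only `mode` tells you whether the data-in-SYN request was even attempted, which is exactly the silence the comment describes.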
I agree with @ghedo, I think we just make it work for now. I have some questions I will address in the branch
- Linux TFO + TLS is not implemented yet. Bug: #907
Since there is a release tomorrow (July 21) and since I'm unclear on the behavior of connectx (asked in the proposed PR) I've instead committed my own version which sidesteps the issue. Landed in 4ee2035.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@bagder in 2017 there have been some interesting changes, both in openssl and Linux kernel. The new socket flag — does it make sense to revisit this issue now?
@bagder Ah, so it has already been done. I quickly searched for "fastopen" in logs, didn't notice it was added under slightly different wording. In my defense — the consequences of this ticket (e.g. that curl couldn't use fast open with SSL on old kernels) have never been properly documented, so I just assumed that this ticket was the authority on the issue.
For some reason curl requests for https URLs with --tcp-fast-open
cause an SSL protocol error.
When doing tcpdump, I don't even see a connection attempt from curl, despite curl
claiming in verbose output it "Connected to" the host.
Without HTTPS, TFO works fine. Without TFO, HTTPS works fine.
I did this
I expected the following (but with --tcp-fastopen)
curl/libcurl version
operating system
Ubuntu 16.04, amd64