-
-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
openssl: don't log raw record headers #10299
Conversation
As stated in the comment, we should log only interesting records and "skip all raw record headers (content_type == SSL3_RT_HEADER)", but that is never checked. This patch fixes that and prevents useless TLS record headers from spamming the curl verbose output.
The comment you are referring to came from #3281 and I think may have been made by mistake. @Lekensteyn wrote: Lines 2720 to 2728 in c12fb3d
Probably he meant |
The suggested code looks correct to me. We could probably improve the comment and commit message while at it. See this diff in the verbose output without and with this patch below. The status messages @@ -1,97 +1,64 @@
$ src/curl -svo /dev/null https://mirror.nl.leaseweb.net/speedtest/10mb.bin
* Trying [2001:1af8:4700:b210::33]:443...
* Connected to mirror.nl.leaseweb.net (2001:1af8:4700:b210::33) port 443 (#0)
* ALPN: offers http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
-* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
-* TLSv1.2 (IN), TLS header, Certificate Status (22):
-{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [88 bytes data]
-* TLSv1.2 (OUT), TLS header, Finished (20):
-} [5 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
-* TLSv1.2 (OUT), TLS header, Certificate Status (22):
-} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
-* TLSv1.2 (IN), TLS header, Finished (20):
-{ [5 bytes data]
-* TLSv1.2 (IN), TLS header, Certificate Status (22):
-{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [187 bytes data]
-* TLSv1.2 (IN), TLS header, Supplemental data (23):
-{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
-* TLSv1.2 (IN), TLS header, Supplemental data (23):
-{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4785 bytes data]
-* TLSv1.2 (IN), TLS header, Supplemental data (23):
-{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
-* TLSv1.2 (IN), TLS header, Supplemental data (23):
-{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
-* TLSv1.2 (OUT), TLS header, Supplemental data (23):
-} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
* subject: CN=mirror.leaseweb.com
* start date: Dec 14 11:30:38 2022 GMT
* expire date: Mar 14 11:30:37 2023 GMT
* subjectAltName: host "mirror.nl.leaseweb.net" matched cert's "mirror.nl.leaseweb.net"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
-* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> GET /speedtest/10mb.bin HTTP/1.1
> Host: mirror.nl.leaseweb.net
> User-Agent: curl/7.87.1-DEV
> Accept: */*
>
-* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
-* TLSv1.2 (IN), TLS header, Supplemental data (23):
-{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
-* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< HTTP/1.1 200 OK
< Server: nginx
-< Date: Sun, 15 Jan 2023 23:22:17 GMT
+< Date: Sun, 15 Jan 2023 23:23:04 GMT
< Content-Type: application/octet-stream
< Content-Length: 10000000
< Last-Modified: Mon, 08 Aug 2011 22:26:16 GMT
< Connection: keep-alive
< ETag: "4e406288-989680"
< Strict-Transport-Security: max-age=31536000
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Accept-Ranges: bytes
<
{ [16029 bytes data]
-* TLSv1.2 (IN), TLS header, Supplemental data (23):
-{ [5 bytes data]
-* TLSv1.2 (IN), TLS header, Supplemental data (23):
-{ [5 bytes data]
-<... elided 1214 lines ...>
-* TLSv1.2 (IN), TLS header, Supplemental data (23):
-{ [5 bytes data]
* Connection #0 to host mirror.nl.leaseweb.net left intact |
I think that the comment is right. There are two conditions according to the comment:
I only checked for
Then further in NOTES we have:
Somehow this version must have become non-zero for the There might be a bug in OpenSSL, but the workaround in this PR looks good. We can dig deeper to find the cause and try to include that in the commit message. |
Yes, these excessive logs came after upgrading to openssl 3.0.x. True, in openssl 1.1.1,
And it is no longer the case for openssl 3.0:
git blame shows that the second-to-last line came from this commit: openssl/openssl@fcc3a52 |
Thanks |
- Skip content type SSL3_RT_HEADER in verbose TLS output. This commit prevents bogus and misleading verbose TLS header messages as discussed in curl#10299. Assisted-by: Peter Wu Closes curl#10299
As stated in the comment:
curl/lib/vtls/openssl.c
Lines 2696 to 2699 in 6113dec
We should skip TLS record headers (content_type == SSL3_RT_HEADER), but that is never checked.
This patch fixes that and prevents useless TLS record headers from spamming the curl verbose output.
E.g., running a long-running
curl -v
will have the following two lines spamming the console and clobbering the progress meter: