What is causing a delay in TLS handshake? - performance

Below is some output from curl --trace-time https://... which shows a 0.2 second delay in the middle of the TLS handshake. Any ideas on why this might be? I've tried with various cipher options and it persists. It also doesn't appear to be the result of something external (like a DNS lookup).
13:48:11.168371 * Connected to maas.its.iastate.edu (10.24.107.84) port 443 (#0)
13:48:11.168721 * SSLv3, TLS handshake, Client hello (1):
13:48:11.168761 } [data not shown]
13:48:11.183236 * SSLv3, TLS handshake, Server hello (2):
13:48:11.183348 { [data not shown]
13:48:11.183894 * SSLv3, TLS handshake, CERT (11):
13:48:11.183938 { [data not shown]
13:48:11.375841 * SSLv3, TLS handshake, Server finished (14):
13:48:11.375898 { [data not shown]
13:48:11.376106 * SSLv3, TLS handshake, Client key exchange (16):
13:48:11.376142 } [data not shown]
13:48:11.376203 * SSLv3, TLS change cipher, Client hello (1):
13:48:11.376240 } [data not shown]
13:48:11.376334 * SSLv3, TLS handshake, Finished (20):
13:48:11.376369 } [data not shown]
13:48:11.392527 * SSLv3, TLS change cipher, Client hello (1):
13:48:11.392585 { [data not shown]
13:48:11.392677 * SSLv3, TLS handshake, Finished (20):
13:48:11.392715 { [data not shown]
13:48:11.392788 * SSL connection using RC4-SHA
13:48:11.392825 * Server certificate: [cert details not shown]
13:48:11.393077 * SSL certificate verify ok.
13:48:11.393146 > GET /maas/example HTTP/1.1
13:48:11.409146 { [data not shown]
13:48:11.409438 * Closing connection #0

Run it under strace and use the -tt option:
http://linux.die.net/man/1/strace
Something like this:
strace -o /output/file -f -tt curl ...
The output will show you where the hang is - at least at the level of exactly what system call hangs.

This might be caused by a large certificate chain together with TCP slow start. See https://stackoverflow.com/a/29199493/3081018 for more details.

Related

HTTP request failing – but only when run through Cocoapods

I publish a pod with the following spec:
Pod::Spec.new do |s|
s.name = "AirTurnInterface"
s.version = "4.7.0-b.6"
s.summary = "snip"
s.description = "snip"
s.license = { :file => 'LICENSE', :type => 'AirTurn' }
s.homepage = "snip"
s.author = { "Nick Brook" => "snip#airturn.com" }
s.ios.deployment_target = "11.0"
s.frameworks = 'CoreBluetooth', 'GameController', 'Security', 'UIKit'
s.source = { :http => "https://airturn.com/framework/test/AirTurnInterface.#{s.version}.zip" }
s.vendored_frameworks = "Framework-dynamic/AirTurnInterface.xcframework"
end
This can be tested by putting the following in a file named test.podspec and running pod spec lint test.podspec.
Until recently, this worked fine. Now, running pod spec lint fails when downloading the zip with the error:
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
It also provides the curl command used:
/opt/homebrew/opt/curl/bin/curl -f -L -o /var/folders/9j/jqc5qhp922b7c8jhrvkh7h8m0000gn/T/d20221021-48752-1fqts5p/file.zip https://airturn.com/framework/test/AirTurnInterface.4.7.0-b.6.zip --create-dirs --netrc-optional --retry 2 -A 'CocoaPods/1.11.3 cocoapods-downloader/1.5.1'
The strange thing is, this command works when run directly, it only fails when run from Cocoapods (ruby). I've also tried just performing the command from a simple ruby script, which works fine. Something about Cocoapods is causing the command to fail. I've modified Cocoapods (gems/cocoapods-downloader-1.5.1/lib/cocoapods-downloader/http.rb) to pass -v to curl, which provides the following output:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 35.209.185.188:443...
* Connected to airturn.com (35.209.185.188) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [88 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [187 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4039 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: CN=*.airturn.com
* start date: Oct 5 00:07:55 2022 GMT
* expire date: Jan 3 00:07:54 2023 GMT
* subjectAltName: host "airturn.com" matched cert's "airturn.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* h2h3 [:method: GET]
* h2h3 [:path: /framework/test/AirTurnInterface.4.7.0-b.6.zip]
* h2h3 [:scheme: https]
* h2h3 [:authority: airturn.com]
* h2h3 [user-agent: 'CocoaPods/1.11.3 cocoapods-downloader/1.5.1']
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x15580f600)
} [5 bytes data]
> GET /framework/test/AirTurnInterface.4.7.0-b.6.zip HTTP/2
> Host: airturn.com
> user-agent: 'CocoaPods/1.11.3 cocoapods-downloader/1.5.1'
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
* HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Connection #0 to host airturn.com left intact
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
Forcing http1.1 with --http1.1 doesn't help:
curl: (52) Empty reply from server
I don't know what to try next to debug further!
It looks like the ZIP file is being returned using HTTP/1.1 instead of HTTP/2 which CocoaPods is requiring. Older versions of TLS are no longer supported on some platforms so I'd recommend updating your web server/host to a platform that is using a more modern TLS.

Why do I keep getting BUILD FAILURE when trying to install ruby 3.1.2 in Ubuntu 20.04 WSL2?

I've been trying to install ruby 3.1.2 on my ubunutu 20.04 WSL2 setup.
I get through installing rbenv, but when I try to install ruby I get stuck at the downloading ruby stage, and get a BUILD FAILED message.
I'm not sure what other info to provide, but please just ask and I will get anything I'm missing
bmcbride#G15:~$ rbenv -v
rbenv 1.2.0-16-gc4395e5
bmcbride#G15:~$ rbenv install 3.1.2 --verbose
/tmp/ruby-build.20220812150245.174.oXyOhQ ~
Downloading ruby-3.1.2.tar.gz...
-> https://cache.ruby-lang.org/pub/ruby/3.1/ruby-3.1.2.tar.gz
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
error: failed to download ruby-3.1.2.tar.gz
BUILD FAILED (Ubuntu 20.04 using ruby-build 20220726-1-ga753b24)
Inspect or clean up the working tree at /tmp/ruby-build.20220812150245.174.oXyOhQ
Results logged to /tmp/ruby-build.20220812150245.174.log
Last 10 log lines:
/tmp/ruby-build.20220812150245.174.oXyOhQ ~
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
EDIT:
RUBY_BUILD_CURL_OPTS="-0 --verbose" rbenv install 3.1.2 --verbose
/tmp/ruby-build.20220812195807.19239.iSYAyi ~
Downloading ruby-3.1.2.tar.gz...
-> https://cache.ruby-lang.org/pub/ruby/3.1/ruby-3.1.2.tar.gz
* Trying 151.101.109.178:443...
* TCP_NODELAY set
* Trying 2a04:4e42:1a::434:443...
* TCP_NODELAY set
* Immediate connect fail for 2a04:4e42:1a::434: Network is unreachable
* Connected to cache.ruby-lang.org (151.101.109.178) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [112 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2875 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=*.ruby-lang.org
* start date: Dec 24 19:42:27 2021 GMT
* expire date: Jan 25 19:42:26 2023 GMT
* subjectAltName: host "cache.ruby-lang.org" matched cert's "*.ruby-lang.org"
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA H2 2021
* SSL certificate verify ok.
} [5 bytes data]
> GET /pub/ruby/3.1/ruby-3.1.2.tar.gz HTTP/1.0
> Host: cache.ruby-lang.org
> User-Agent: curl/7.68.0
> Accept: */*
>
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Connection: close
< Content-Length: 20553628
< x-amz-id-2: qUJXy341CDBFg3sNrJh4iAsIj8xlsKtR0W/6qHCp75BYVgRiO21fx6Nh+SEfYbgdaQJWHdyA608=
< x-amz-request-id: 3H67P45YZZZNY8HP
< Last-Modified: Tue, 12 Apr 2022 12:47:13 GMT
< ETag: "3fc61f350eef6c49644eb25f8189874f-3"
< x-amz-version-id: i9hhX3JvclyQw4rFW4_nNjUod9k991xX
< Content-Type: application/x-tar
< Server: AmazonS3
< Via: 1.1 varnish, 1.1 varnish
< Accept-Ranges: bytes
< Age: 1955
< Date: Fri, 12 Aug 2022 11:58:09 GMT
< X-Served-By: cache-iad-kcgs7200133-IAD, cache-tyo11941-TYO
< X-Cache: HIT, HIT
< X-Cache-Hits: 0, 0
< X-Timer: S1660305489.152710,VS0,VE1
<
{ [5 bytes data]
error: failed to download ruby-3.1.2.tar.gz
BUILD FAILED (Ubuntu 20.04 using ruby-build 20220726-1-ga753b24)
EDIT 2
output from forcing rbenv to run ipv4
bmcbride#X13:~$ RUBY_BUILD_CURL_OPTS="-4 --verbose" rbenv install 3.1.2 --verbose
/tmp/ruby-build.20220813083713.327.wrSpG1 ~
Downloading ruby-3.1.2.tar.gz...
-> https://cache.ruby-lang.org/pub/ruby/3.1/ruby-3.1.2.tar.gz
* Trying 146.75.113.178:443...
* TCP_NODELAY set
* Connected to cache.ruby-lang.org (146.75.113.178) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2875 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.ruby-lang.org
* start date: Dec 24 19:42:27 2021 GMT
* expire date: Jan 25 19:42:26 2023 GMT
* subjectAltName: host "cache.ruby-lang.org" matched cert's "*.ruby-lang.org"
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA H2 2021
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x5604c88fa8c0)
} [5 bytes data]
> GET /pub/ruby/3.1/ruby-3.1.2.tar.gz HTTP/2
> Host: cache.ruby-lang.org
> user-agent: curl/7.68.0
> accept: */*
>
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 200
< x-amz-id-2: qUJXy341CDBFg3sNrJh4iAsIj8xlsKtR0W/6qHCp75BYVgRiO21fx6Nh+SEfYbgdaQJWHdyA608=
< x-amz-request-id: 3H67P45YZZZNY8HP
< last-modified: Tue, 12 Apr 2022 12:47:13 GMT
< etag: "3fc61f350eef6c49644eb25f8189874f-3"
< x-amz-version-id: i9hhX3JvclyQw4rFW4_nNjUod9k991xX
< content-type: application/x-tar
< server: AmazonS3
< via: 1.1 varnish, 1.1 varnish
< accept-ranges: bytes
< age: 1122
< date: Sat, 13 Aug 2022 00:37:12 GMT
< x-served-by: cache-iad-kcgs7200103-IAD, cache-nrt-rjtf7700030-NRT
< x-cache: HIT, HIT
< x-cache-hits: 0, 0
< x-timer: S1660351033.733568,VS0,VE1
< content-length: 20553628
<
{ [5 bytes data]
This may help:
https://learn.microsoft.com/en-us/windows/wsl/install-manual#step-4---download-the-linux-kernel-update-package
There's a kernel issue that causes big issues when you try to install the new Ruby on WSL. The above fixes it.

When using --negotiate with curl on windows, SSL/TLS handshake fails

When using --negotiate (or ntlm) with curl on windows, SSL/TSL handshake fails despite having a valid kerberos ticket cached on my windows 10 (shown below). The same logic and commands works without any issue in Unix/Linux. Any idea/help on how to resolve this issue?
Klist details:
$: Klist
Client: username # XXXX.XXX
Server: cifs/XXXXXXX.XXX # XXXXXXX.XXX
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags XXXXXX -> forwardable renewable pre_authent name_canonicalize
Start Time: 8/27/2020 9:46:36 (local)
End Time: 8/27/2020 19:46:33 (local)
Renew Time: 9/27/2020 9:46:33 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: XXXXXXXXX.XXX
curl command using ntlm or negotiate details:
>curl --ntlm -u : https://XXXXX.XXX -v
OR
>curl --negotiate -u : https://XXXXX.XXX -v
* Trying xx.xx.xx.xx...
* TCP_NODELAY set
* Connected to xxxx.xxx (xx.xx.xx.xx) port xxx (#0)
* schannel: SSL/TLS connection with xxxx.xxx port xxx (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 186 bytes...
* schannel: sent initial handshake data: sent 186 bytes
* schannel: SSL/TLS connection with xxx.xxx port xxx (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with xxx.xxx port xxx (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with xxx.xxx port xxx (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 5120 length 5120
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with xxx.xxx port xxx (step 2/3)
* schannel: encrypted data got 817
* schannel: encrypted data buffer: offset 5937 length 6144
* schannel: sending next handshake data: sending 126 bytes...
* schannel: SSL/TLS connection with xxx.xxx port xxx (step 2/3)
* schannel: encrypted data got 51
* schannel: encrypted data buffer: offset 51 length 6144
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with xxx.xxx port xxx (step 3/3)
* schannel: stored credential handle in session cache
> GET /login HTTP/1.1
> Host: xxx.xxx
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 915
* schannel: encrypted data buffer: offset 915 length 103424
* schannel: decrypted data length: 852
* schannel: decrypted data added: 852
* schannel: decrypted data cached: offset 852 length 102400
* schannel: encrypted data length: 34
* schannel: encrypted data cached: offset 34 length 103424
* schannel: decrypted data length: 5
* schannel: decrypted data added: 5
* schannel: decrypted data cached: offset 857 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 857 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 857
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 401
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Application-Context: Apixxxxx:x
< X-RateLimit-Limit-Api_login_anonymous: 1000
< X-RateLimit-Remaining-Api_login_anonymous: 999
< X-RateLimit-Reset-Apixxx_login_anonymous: 0
< X-xxxxx-xxx: xxxxx.xxx
< Date: Thu, 27 Aug 2020 19:50:12 GMT
< Expires: 0
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="Please login with your Windows account"
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Strict-Transport-Security: max-age=xxx ; includeSubDomains
< TraceId: 5f480e7427f78fd5406fcbef0abf8e6c
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
<
* Ignoring the response-body
* Connection #0 to host xxx.xxx left intact
* Issue another request to this URL: 'https://xxx.xxx/login'
* Found bundle for host xxx.xxx: 0xxxxxxxxx [can pipeline]
* Re-using existing connection! (#0) with host xxx.xxx
* Connected to xxx.xxx (xx.xx.xxx.xx) port xxx (#0)
* Server auth using Negotiate with user ' '
> GET /login HTTP/1.1
> Host: xxx.xxx
> Authorization: Negotiate xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 814
* schannel: encrypted data buffer: offset 814 length 103424
* schannel: decrypted data length: 751
* schannel: decrypted data added: 751
* schannel: decrypted data cached: offset 751 length 102400
* schannel: encrypted data length: 34
* schannel: encrypted data cached: offset 34 length 103424
* schannel: decrypted data length: 5
* schannel: decrypted data added: 5
* schannel: decrypted data cached: offset 756 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 756 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 756
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 401
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Application-Context: Apixxx:xxxxxxxxxxxxxxxx:x
< X-RateLimit-Limit-Apixxx_login_anonymous: 1000
< X-RateLimit-Remaining-Apixxx_login_anonymous: 999
< X-RateLimit-Reset-Apixxx_login_anonymous: 0
< X-XXXX-xxx: xxxx.xxx
< Date: Thu, 27 Aug 2020 19:50:12 GMT
< Expires: 0
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Strict-Transport-Security: max-age=xxx ; includeSubDomains
< TraceId: xxxxxxxxxxxxxxxxxxxxxxxxxxx
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
<
* Connection #0 to host xxx.xxx left intact
>curl --version
curl 7.55.1 (Windows) libcurl/7.55.1 WinSSL
Release-Date: [unreleased]
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL

Suppressing schannel output on Windows

I've been using cURL for a while now, though not upgrading the executable very often. I've noticed with v7.60 that when using -v to get the headers as well, I get a smattering of * schannel: messages in the prompt, so that it goes like this:
$ curl -vs "https://example.com"
* Rebuilt URL to: https://example.com/
* Trying 93.184.216.34...
* TCP_NODELAY set
* Connected to example.com (93.184.216.34) port 443 (#0)
* schannel: SSL/TLS connection with example.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 176 bytes...
* schannel: sent initial handshake data: sent 176 bytes
* schannel: SSL/TLS connection with example.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with example.com port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 14
* schannel: encrypted data buffer: offset 14 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with example.com port 443 (step 2/3)
* schannel: encrypted data got 817
* schannel: encrypted data buffer: offset 831 length 4096
* schannel: sending next handshake data: sending 126 bytes...
* schannel: SSL/TLS connection with example.com port 443 (step 2/3)
* schannel: encrypted data got 242
* schannel: encrypted data buffer: offset 242 length 4096
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with example.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.60.0
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 1666
* schannel: encrypted data buffer: offset 1666 length 103424
* schannel: decrypted data length: 338
* schannel: decrypted data added: 338
* schannel: decrypted data cached: offset 338 length 102400
* schannel: encrypted data length: 1299
* schannel: encrypted data cached: offset 1299 length 103424
* schannel: decrypted data length: 1270
* schannel: decrypted data added: 1270
* schannel: decrypted data cached: offset 1608 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 1608 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 1608
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: max-age=604800
< Content-Type: text/html; charset=UTF-8
< Date: Tue, 05 Feb 2019 08:08:57 GMT
< Etag: "1541025663"
< Expires: Tue, 12 Feb 2019 08:08:57 GMT
< Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
< Server: ECS (dca/24C1)
< Vary: Accept-Encoding
< X-Cache: HIT
< Content-Length: 1270
<
[HTML here]
Is there any way to suppress these messages so that -v still yields me the headers, and I can use > NUL to discard the response body, all without the SChannel noise?
To head off the obvious suggestion, -I won't work for me: I need to be able to send GET and other requests this way because my work involves investigating third-party servers that can (and have been known to) respond to HEAD differently.

SSL Client Authenticated Webservice on ruby SSLv3 read server certificate B: certificate verify failed

I'm trying to connect to a webservice that requires SSL Client Authentication using ruby 2.1.2 but
When I use the same client certificate (client_cert.pem) on curl I've got the right response:
curl 'https://mywebservice.xxx.com' --cert client_cert.pem --cacert mycacert.crt
When I verbose curl I can see the handshaking going on like this:
* Hostname was NOT found in DNS cache
* Trying 192.168.0.10...
* Connected to mywebservice.xxx.com (192.168.0.10) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* ...
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: mywebservice.xxx.com
> Accept: */*
>
* SSLv3, TLS handshake, Hello request (0):
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
< HTTP/1.1 200 OK
< Date: Thu, 17 Jul 2014 12:50:26 GMT
* Server Apache/2.2.16 (Debian) is not blacklisted
< Server: Apache/2.2.16 (Debian)
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Wed, 31 Dec 1969 21:00:00 BRT
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/xml;charset=utf-8
<
<?xml version='1.0' encoding='UTF-8'?> .....the full xml response
That's what I needed, but then I've tried the same on ruby:
#ws_test.rb
require 'net/http'
require 'uri'
require 'openssl'
uri = URI.parse 'https://mywebservice.xxx.com/'
http = Net::HTTP.new(uri.host, 443)
http.use_ssl = true
http.ssl_version = :TLSv1
cert = OpenSSL::X509::Certificate.new(File.read("client_cert.pem"))
http.cert = cert
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.cert_store = OpenSSL::X509::Store.new
cacert = OpenSSL::X509::Certificate.new(File.read("mycacert.crt"))
http.cert_store.add_cert(cacert)
http.start do
http.request_get(uri.path) {|res|
print res.body
}
end
But on ruby I've got this problem:
/home/user/.rbenv/versions/2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
from /home/user/.rbenv/versions/2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `block in connect'
from /home/user/.rbenv/versions/2.1.2/lib/ruby/2.1.0/timeout.rb:76:in `timeout'
from /home/user/.rbenv/versions/2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `connect'
from /home/user/.rbenv/versions/2.1.2/lib/ruby/2.1.0/net/http.rb:863:in `do_start'
from /home/user/.rbenv/versions/2.1.2/lib/ruby/2.1.0/net/http.rb:852:in `start'
I've tried to change the verify_mode:
http.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
# same error
and
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
# a different error: " SSL_read: ssl handshake failure (OpenSSL::SSL::SSLError"
I've solved it using the gem rest_client...
This is what I did:
require 'rest_client'
RestClient::Resource.new(
'https://mywebservice.xxx.com/',
:ssl_client_cert => OpenSSL::X509::Certificate.new(File.read("client_cert.crt")),
:ssl_client_key => OpenSSL::PKey::RSA.new(File.read("client_cert.key")),
:ssl_ca_file => "mycacert.crt",
:verify_ssl => OpenSSL::SSL::VERIFY_PEER
).get

Resources