[wp-trac] [WordPress Trac] #26010: SSL via `WP_Http_Curl` breaks on HTTP version mismatch

WordPress Trac noreply at wordpress.org
Fri Nov 15 08:02:12 UTC 2013


#26010: SSL via `WP_Http_Curl` breaks on HTTP version mismatch
--------------------------+------------------------------
 Reporter:  soulseekah    |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  HTTP          |     Version:  3.7
 Severity:  minor         |  Resolution:
 Keywords:                |
--------------------------+------------------------------

Comment (by soulseekah):

 Replying to [comment:5 dd32]:
 > The problem is, that many servers out there do not respect the 6/7th
 > set, and as a result, OpenSSL clients will generally not call a
 > Shutdown-not-completed error as a critical error, and will continue to
 > return the data.
 > In cURL 7.31.0 that was changed, and it treated any error as fatal. In
 > addition to that, GnuTLS (an SSLv3-only client, which cURL can be compiled
 > with instead of OpenSSL) doesn't like servers which violate that spec and
 > fails those requests too.

 So Google's servers (https://www.google.de, https://www.youtube.com) are
 actually violating SSL shutdown procedures under HTTP/1.0?

 I can see slight variations in the closing traces (`--trace`) when
 requesting HTTP/1.0 versions, but the handshake is identical.

 HTTP/1.1
 {{{
 == Info: Connection #0 to host www.youtube.com left intact
 }}}

 HTTP/1.0
 {{{
 == Info: SSL read: error:00000000:lib(0):func(0):reason(0), errno 0
 == Info: Closing connection 0
 == Info: SSLv3, TLS alert, Client hello (1):
 => Send SSL data, 2 bytes (0x2)
 0000: 01 00                                           ..
 }}}

 I can't see the shutdown traces. Why is the connection left intact in
 HTTP/1.1? In later versions of cURL both HTTP/1.1 and HTTP/1.0 requests
 result in:

 {{{
 == Info: Closing connection 0
 == Info: SSLv3, TLS alert, Client hello (1):
 => Send SSL data, 2 bytes (0x2)
 0000: 01 00                                           ..
 }}}

 Any ideas? Was/is cURL violating shutdown procedures and not closing the
 connection? What happened when it did? Isn't Google responding correctly?

 GitHub (which doesn't error out on 7.31.0 via HTTP/1.0) produces an
 identical trace:
 {{{
 == Info: Closing connection 0
 == Info: SSLv3, TLS alert, Client hello (1):
 => Send SSL data, 2 bytes (0x2)
 0000: 01 00                                           ..
 }}}

 Still puzzled a bit. Is that a `close_notify` from the client?

--
Ticket URL: <http://core.trac.wordpress.org/ticket/26010#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
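
Read as the two-byte body of a TLS alert record (level, then description, per RFC 5246), the `01 00` dumped in the traces above is a warning-level `close_notify`. The Python below is an added example, not code from the ticket, WordPress or cURL; it decodes alert bodies from `--trace` output, and `decode_alerts` and the embedded sample trace are constructed for illustration.

```python
import re

# TLS alert levels and a subset of descriptions (RFC 5246, section 7.2).
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                20: "bad_record_mac", 40: "handshake_failure",
                42: "bad_certificate", 48: "unknown_ca",
                70: "protocol_version", 80: "internal_error"}

# Constructed sample: the closing lines quoted in the ticket comment.
SAMPLE_TRACE = """\
== Info: Closing connection 0
== Info: SSLv3, TLS alert, Client hello (1):
=> Send SSL data, 2 bytes (0x2)
0000: 01 00                                           ..
"""

# Offset, then hex byte pairs separated by single spaces (ASCII column ignored).
HEX_LINE = re.compile(r"^[0-9a-fA-F]{4}: ((?:[0-9a-fA-F]{2} ?)+)")


def decode_alerts(trace):
    """Return (direction, level, description) per TLS alert in a --trace dump."""
    alerts, in_alert, direction = [], False, None
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("== Info:"):
            # Only hex dumps following a "TLS alert" info line are alert bodies.
            in_alert = "TLS alert" in line
        elif line.startswith("=> Send SSL data"):
            direction = "sent"
        elif line.startswith("<= Recv SSL data"):
            direction = "received"
        elif in_alert and (m := HEX_LINE.match(line)):
            body = bytes.fromhex(m.group(1))
            in_alert = False
            if len(body) != 2:
                continue  # an alert body is exactly level + description
            level, desc = body
            alerts.append((direction,
                           LEVELS.get(level, f"unknown({level})"),
                           DESCRIPTIONS.get(desc, f"unknown({desc})")))
    return alerts


if __name__ == "__main__":
    for alert in decode_alerts(SAMPLE_TRACE):
        print(alert)  # ('sent', 'warning', 'close_notify')
```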