CJ Ess | 26 Jun 02:37 2016

Choosing http/1.1 over http/2 in Curl

I've built a new curl binary with http/2 support:

curl 7.49.1 (x86_64-pc-linux-gnu) libcurl/7.49.1 OpenSSL/1.0.2h nghttp2/1.11.1
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL TLS-SRP HTTP2 UnixSockets

I've found that if the server offers h2 then curl uses it, regardless of whether --http2 or --no-http2 is present on the command line (neither option causes an error, but there is no difference in behavior).

There is a -0 option for http/1.0 (which I'm using as a workaround) but there is no option for http/1.1.

Is there a method for forcing http/1.1 that maybe I've overlooked?

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ:        https://curl.haxx.se/docs/faq.html
Etiquette:  https://curl.haxx.se/mail/etiquette.html
GNUser | 23 Jun 00:53 2016

Does curl provide any "sensitive information" when using socks proxy?


Hey guys,

Like the title says, I am worried what information is given by curl
when making a download. I am thinking about which OS I am using,
software version, real IP address, DNS leaks, etc.
I am quite happy with the use of curl, and from what I have seen the
proxy connection is safe, but I am worried that some info might be
disclosed to the server (whatever server I am downloading from).
Any help greatly appreciated :)
Thanks in advance.

GNUser

-------------------------------------------------------------------
Jeffrey Smith | 14 Jun 21:29 2016

curl is blocking the signal handler in shell script

Quick question about some behavior that has blocked my implementation with curl on a project.

I have a Unix ksh shell script that is using curl to invoke a Java Spring Batch job on a server.  curl of course waits for that job to finish, say 10 minutes.  But our enterprise scheduling system has the ability to send a signal 15 to that shell script to tell it to gracefully exit.  What I have done before is to set a trap for 15 and register another shell script function to then do another curl call into the JVM to tell it to STOP the running job gracefully.  All of that works fine with just using 2 windows with 2 curl commands.

But when I try to use the signal handler in the shell script, the first curl is somehow blocking the script's ability to see and act on that signal.  As soon as the first curl command comes back, THEN the function is invoked on the signal instead of invoking it immediately as has happened in other techniques like I have done before.

Does this behavior sound right for curl?  Is there an option or anything I can do to stop curl from blocking my script's ability to detect and act on a signal?

Thanks,
Jeff

-------------------------------------------------------------------
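A POSIX shell runs a trap only after the foreground command it is waiting on has returned, while the `wait` builtin returns as soon as a trapped signal arrives. The script below is an added example, not part of the original message: it measures both cases, with `sleep 3` standing in for the long-running curl call and `kill` of that child standing in for the second curl call that stops the job (both stand-ins are assumptions of this example).

```shell
#!/bin/sh
# Constructed demo: `sleep 3` stands in for the long-running curl call, and
# killing it stands in for the second curl call that asks the job to stop.

# demo MODE -> prints how many seconds passed before the TERM handler ran.
# MODE is "foreground" (curl run directly) or "background" (curl ... & wait).
demo() {
    sh -c '
        start=$(date +%s)
        child=
        on_term() {
            echo $(( $(date +%s) - start ))
            [ -n "$child" ] && kill "$child" 2>/dev/null
            exit 0
        }
        trap on_term TERM
        if [ "$1" = foreground ]; then
            sleep 3          # shell blocks here; a pending trap must wait
        else
            sleep 3 &        # same command, run as a background job
            child=$!
            wait "$child"    # wait returns as soon as a trapped signal arrives
        fi
        exit 1               # reached only if no signal was delivered
    ' demo "$1" &
    script_pid=$!
    sleep 1
    kill -TERM "$script_pid"     # what the scheduler does: signal 15 to the script
    wait "$script_pid"
}

echo "foreground curl:   handler ran after $(demo foreground)s"
echo "background + wait: handler ran after $(demo background)s"
```
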
Sourin Maiti | 9 Jun 16:50 2016

Async operation timed out

Hi All,

I am facing some issues with curl POST xml. What could be the issue?

curl -X POST http://xx.xx.127.109:33322/AirService/AirShop -H 'Accept-Encoding: gzip,deflate' -H 'Content-Type: t 'SOAPAction: "http://localhost:9080/AirService/AirShop"' -H 'TransactionID: asdfghjklpoiuyt' -H 'Content-Length: 2541' -H 'Host: xx.xx.127.109:33322' -H 'Proxy-Connection: Keep-Alive' -H 'User-Agent: Apache-HttpClient/4.1.1 (java 1.5)' -d @Sample.xml

Response:

Async operation timed out

With these headers, I am getting valid response on SoapUI tool. I have verified I have telnet access to this IP and port from the linux server where I am trying the request.

--
with regards,
Sourin Maiti
-------------------------------------------------------------------
Christien Groff | 6 Jun 16:54 2016

curl --version tells me the release is DEV?

I downloaded the curl-7_49_1 tag on April 1 I believe. I have compiled it with openssl and libssh2 for Windows. When I do "curl --version" at the command prompt, the following is reported:

curl 7.49.1-DEV (i386-pc-win32) libcurl/7.49.1-DEV OpenSSL/1.0.2h libssh2/1.7.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS Largefile NTLM SSL

Any idea why libcurl is reporting as DEV and why the overall version is reporting as DEV? I am wondering if I made an error in my compilation. I used Visual Studio 2015 and I did choose a DLL release version.

Thanks in advance for any help.

-------------------------------------------------------------------
Kamil Dudka | 6 Jun 10:05 2016

Re: Fwd: curl says the certificate CN does not match the host name while it is

On Monday, June 06, 2016 01:21:52 Daniel Savard wrote:
> 2016-06-03 4:20 GMT-04:00 Kamil Dudka <kdudka <at> redhat.com>:
> > On Thursday, June 02, 2016 16:59:17 Daniel Savard wrote:
> > 
> > Have you checked that upgrading (lib)curl to a new version fixes the
> > problem?
> > 
> > I am not aware of any related fix in the NSS backend of libcurl...
> > 
> I think the version I am using is checking more than just the CN/fqdn as
> displayed in the message and issue an ambiguous message on an error
> condition that may not be related to what the message is exactly saying.

In any case, the subject name checking is not implemented in (lib)curl but 
directly in NSS.  So you should rather check which version of NSS you are 
using.

Kamil

> Regards,
> Daniel
-------------------------------------------------------------------
Daniel Savard | 2 Jun 22:59 2016

Fwd: curl says the certificate CN does not match the host name while it is

Hi,

I am running curl on a RHEL 6 with curl 4.19.7 and I am getting the following strange error:

$ curl -v --cacert "./mycastore" https://my.host.name:1043/apps/app1/index.html
* About to connect() to my.host.name port 1043 (#0)
*   Trying 10.217.89.10... connected
* Connected to my.host.name (10.217.89.10) port 1043 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: ./mycastore
  CApath: none
* SSL: certificate subject name 'my.host.name' does not match target host name 'my.host.name'
* NSS error -12276
* Closing connection #0
curl: (51) SSL: certificate subject name 'my.host.name' does not match target host name 'my.host.name'

After searching the mailing list I found these:
        https://curl.haxx.se/mail/lib-2014-03/0049.html
        https://curl.haxx.se/mail/lib-2014-03/0051.html#start

The recommendation is to upgrade to a newer version. However, since I have absolutely no control over the OS version and packages on this server, I cannot use a newer version. Has anyone already encountered and solved this problem other than by a software upgrade?

TIA
Daniel
-------------------------------------------------------------------
Daniel Stenberg | 30 May 08:32 2016

[RELEASE] curl and libcurl 7.49.1 is out!

Hi team!

We decided we needed to ship a patch release to fix some of the mistakes that 
slipped into the previous release, and when doing this we also include a 
security fix for CVE-2016-4802 so check that out!

As always, download curl from:

   https://curl.haxx.se/

Curl and libcurl 7.49.1

  Public curl releases:         155
  Command line options:         185
  curl_easy_setopt() options:   224
  Public functions in libcurl:  61
  Contributors:                 1404

This release includes the following bugfixes:

  o Windows: prevent DLL hijacking, CVE-2016-4802 [11]
  o dist: include manpage-scan.pl, nroff-scan.pl and CHECKSRC.md [1]
  o schannel: fix compile break with MSVC XP toolset [2]
  o curlbuild.h.dist: check __LP64__ as well to fix MIPS build [3]
  o dist: include curl_multi_socket_all.3 [4]
  o http2: use HTTP/2 in the HTTP/1.1-alike response
  o openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
  o CURLOPT_CONNECT_TO.3: user must not free the list prematurely [5]
  o libcurl.m4: Avoid obsolete warning [6]
  o winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity [7]
  o curl_multibyte: fix compiler error
  o openssl: cleanup must free compression methods (memory leak) [8]
  o mbedtls: fix includes so snprintf() works [9]
  o checksrc.pl: Added variants of strcat() & strncat() to banned function list
  o contributors.sh: better grep pattern and show GitHub username [10]
  o ssh: fix build for libssh2 before 1.2.6 [12]
  o curl_share_setopt.3: Add min ver needed for ssl session lock [13]

This release includes the following known bugs:

  o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

   Alexander Traud, Daniel Stenberg, Gisle Vanem, Jan Ehrhardt,
   jveazey on github, Marcel Raad, Michael Kaufmann, Michael Wallner,
   Moti Avrahami, Paul Howarth, Ray Satiro, Steve Holme, Tomas Jakobsson,
   (13 contributors)

         Thanks! (and sorry if I forgot to mention someone)

References to bug reports and discussions on issues:

  [1] = https://curl.haxx.se/mail/lib-2016-05/0113.html
  [2] = https://curl.haxx.se/bug/?i=812
  [3] = https://curl.haxx.se/bug/?i=813
  [4] = https://curl.haxx.se/bug/?i=816
  [5] = https://curl.haxx.se/bug/?i=819
  [6] = https://curl.haxx.se/bug/?i=821
  [7] = https://curl.haxx.se/bug/?i=818
  [8] = https://curl.haxx.se/bug/?i=817
  [9] = https://curl.haxx.se/mail/lib-2016-05/0196.html
  [10] = https://curl.haxx.se/bug/?i=824
  [11] = https://curl.haxx.se/docs/adv_20160530.html
  [12] = https://curl.haxx.se/bug/?i=831
  [13] = https://github.com/curl/curl/issues/826

-- 

  / daniel.haxx.se
-------------------------------------------------------------------
Sam Kuper | 28 May 18:36 2016

cURL and Iceweasel disagree about TLS certificate validity, despite same CA

Dear all,

I am new to this mailing list. I have a question, relating to cURL,
that I posted on the "Unix & Linux Stack Exchange":
https://unix.stackexchange.com/q/286122 . However, I think perhaps it
is also of interest to those on this mailing list, so I have copied it
below. If you disagree with my cross-posting, please tell me so, and
accept my apologies. Thank you!

- spk

On Debian Jessie 8.4 GNU/Linux, I am experiencing a certificate
validation inconsistency between
[Iceweasel](https://en.wikipedia.org/wiki/Iceweasel) (Debian's
derivative of Firefox) and [cURL](https://en.wikipedia.org/wiki/CURL)
in relation to the URL https://profile.mensa.org.uk/contact.aspx .

### Iceweasel

Visiting https://profile.mensa.org.uk/contact.aspx using Iceweasel
results in no errors or warnings. Clicking on the padlock icon at the
left of the address bar, and then clicking the "More Information..."
button, yields a window saying, among other things:

> **Web Site Identity**
> Web site: **profile.mensa.org.uk**
> Owner: **This web site does not supply ownership information.**
> Verified by: **GeoTrust Inc.**

Clicking the "View Certificate" button yields a window with two tabs,
"General" and "Details". The General tab says:

> **This certificate has been verified for the following uses:**
> SSL Client Certificate
> SSL Server Certificate
> **Issued To**
> Common Name (CN) profile.mensa.org.uk
> Organisation (O) <Not Part Of Certificate>
> Organisational Unit (OU) GT91227394
> Serial Number 06:26:4F
> **Issued By**
> Common Name (CN) RapidSSL SHA256 CA - G3
> Organisation (O) GeoTrust Inc.
> Organisational Unit (OU) <Not Part Of Certificate>
> **Period of Validity**
> Begins On 05/08/15
> Expires On 06/09/16
> **Fingerprints**
> SHA-256 Fingerprint 9C:F3:D7:B8:96:D6:A5:BC:98:9E:F0:DE:26:63:BD:17:C5:29:24:C9:02:A9:90:D3:A5:49:AB:10:5D:E8:C0:3C
> SHA1 Fingerprint

Clicking on the Details tab shows a three-level hierarchy in the
Certificate Hierarchy field:

    GeoTrust Global CA
      RapidSSL SHA256 CA - G3
        profile.mensa.org.uk

Selecting the `GeoTrust Global CA` item in that field, then clicking
the "Export..." button, and then saving as the file
`~/Documents/organisations/mensa/geotrust_global_ca.pem` works as
expected. Here is the fingerprint:

    $ openssl x509 -noout -in ~/Documents/organisations/mensa/geotrust_global_ca.pem -fingerprint
    SHA1 Fingerprint=DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12

Let's compare this with cURL.

### cURL

Visiting https://profile.mensa.org.uk/contact.aspx using cURL results
in a certificate error. Here is the verbose output, attempting to
fetch only header information:

    $ curl -v --head https://profile.mensa.org.uk/contact.aspx
    * Hostname was NOT found in DNS cache
    *   Trying 93.159.201.114...
    * Connected to profile.mensa.org.uk (93.159.201.114) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: none
      CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS alert, Server hello (2):
    * SSL certificate problem: unable to get local issuer certificate
    * Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.

cURL works OK for this URL over HTTP, and also for other domains over HTTPS:

    $ curl --head http://profile.mensa.org.uk/contact.aspx
    HTTP/1.1 302 Found
    Date: Sat, 28 May 2016 14:30:56 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 4.0.30319
    Location: /login.aspx?target=%2fcontact.aspx
    Set-Cookie: ASP.NET_SessionId=axylcyf2cep2lq4e3brkggln; path=/; HttpOnly
    Set-Cookie: WebToolsParam= ; path=/; HttpOnly
    Cache-Control: no-cache, no-store
    Pragma: no-cache
    Expires: -1
    Content-Type: text/html; charset=utf-8
    Content-Length: 151

    $ curl --head https://www.mensa.org.uk
    HTTP/1.1 200 OK
    Date: Sat, 28 May 2016 12:39:56 GMT
    Server: Apache
    Pragma: no-cache
    Expires: Sun, 19 Nov 1978 05:00:00 GMT
    Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
    Set-Cookie: SESS4b296932593725667cea89bf7eb4e462=d10lbmrpju03rccsaftdemiai6; path=/; domain=.mensa.org.uk
    Last-Modified: Sat, 28 May 2016 12:39:56 GMT
    Content-Type: text/html; charset=utf-8

Here is information about the current version of cURL:

    $ curl -V
    curl 7.38.0 (i586-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1k zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
    Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP

I believe that whereas Iceweasel has its own CA store, cURL looks for
certificate authority certificates in `/etc/ssl/certs`, as shown in
the verbose output above. So, my first thought was that the error cURL
experienced in visiting https://profile.mensa.org.uk/contact.aspx must
be due to `/etc/ssl/certs` being devoid of a certificate for the CA
that Iceweasel identified: `GeoTrust Global CA`. However, I found that
`/etc/ssl/certs` *does* contain a suitable certificate:

    $ openssl x509 -noout -in /etc/ssl/certs/GeoTrust_Global_CA.pem -fingerprint
    SHA1 Fingerprint=DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12

As you can see, this is the same fingerprint as for
`~/Documents/organisations/mensa/geotrust_global_ca.pem` above.

So, something else must be going on. I tried forcing cURL to use each
of these two certificates, via the `--cacert` option, but that didn't
yield success:

    $ curl --cacert ~/Documents/organisations/mensa/geotrust_global_ca.pem --head https://profile.mensa.org.uk/contact.aspx
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.

    $ curl --cacert /etc/ssl/certs/GeoTrust_Global_CA.pem --head https://profile.mensa.org.uk/contact.aspx
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.

My primary question is: **what is causing this inconsistency between
cURL and Iceweasel?**

My secondary question is: **does this inconsistency mean that there is
a bug in Iceweasel and/or a bug in cURL?**
-------------------------------------------------------------------
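The error quoted in the post above is OpenSSL's "unable to get local issuer certificate". As an added example (not part of the original post, and not a confirmed diagnosis of that host), the script below builds a constructed root, intermediate and leaf with the `openssl` command-line tool and shows that trusting the root alone produces this same error when the verifier is never handed the intermediate, while the same leaf verifies once the intermediate is supplied. All certificate names and file names are made up for the example.

```shell
#!/bin/sh
# Constructed three-level chain (root -> intermediate -> leaf); all names are
# made up for this example. Requires the openssl command-line tool.

# build_chain DIR: create root.pem, int.pem and leaf.pem inside DIR.
build_chain() (
    cd "$1" || exit 1
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root: plays the role of the CA file already in the trust store.
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout root.key -out root.pem -subj '/CN=Constructed Root CA' -days 2 &&
    # Intermediate CA, signed by the root.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout int.key -out int.csr -subj '/CN=Constructed Intermediate CA' &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.cnf -extensions v3_ca -out int.pem -days 2 &&
    # Server (leaf) certificate, signed by the intermediate.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout leaf.key -out leaf.csr -subj '/CN=leaf.example.test' &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -out leaf.pem -days 2
)

# verify_leaf DIR [extra "openssl verify" arguments]: trust only the root and
# print either "OK" or the verification error text.
verify_leaf() {
    dir=$1; shift
    out=$(openssl verify -CAfile "$dir/root.pem" "$@" "$dir/leaf.pem" 2>&1)
    case $out in
        *"unable to get local issuer certificate"*)
            echo "unable to get local issuer certificate" ;;
        *": OK"*) echo OK ;;
        *) echo "unexpected: $out" ;;
    esac
}

chain_demo() {
    dir=$(mktemp -d) || return 1
    build_chain "$dir" >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
    # The peer presents only the leaf; the verifier trusts only the root.
    echo "root only: $(verify_leaf "$dir")"
    # The peer also supplies the intermediate (untrusted, but it links leaf to root).
    echo "root + intermediate from peer: $(verify_leaf "$dir" -untrusted "$dir/int.pem")"
    rm -rf "$dir"
}

chain_demo
```

Against a live server, `openssl s_client -connect HOST:443 -showcerts` (HOST is a placeholder) lists the certificates the server actually sends, which is the input that differs between the two cases.
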
魏春明 | 23 May 09:51 2016

Use curl --cookie-jar cookie.txt through command line will turn on CURLOPT_COOKIEFILE?

Hi curl-users,

I am new to curl. I have a question about --cookie-jar option. If I specify the following command line in a command line tool:
curl --cookie-jar cookie.txt http://example.com
Does it enable CURLOPT_COOKIEFILE in curl_easy_setopt of libcurl?

Thanks,
Sam

--
Best Regards!
Chunming Wei
-------------------------------------------------------------------
Daniel Stenberg | 16 May 10:28 2016

curl user poll 2016

Hi friends.

It is time for our annual survey on how you use curl and libcurl. Your chance 
to tell us how you think we’ve done and what we should do next. The survey 
will close on midnight (central European time) May 27th, 2016.

If you use curl or libcurl from time to time, please consider helping us out 
with providing your feedback and opinions on a few things:

   http://goo.gl/forms/e4CoSDEKde

Thanks!

-- 

  / daniel.haxx.se
-------------------------------------------------------------------