Volker Schmid
2016-03-23 09:05:59 UTC
Hello,
We use libCurl version 7.43.0 with schannel support for TLS. Some customers using a proxy are getting the following issue:
2016-03-22 14:20:04-1274 [4736]: VERB: CURL: timeout on name lookup is not supported
2016-03-22 14:20:04-1283 [4736]: VERB: CURL: Trying 10.1.21.217...
2016-03-22 14:20:04-1289 [4736]: VERB: CURL: Connected to ul-pxy01-p (10.1.21.217) port 3128 (#0)
2016-03-22 14:20:04-1289 [4736]: VERB: CURL: Establish HTTP proxy tunnel to pls2.regify.com:443
2016-03-22 14:20:04-1290 [4736]: VERB: CURL: CONNECT pls2.regify.com:443 HTTP/1.1
Host: pls2.regify.com:443
Proxy-Connection: Keep-Alive
2016-03-22 14:20:07-1680 [4736]: VERB: CURL: HTTP/1.0 200 Connection established
2016-03-22 14:20:07-1681 [4736]: VERB: CURL: X-NAI-ID: 1f47_d1d3_cc05731c_f030_11e5_8f31_000c2925c149
2016-03-22 14:20:07-1682 [4736]: VERB: CURL:
2016-03-22 14:20:07-1682 [4736]: VERB: CURL: Proxy replied OK to CONNECT request
2016-03-22 14:20:07-1683 [4736]: VERB: CURL: schannel: SSL/TLS connection with pls2.regify.com port 443 (step 1/3)
2016-03-22 14:20:07-1683 [4736]: VERB: CURL: schannel: checking server certificate revocation
2016-03-22 14:20:07-1686 [4736]: VERB: CURL: schannel: sending initial handshake data: sending 186 bytes...
2016-03-22 14:20:07-1687 [4736]: VERB: CURL: schannel: sent initial handshake data: sent 186 bytes
2016-03-22 14:20:07-1688 [4736]: VERB: CURL: schannel: SSL/TLS connection with pls2.regify.com port 443 (step 2/3)
2016-03-22 14:20:07-1689 [4736]: VERB: CURL: schannel: failed to receive handshake, need more data
2016-03-22 14:20:07-1739 [4736]: VERB: CURL: schannel: SSL/TLS connection with pls2.regify.com port 443 (step 2/3)
2016-03-22 14:20:07-1740 [4736]: VERB: CURL: schannel: encrypted data buffer: offset 2896 length 4096
2016-03-22 14:20:07-1740 [4736]: VERB: CURL: schannel: encrypted data length: 2798
2016-03-22 14:20:07-1740 [4736]: VERB: CURL: schannel: encrypted data buffer: offset 2798 length 4096
2016-03-22 14:20:07-1741 [4736]: VERB: CURL: schannel: received incomplete message, need more data
2016-03-22 14:20:07-1970 [4736]: VERB: CURL: schannel: SSL/TLS connection with pls2.regify.com port 443 (step 2/3)
2016-03-22 14:20:07-1971 [4736]: VERB: CURL: schannel: encrypted data buffer: offset 4096 length 4096
2016-03-22 14:20:07-1972 [4736]: VERB: CURL: schannel: received incomplete message, need more data
2016-03-22 14:20:07-1972 [4736]: VERB: CURL: schannel: SSL/TLS connection with pls2.regify.com port 443 (step 2/3)
2016-03-22 14:20:07-1973 [4736]: VERB: CURL: schannel: encrypted data buffer: offset 4246 length 5120
2016-03-22 14:20:07-1974 [4736]: VERB: CURL: schannel: received incomplete message, need more data
2016-03-22 14:20:07-1983 [4736]: VERB: CURL: schannel: SSL/TLS connection with pls2.regify.com port 443 (step 2/3)
2016-03-22 14:20:07-1984 [4736]: VERB: CURL: schannel: encrypted data buffer: offset 5270 length 5270
2016-03-22 14:20:07-1985 [4736]: VERB: CURL: schannel: received incomplete message, need more data
2016-03-22 14:20:07-1985 [4736]: VERB: CURL: schannel: SSL/TLS connection with pls2.regify.com port 443 (step 2/3)
2016-03-22 14:20:07-1986 [4736]: VERB: CURL: schannel: encrypted data buffer: offset 5761 length 6294
2016-03-22 14:20:13-1943 [4736]: VERB: CURL: schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - Die Sperrfunktion konnte die Sperrung nicht überprüfen, da der Sperrserver offline war.
2016-03-22 14:20:13-1944 [4736]: VERB: CURL: Closing connection 0
2016-03-22 14:20:13-1944 [4736]: VERB: CURL: schannel: shutting down SSL/TLS connection with pls2.regify.com port 443
2016-03-22 14:20:13-1944 [4736]: VERB: CURL: schannel: clear security context handle
2016-03-22 14:20:13-1945 [4736]: VERB: CURL: schannel: clear credential handle
2016-03-22 14:20:13-1945 [4736]: VERB: CURL: NTLM-proxy picked AND auth done set, clear picked!
The translated error message is: The revocation function was unable to check revocation because the revocation server was offline.
Any idea what's going on here? We tried to check if the proxy is blocking the calls to CRL servers, but we cannot see any such blocking.
Any Idea,
Volker
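
Added example, not part of the original post: a small triage script for verbose logs in the format shown above. It maps the schannel HRESULT to its wincrypt.h name (0x80092013 is CRYPT_E_REVOCATION_OFFLINE) and reports how long the handshake stalled before failing. The sample lines are abridged from the post; the function and field names are hypothetical, and the stall is measured in whole seconds on the assumption that the `-NNNN` timestamp suffix is not a time unit the post defines.

```python
import re
from datetime import datetime

# Revocation-related HRESULTs defined in wincrypt.h.
REVOCATION_HRESULTS = {
    0x80092010: "CRYPT_E_REVOKED",
    0x80092012: "CRYPT_E_NO_REVOCATION_CHECK",
    0x80092013: "CRYPT_E_REVOCATION_OFFLINE",
}
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)-\d+ \[\d+\]: VERB: CURL: (.*)$")
CONNECTED = re.compile(r"Connected to (\S+) \([\d.]+\) port (\d+)")
HANDSHAKE = re.compile(r"schannel: SSL/TLS connection with (\S+) port (\d+)")
FAILED = re.compile(r"InitializeSecurityContext failed: .*?\((0x[0-9A-Fa-f]{8})\)")

# Lines abridged from the log in the post above.
SAMPLE = """\
2016-03-22 14:20:04-1289 [4736]: VERB: CURL: Connected to ul-pxy01-p (10.1.21.217) port 3128 (#0)
2016-03-22 14:20:04-1290 [4736]: VERB: CURL: CONNECT pls2.regify.com:443 HTTP/1.1
Host: pls2.regify.com:443
2016-03-22 14:20:07-1683 [4736]: VERB: CURL: schannel: checking server certificate revocation
2016-03-22 14:20:07-1688 [4736]: VERB: CURL: schannel: SSL/TLS connection with pls2.regify.com port 443 (step 2/3)
2016-03-22 14:20:07-1986 [4736]: VERB: CURL: schannel: encrypted data buffer: offset 5761 length 6294
2016-03-22 14:20:13-1943 [4736]: VERB: CURL: schannel: next InitializeSecurityContext failed: Unknown error (0x80092013)
"""

def triage(log_text):
    """Return one finding per failed schannel handshake in the log."""
    findings, host, proxy, last_ts = [], None, None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # header continuation lines carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if c := CONNECTED.search(msg):
            proxy = f"{c.group(1)}:{c.group(2)}"
        elif h := HANDSHAKE.search(msg):
            host = f"{h.group(1)}:{h.group(2)}"
        elif err := FAILED.search(msg):
            code = int(err.group(1), 16)
            findings.append({
                "host": host, "via": proxy,
                "hresult": REVOCATION_HRESULTS.get(code, hex(code)),
                # Gap since the previous line: time spent waiting on the check.
                "stall_seconds": (ts - last_ts).total_seconds() if last_ts else None,
            })
        last_ts = ts
    return findings
```

A multi-second stall followed by CRYPT_E_REVOCATION_OFFLINE means the handshake data arrived but the revocation data (CRL or OCSP) for the server certificate could not be retrieved in time.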