FS#38429 - [curl] SSL error with paypal.com since 7.34.0

Attached to Project: Arch Linux
Opened by Dark (Dark) - Thursday, 09 January 2014, 06:30 GMT
Last edited by Dave Reisner (falconindy) - Wednesday, 29 January 2014, 14:17 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Dave Reisner (falconindy)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

There appears to be a regression in curl 7.34.x compared to the previous 7.33.x packages.

Reproduce as follows:

# curl -3 'https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate'
curl: (35) Unsupported SSL protocol version
A large number of PHP scripts using the Paypal API and IPN system use the '-3' flag via 'CURLOPT_SSLVERSION=>3', including the official Paypal PHP SDK.
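Added example (not the reporter's code, nor the PayPal SDK's): a PHP IPN validation callback that forces SSLv3 through CURLOPT_SSLVERSION the way the scripts described above do, and that keeps a curl transport failure (such as error 35, "Unsupported SSL protocol version", on 7.34.0) separate from a genuine INVALID verdict. The function name validate_ipn and the sample IPN fields are constructed for illustration; the endpoint URL is the one from the reproduction above.

```php
<?php
// Added example, not from the report or the PayPal SDK. Posts the received
// IPN fields back to PayPal for validation while forcing SSLv3 the way the
// affected scripts do, and distinguishes a curl transport error from an
// INVALID answer so that a broken TLS handshake is not logged as a rejected
// payment.

/**
 * Returns 'VERIFIED', 'INVALID' or 'TRANSPORT_ERROR'.
 * On a transport error, $transportError receives curl's errno and message.
 */
function validate_ipn(array $ipnFields, ?string &$transportError = null): string
{
    // PayPal expects cmd=_notify-validate followed by the fields, unchanged.
    $body = 'cmd=_notify-validate';
    foreach ($ipnFields as $key => $value) {
        $body .= '&' . urlencode($key) . '=' . urlencode($value);
    }

    $ch = curl_init('https://www.paypal.com/cgi-bin/webscr');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Same as the CLI's -3 flag; the integer value of this constant is 3,
        // and this is the setting that curl 7.34.0 rejects with error 35.
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_SSLv3,
        CURLOPT_TIMEOUT        => 30,
    ]);

    $response = curl_exec($ch);
    $errno    = curl_errno($ch);
    $error    = curl_error($ch);
    curl_close($ch);

    // A failed handshake gives errno 35 and a false response. Treating that
    // as INVALID would silently reject every legitimate payment, so it is
    // reported as its own outcome for the caller to log and retry.
    if ($response === false || $errno !== 0) {
        $transportError = sprintf('curl error %d: %s', $errno, $error);
        return 'TRANSPORT_ERROR';
    }

    return trim($response) === 'VERIFIED' ? 'VERIFIED' : 'INVALID';
}

// Constructed sample fields; a real callback would pass $_POST instead.
$sample = ['txn_id' => 'EXAMPLE123', 'payment_status' => 'Completed'];
$err    = null;
$result = validate_ipn($sample, $err);
echo $result, $err !== null ? " ($err)" : '', PHP_EOL;
```

On an affected curl 7.34.0 this prints TRANSPORT_ERROR together with the error 35 text from the report, which is the signal to look at the curl build rather than at the payment data.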

This task depends upon

Closed by Dave Reisner (falconindy)
Wednesday, 29 January 2014, 14:17 GMT
Reason for closing: Won't fix
Additional comments about closing: curl 7.35.0 released today, package to appear soon in [testing].
Comment by Dark (Dark) - Thursday, 09 January 2014, 06:32 GMT
The expected/correct output is:

# curl -3 'https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate'
INVALID
Comment by Dark (Dark) - Thursday, 09 January 2014, 06:38 GMT
Sorry, I should have searched more thoroughly; it appears this has been fixed upstream but not yet released officially:

http://curl.haxx.se/mail/tracker-2014-01/0008.html
Comment by RbN (RbN) - Thursday, 09 January 2014, 22:20 GMT
Here is the upstream patch (commit 4bb74005298bb0c517360582b90efafd540bf8f1 in the curl git tree); I am looking to see if there is a CVE attributed to this issue.

Comment by Dave Reisner (falconindy) - Thursday, 09 January 2014, 22:37 GMT
> Here is upstream patch (commit 4bb74005298bb0c517360582b90efafd540bf8f1 in the curl git tree),

That patch won't apply on 7.34.0 due to some restructuring of the SSL functionality. It's also a follow-up to the original "fix", which was committed in db11750cfa5b17a7e6ae7f64df5807e436d1a130.

Due to this bug, and some others, the release schedule for 7.35.0 (or 7.34.1) is being moved forward to the end of this month (rather than the middle of February). I'm inclined to wait it out.

> i am looking if there is a CVE attributed to this issue.
There isn't. There will be a CVE issued for a different bug (one which doesn't affect Linux).
Comment by Sebastián Peyrott (Pse) - Tuesday, 21 January 2014, 13:50 GMT
Could this cause problems with AUR helpers (yaourt, aura, cower), as described in this post: https://bbs.archlinux.org/viewtopic.php?id=175946 ?

Or even git over HTTPS?
Comment by Dave Reisner (falconindy) - Tuesday, 21 January 2014, 14:04 GMT
No, this bug is explicitly about the use of forced SSLv3 and affects everyone. That thread is worthless as far as debugging goes. It's just a bunch of "me too".