I'm facing a strange issue with our new c++ wrapper over libcurl 7.33 (compiled with enable-ares, RHEL5.4). The performance is good(in msecs) when I hit http://posttestserver.com/post.php with easy interface but with multi interface dns resolving takes more time for the same url. If the libcurl callback timer timeout is used instead of our own timer logic, the request takes 2 minutes to complete. Timeout suggestion from libcurl increases like 4000, 150000..This does not happen if IP is used.
This could be due to a timeout bug present in 7.33.0. There's a newer libcurl version out that you could use to see if it the bug remains or not.
It would also help if you would provide a smallish example source code here that shows how you do this so that we can see that the code is correct from your end. Or tell us if you can use one of the existing libcurl examples on the curl site to repeat the problem.
Related
We're currently facing some issues trying to start a Service in Windows, which is an executable file and the output of a compiling process using .NET framework for C++ (Windows\Microsoft.NET\Framework\v2.0.50727).
We are able to compile, start and execute the exact same service in our DEV Environment, which consists of Windows 7 installed in Virtual Box with VisualStudio2005 (it's old software, I know...).
When we do it in our Test environment, we get a timeout error when trying to start the Service (1053: The Service Did Not Respond to the Start or Control Request in a Timely Fashion.). The server is running WindowsServer 2008 R2 Standard. We already tried to change the timeout time, without success. We also compiled the source code using the same Visual Studio 2005 SW and although we were able to compile it successfully we are still getting the same timeout message.
We are currently trying to understand what's objectively causing the different behaviour. The most obvious difference is the windows version, naturally, but since the compilation output appears identical and there are no errors during the compilation process in both environments and both output logs are identical as well we are running low on ideas to identify and validate objective differences. Our latest approach consists in trying to understand if by using Dependency Walker (dependencywalker.com) we are able to identify any issue regarding DLLs (we also checked if there is any corrupt DLL or system file in the environment and there isn't any, using the windows command for it). We're also checking some of the suggestion made on the following post: Error 1053 the service did not respond to the start or control request in a timely fashion.
Any one faced a similar issues? If so, can you suggest any kind of approach to identify the reason why the service isn't staring, other than the ones here mentioned?
Thanks in advance.
We ended up extending the timeout time regarding Service startup in Windows to 10 minutes followed by the necessary restart and we managed to start the service normally and almost immediately, which makes us think that the timeout time was never really an issue here. Although we haven't been able to pinpoint the exact cause we are still inclined to think that it was a Windows/Server related issue.
I have code that was tested (and approved) using HTTP requests. Release was scheduled for tomorrow... but the first test of our client against the (third party) release server reveals that it demands HTTPS. At least superficially, the one (and only?) part of our code that will need to change is:
HTTPClientSession session( myUri.GetHost(), myUri.GetPort() );
And the change required seems to be:
HTTPSClientSession session( myUri.GetHost(), myUri.GetPort(), context );
What is a simple, direct way to establish that context? My closest guess is to follow the lead of this question, but...
I am blissfully ignorant of the SSL layer that supports HTTPS - do I need to obtain a certificate? This question seems to suggest that client connections like mine generally don't need a certificate (the access to the server requires a login)... but if that's the case... what do you do instead? Am I even right to use an HTTPSClientSession?
First, you'll need to add a layer of SSL functionality to Poco by installing OpenSSL. Build OpenSSL and the corresponding Poco modules (taking care to produce the correct 32- or 64-bit versions for your deployment). On Windows, this will add libssl.dll, libcrypto.dll, PocoNetSSL.dll and PocoCrypto.dll to the DLLs you are already using.
When it comes to the code, this question has two answers that both give informative examples of how to use HTTPSClientSession. The first answer adds only a single line of code to what you already have, but it uses VERIFY_NONE, and so bypasses certificate verification. The second answer uses VERIFY_STRICT and goes to the other extreme. Whether you choose either, or something in between, will depend on your application. In my application, HTTPS had essentially no benefit at all, and the first (simpler) answer worked immediately out of the box. The second answer did not immediately work, so I can't comment further on it.
I'm writing a transparent intercepting HTTPS capable proxy using boost::asio + openSSL. I have a default server context where I specify that the server is a TLSv1.2 server, when a client connects, I extract the host from the hello and use SSL_set_SSL_CTX to set the context (which either already exists or I've just created it after spoofing the upstream cert) and initiate the server (downstream) read/write volley as well as the upstream.
This was working before I started storing and sharing contexts. On each new incoming connection, I was creating a new client socket and context, loading ca-bundle as verify file, then creating a new server context, getting the spoofed certificate. It was functioning, but I started developing issues where EC_KEY objects were being double freed and such. I learned from another question of mine that I was going about this the wrong way and began refactoring to recycle and share CTX objects. To be specific, I'm using a single client CTX shared across the board that loads, at program startup, the CA-Bundle for verification.
However, since this refactor, I'm getting this on both the client and the server:
decryption failed or bad record mac
..mixed with a bajillion "short read"s. If I try to force everything TLSv1.2, I get
block cipher pad is wrong
Those errors are given to me after a read/write has failed and I call async_shutdown on either upstream or downstream sockets, which in the callback, error is set (so the shutdown failed).
I've scoured the interwebs finding jira posts from places like apache httpd and nginx where this error was fixed in different ways (resizing read buffers to be larger, openSSL patches, forcing SSLv3, so on and so forth).
I thought there might be an issue with multithreading (my io-service uses a thread pool) but I can see in the code that boost do_init sets locking mechanics for openSSL and all of my IO are wrapped into a single strand.
I'm at a total loss and am wondering if anyone can shed light on what might be happening. I realize I've posted no code, that's because I've got hundreds and hundreds of lines of it and don't want to turn people off with a huge code dump. I realize however this is a rather complicated program and thus a complicated issue so please ask and I'll provide whatever I can.
Edit
I guess I should mention for completeness that I'm getting these errors on both openssl 1.0.2 and 1.0.2a, Win 8.1 x64 and I'm intercepting and routing the http/https traffic through my proxy with with WinDivert.
Edit 2
Reduced entire program to 1 thread, same effect. Created new client CTX for each client connection, same issue. Tried disabling AES-NI, issue persists. Tried different computer, same effect. Recompiled openssl from source (was using precompiled binaries), issue persists. Tried setting additional OP_ workaround flags described in current docs related to downgrade detection, padding bugs, so on and so forth, issue persist. I think I'll just start randomly mashing the keyboard and compile button soon.
I was going to just delete this question, but I decided to answer it in light of the fact that nowhere on the net (that I could find) actually pointed to a correct solution to this problem. I've read every single report about this error that one could find and every single one of those reports, the people "solved" or "reduced" this error in a different way. Every single one of them, a different solution. This is what helped make this issue so difficult to reason out, because everyone everywhere has a different underlying causal explanation.
It's complicated, ready? This error will present itself if you cancel/abort a pending async SSL operation. Mind->boom(). It'll be even more confusing if you do what the docs say and use async_shutdown to do so, because even the call back to async_shutdown will fail (error code is set) and your error message will randomly be something stupid like "decryption failed or bad record mac" or "block cipher pad is wrong" or "SSLv3 alert!" so on and so forth. When seeing errors like this, ignore the errors and analyze the control flow of your IO ops, somewhere you're either prematurely ending them or getting them out of order.
In my case, the premature end was (sort of) intentional, since during this stupid heavy refactor I decided to change things outside the scope of the problem, like my HTTPHeader parser, which I bugged out and ended up cause it to fail nearly 100% and thus aborting the connections. :) The error strings were masking the real cause by telling me encryption failed for some reason or another. Dumb mistake I know, but I take comfort in being the first one (apparently) to recognize it. :)
Open a powershell and type this
(Invoke-WebRequest -Uri status.dev.azure.com).StatusDescription
https://devblogs.microsoft.com/devops/deprecating-weak-cryptographic-standards-tls-1-0-and-1-1-in-azure-devops-services/
I use libcurl to get webpage's source code, everything goes all right until to get the source code of "www.macys.com".
My programme gets nothing without CURLOPT_FOLLOWLOCATION option, but when with this option, the redirecting location is always '/' and the curl_easy_perform function will not return unless I set the CURLOPT_MAXREDIRS option.
My question is how can I get this webpage's source code with libcurl ?
Thanks a lot.
My libcurl version : 7.23.1, OS: CentOS 6.0(final) x64
If the server keeps redirecting the client, and you ask the client to follow the redirects then what are you expecting it to do?
The only option is to stop after a certain amount of steps, which is what CURLOPT_MAXREDIRS is used for.
The reason things like this happens is mostly because the site is checking for client specific details (user-agent, cookies, referer or similar) that your curl use doesn't provide. You can often make your curl requests more similar to a browser's and then avoid this effect.
Either disable CURLOPT_FOLLOWLOCATION and manually keep track of redirections to ensure a loop does not happen or set CURLOPT_MAXREDIRS to an insane number (10) which can only be reached via self-redirects.
My app will need to periodically access a trusted time source, so can not rely on system time since this one can be modified easily by user or batery failure etc. My first idea is to statically link to libntp (from ntp.org) and use its functions, is this a good idea?
Libntp looks a bit complex framework, is there some simpler, client implementation (preferably ANSI C since the app needs to be for different platforms... though can be also Cpp if can be compiled with gcc / MS VS)?
Is there some other alternative to ntp?
Thanks!!
Edit: Just to add some more info... it is important that the trusted-time-server values can not be modified (lets say, attacker modifies the trusted-time-server response and app accepts fake time). I started looking at ntp and see that it takes care of that issue. The question is now should i use ntp sources from ntp.org as a starting point or there are some simple client-only implementatios? Ideally, some pointer to which module / source files from ntp.org sources should I use for client-only implementation and which header file shows the API I need to use, like for example a call getTrustedTime()... etc.
If you can rely on there being a network connection, your application could ask a remote server for the time, perhaps also over a signed or encrypted connection.
If you are using Boost you could use this