libcurl compiled against SecureTransport fails mutual authentication

Originator: mark
Number: rdar://15162707    Date Originated: 10/06/2013
Status: Duplicate/10535951 (Open)    Resolved:
Product: OS X    Product Version: 10.9
Classification: Serious Bug    Reproducible: Always

Summary:
I have an Apache server that houses a Git server via ProxyPass. I have been using Git with client certificate authentication daily for a couple of years now. On Friday, I installed Mavericks GM and discovered Git was no longer functional with this dev environment.

I discovered that libcurl was the culprit and that failure is probably due to a bug in Secure Transport or the handling of curl using Secure Transport.

It works if you rebuild curl to use OpenSSL.

Steps to Reproduce:
Mavericks GM /usr/bin/curl:

/usr/bin/curl -I https://x.x.x.x/
curl: (35) Unknown SSL protocol error in connection to x.x.x.x:-9824

Attempting to use a valid credential with it looks like:

/usr/bin/curl --verbose -E ~/mgrimes.crt --key ~/mgrimes.key -I https://x.x.x.x/
* About to connect() to x.x.x.x port 443 (#0)
*   Trying x.x.x.x...
* Adding handle: conn: 0x7f8cd2003a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f8cd2003a00) send_pipe: 1, recv_pipe: 0
* Connected to x.x.x.x (x.x.x.x) port 443 (#0)
* Unknown SSL protocol error in connection to x.x.x.x:-9824
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to x.x.x.x:-9824

----

Custom built curl (built using OpenSSL instead of SecureTransport)

/opt/curl/bin/curl -I https://x.x.x.x/
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

That's what we want to see... and to follow up with a successful connection, I can present the certs...

/opt/curl/bin/curl --verbose -E ~/mgrimes.crt --key ~/mgrimes.key -I https://x.x.x.x/
* About to connect() to x.x.x.x port 443 (#0)
*   Trying x.x.x.x...
* Adding handle: conn: 0x7fc9aa005400
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fc9aa005400) send_pipe: 1, recv_pipe: 0
* Connected to x.x.x.x (x.x.x.x) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
...

FINALLY, Git needs to be built against this new version of curl and the before/after shot looks like:

mark@entropy authtest on master(0f7d791) tracking origin/master
/Work/repos/authtest:master % git fetch -v
fatal: unable to access 'https://x.x.x.x/git/authtest.git/': Unknown SSL protocol error in connection to x.x.x.x:-9824

vs.

mark@entropy authtest on master(0f7d791) tracking origin/master
/Work/repos/authtest:master % /opt/git/bin/git fetch -v              
From https://x.x.x.x/git/authtest
 = [up to date]      master     -> origin/master

Expected Results:
I expect curl built using darwinssl to behave the way it does when it uses openssl.

Actual Results:
See discussion comparing and contrasting the two different builds of curl.

Version:
10.9 (13A598)

Notes:


Configuration:
Mid-2010 15" MacBook Pro running Mavericks GM.
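
An added diagnostic script, not part of this radar, that turns the comparison above into a repeatable check for any curl binary. It assumes the caller supplies the curl path, the HTTPS URL and the client cert and key files, and that -9824 is Secure Transport's errSSLPeerHandshakeFail, the peer's handshake_failure alert, which is the same condition OpenSSL reports as "sslv3 alert handshake failure".

```shell
#!/bin/sh
# Added example, not from the radar. run() takes a curl binary, the HTTPS
# URL, and the client cert and key files (all supplied by the caller).
# -9824 is Secure Transport's errSSLPeerHandshakeFail (the peer's
# handshake_failure alert); OpenSSL reports the same alert as
# "sslv3 alert handshake failure".

# Name the TLS backend from the first line of `curl --version`.
tls_backend() {
  case "$1" in
    *SecureTransport*) echo SecureTransport ;;
    *OpenSSL*)         echo OpenSSL ;;
    *)                 echo unknown ;;
  esac
}

# Map backend-specific curl error text to one label.
handshake_error_kind() {
  case "$1" in
    *-9824*|*"alert handshake failure"*) echo peer_handshake_failure ;;
    *) echo other ;;
  esac
}

# Interpret the pair of outcomes: first without, then with the client cert.
# Each argument is "ok" or a label from handshake_error_kind.
diagnose() {
  case "$1/$2" in
    ok/*) echo "server did not require a client certificate" ;;
    peer_handshake_failure/ok) echo "mutual auth works with this curl" ;;
    peer_handshake_failure/peer_handshake_failure)
      echo "server rejected the handshake even with a cert supplied: the client did not present it (the SecureTransport behaviour in this report) or the server would not accept it" ;;
    *) echo "inconclusive: $1 without cert, $2 with cert" ;;
  esac
}

# One request; prints ok or the error label. Extra args go to curl.
probe() {  # probe <curl> <url> [curl args...]
  curl_bin=$1; url=$2; shift 2
  err=$("$curl_bin" -sS -I -o /dev/null "$@" "$url" 2>&1) && { echo ok; return 0; }
  handshake_error_kind "$err"
}

run() {  # run <curl> <url> <cert> <key>
  echo "backend: $(tls_backend "$("$1" --version | head -n 1)")"
  diagnose "$(probe "$1" "$2")" "$(probe "$1" "$2" -E "$3" --key "$4")"
}

if [ "$#" -eq 4 ]; then run "$@"; fi
```

Run it once against /usr/bin/curl and once against the OpenSSL build to get the two verdicts side by side.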

Comments

same issue, marked as duplicate

FWIW, we have filed rdar://16501118 for the same issue and got this marked as a duplicate of rdar://14117376. Also, this is probably worth reading in this context: http://curl.haxx.se/mail/archive-2013-10/0036.html
