From: Axel U
Date: Fri, 22 May 2020 10:11:13 -0400
Subject: Re: curl large header issue https
To: PICCORO McKAY Lenz
Cc: ~alpine/users@lists.alpinelinux.org

On Fri, May 22, 2020 at 12:51 AM PICCORO McKAY Lenz wrote:
>
> https://github.com/curl/curl/issues/659 ????
>

curl issue #659 is about http2.
Some tests are skipped in the scripts with a reference to this exact curl issue.
My issue is present with http protocol below v2.

Can you confirm the error I am having?

Step 1 in terminal one (server side):
$ ncat -lvp 48443 --ssl -c 'xargs -n1 echo'

Step 2 in terminal two (client side):
$ perl -e '$b=`curl --insecure --http0.9 --silent --show-error \
-H foo:@{["0123456789"x2000]} \
-H zzz:here https://127.0.0.1:48443/`;print $b;'

Step 3 in terminal one:
Press Ctrl-C

Step 4 in terminal two:
Observe the output - reports an error.

> Lenz McKAY Gerardo (PICCORO)
> http://qgqlochekone.blogspot.com
>
>
> On Thu, May 21, 2020 at 16:11, Axel U (ulrich.axel@gmail.com) wrote:
>>
>> If someone could follow steps below to confirm what I am seeing, I
>> would appreciate it, to exclude something wrong with my setup.
>>
>> Environment Alpine 3.11
>> $ curl --version
>> curl 7.67.0 (x86_64-alpine-linux-musl) libcurl/7.67.0 OpenSSL/1.1.1g
>> zlib/1.2.11 nghttp2/1.40.0
>> ..
>>
>> This is not a discussion that servers should reject large headers for
>> security reasons or similar.
>> I found the issue originally when running an existing set of test
>> scripts that check server behavior for http1.1 requests with large
>> headers. When running those test scripts on an Alpine host, curl
>> reports an empty server response error (52), but the request with curl
>> succeeds on another distro against the same server. Also, wget on
>> Alpine has no issue with essentially the same request against the same
>> server.
>> So the test scripts in question would have to be adapted when
>> running them on an Alpine host to use wget instead of curl, but before
>> doing so, it smells like a curl issue on Alpine, so if someone could
>> confirm, I would appreciate it, to exclude something wrong with my
>> setup. I tried it on two Alpine hosts I have access to with the same
>> result. I tried the same on another distro and don’t have the issue.
>>
>> Note: Below steps are only set to http 0.9 because of ncat, as I tried
>> to come up with the easiest setup to reproduce using standard tools
>> and one line commands. So if you find or already run or want to set up
>> a http/https server that accepts large header sizes to test this
>> against and echoes it back, then run this for http1.1 (to get error
>> 52). This occurs on https only.
>>
>> Steps to reproduce
>>
>> on the host we need curl, wget (to replace BusyBox’s wget
>> implementation), findutils (to replace BusyBox’s xargs
>> implementation), nmap-ncat and perl
>>
>> In Step 2 below change the multiplier (example has it as 2000) to vary
>> the header size; for me up to 1600 success, 1700+ error.
>>
>> We need two terminals open: terminal one and terminal two
>>
>> Step 1 in terminal one (server side):
>> $ ncat -lvp 48443 --ssl -c 'xargs -n1 echo'
>>
>> Step 2 in terminal two (client side):
>> $ perl -e '$b=`curl --insecure --http0.9 --silent --show-error -H foo:@{["0123456789"x2000]} -H zzz:here https://127.0.0.1:48443/`;print $b;'
>>
>> Step 3 in terminal one:
>> Press Ctrl-C
>>
>> Step 4 in terminal two:
>> Observe the output - reports an error.
>>
>>
>> Repeat above using wget instead of curl in Step 2 in terminal two = no issue:
>> $ perl -e '$b=`wget --no-check-certificate -O - --header="foo:@{["0123456789"x2000]}" --header="zzz:here" https://127.0.0.1:48443/`;print $b;'
>>
>>
>> Repeat above with curl against http server = no issue:
>> Step 1 in terminal one (server side):
>> $ ncat -lvp 48080 -c 'xargs -n1 echo'
>>
>> Step 2 in terminal two (client side):
>> $ perl -e '$b=`curl --silent --http0.9 --show-error -H foo:@{["0123456789"x2000]} -H zzz:here http://127.0.0.1:48080/`;print $b;'
>>
>> Step 3 and 4 as above.
>>
>>
>> Repeat original steps unchanged (curl/https) on another distro that
>> has same tools installed = no issue.
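
Added example (not part of the original message, nor code from curl or Alpine): a POSIX shell script that narrows the "up to 1600 success, 1700+ error" range from the steps above to the exact header size in bytes at which curl starts failing. It assumes TARGET_URL points at an HTTPS server that accepts large headers and closes the connection itself, as the note about http1.1 describes; header_value, probe_curl and first_failing are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.
# TARGET_URL is an assumption: an HTTPS server that accepts large headers
# and answers without manual intervention (the http1.1 case in the note).
TARGET_URL="${TARGET_URL:-https://127.0.0.1:48443/}"

# Emit a header value of exactly $1 bytes, built from the thread's
# "0123456789" pattern (multiplier 1600 corresponds to 16000 bytes).
header_value() {
    awk -v n="$1" 'BEGIN { s = ""; while (length(s) < n) s = s "0123456789";
                           printf "%s", substr(s, 1, n) }'
}

# Probe: succeeds only if curl completes a request whose foo: header
# carries $1 bytes. Any curl error (for example 52) counts as failure.
probe_curl() {
    curl --insecure --silent --show-error --max-time 10 \
         -H "foo:$(header_value "$1")" -H zzz:here \
         "$TARGET_URL" >/dev/null
}

# first_failing GOOD BAD [PROBE]
# Binary search for the smallest size that fails, given that GOOD is
# known to pass and BAD is known to fail. PROBE defaults to probe_curl.
first_failing() {
    good=$1; bad=$2; probe=${3:-probe_curl}
    while [ $((bad - good)) -gt 1 ]; do
        mid=$(( (good + bad) / 2 ))
        if "$probe" "$mid"; then good=$mid; else bad=$mid; fi
    done
    echo "$bad"
}

# Run the search only when sizes are given, e.g.: sh bisect.sh 16000 17000
if [ "$#" -ge 2 ]; then
    first_failing "$1" "$2"
fi
```

Running the same search on the Alpine host and on the other distro, and with a wget-based probe passed as the third argument, shows whether the boundary belongs to the curl build or to the server.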