JamesHiggins-7505 asked JamesHiggins-7505 commented

Azure Sphere OS Curl TLS/HTTPS GET Request Times Out When URL Length Exceeds ~1500 Bytes

When a simple curl HTTPS request is made with a URL exceeding ~1500 bytes, the curl connection will time out per the application-defined handle configuration.
A TLS Encrypted Alert is sent from the Sphere OS to the remote server.

After this point the curl handle no longer works on subsequent requests and will return SSL: SSL_set_session failed: unknown error number. After some testing the curl handle is in the same broken state as this other bug I submitted even though the triggering event cause is different:

Azure Sphere OS Persistent Curl Handle using TLS Enters Failure Mode That Keeps Resetting Its Own TCP Connection
https://docs.microsoft.com/en-us/answers/questions/249213/azure-sphere-os-persistent-curl-handle-using-tls-e.html

If the size of the URL request is kept below the failure threshold then the curl handle does not fail.
A non-TLS curl HTTP request URL can be much larger >6000 bytes without failing.

I have traces, logs, and a simple example program that demonstrates the problem within a minute.

azure-sphere

Thank you so much for reporting @JamesHiggins-7505 ,
We will reach out to you by email so you can share with us all the details.

Nevertheless we encourage the community to share their scenarios if facing similar behaviors.

PS: We will share progress of our research publicly

0 Votes 0 ·


1 Answer

asergaz answered JamesHiggins-7505 commented

@JamesHiggins-7505 as we have discussed offline, you confirmed: "I just tried to reproduce it using my test program and the ~1500 byte limitation does not seem to apply anymore."

I am posting this as the answer to inform the community that it does not happen anymore after updating to the latest 21.02 release.

Update 16 March 2021

We believe that the patch that we did for cURL CVE-2020-8285 is responsible for the solution. The documentation on this CVE can be found here: https://curl.se/docs/CVE-2020-8285.html. While the CVE describes exploiting the previous design for this component, it is likely that the limited memory environment for Azure Sphere was also triggering this design to behave as reported. The fix to the CVE removes unnecessary recursion and its associated stack usage, providing less opportunity to accidentally run out of stack space.

Thanks!
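
The answer above describes the CVE-2020-8285 fix as removing recursion and its stack usage. The following added example (not code from this thread, from curl, or from Azure Sphere OS) is a simplified model of that kind of change: a directory walker whose per-entry callback can skip entries, written once recursively and once as a loop, with a nesting counter standing in for stack depth. All identifiers and the sample listing are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model, not curl source. All names here are hypothetical. */
enum verdict { TAKE, SKIP };
typedef enum verdict (*entry_cb)(const char *name);

struct walker {
    const char **names;       /* directory listing */
    size_t n, next, handled;  /* size, cursor, accepted entries */
    size_t depth, max_depth;  /* current and deepest call nesting */
    entry_cb cb;
};

/* Recursive shape: each SKIP re-enters the step, one stack frame per entry. */
static void step_recursive(struct walker *w) {
    if (++w->depth > w->max_depth) w->max_depth = w->depth;
    if (w->next < w->n) {
        if (w->cb(w->names[w->next++]) == SKIP) step_recursive(w);
        else w->handled++;
    }
    w->depth--;
}

/* Loop shape: skipped entries are consumed in place, nesting stays at 1. */
static void step_iterative(struct walker *w) {
    if (++w->depth > w->max_depth) w->max_depth = w->depth;
    while (w->next < w->n) {
        if (w->cb(w->names[w->next++]) == SKIP) continue;
        w->handled++;
        break;
    }
    w->depth--;
}

/* Driver: calls the step until the listing is exhausted. */
static struct walker run(void (*step)(struct walker *), const char **names,
                         size_t n, entry_cb cb) {
    struct walker w = { .names = names, .n = n, .cb = cb };
    while (w.next < w.n) step(&w);
    return w;
}

/* Constructed sample: the callback skips dot-files. */
static enum verdict skip_dotfiles(const char *s) { return s[0] == '.' ? SKIP : TAKE; }
static const char *SAMPLE[] = { "a.txt", ".1", ".2", ".3", ".4", "b.txt", ".5" };

int main(void) {
    struct walker r = run(step_recursive, SAMPLE, 7, skip_dotfiles);
    struct walker i = run(step_iterative, SAMPLE, 7, skip_dotfiles);
    printf("recursive: handled=%zu max_depth=%zu\n", r.handled, r.max_depth);
    printf("iterative: handled=%zu max_depth=%zu\n", i.handled, i.max_depth);
    return 0;
}
```

In the recursive form the deepest nesting grows with the longest run of skipped entries, while the loop form stays at one frame regardless of input, which matters most on a target with a small fixed stack.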




Hi Antonio,

I looked at the Fixed bugs and common vulnerabilities but I cannot determine which one specifically addresses this issue.

Can you point out the specific listed fix that would have directly resolved this issue?

Best Regards,
Jim

1 Vote 1 ·
asergaz JamesHiggins-7505 ·

@JamesHiggins-7505 I have updated the answer with the CVE responsible for the fix. Please let me know if we are OK to verify it as the answer. Thanks.

0 Votes 0 ·

Since the Sphere OS has been updated to 21.02 I have retested using my example program and the documented problem is no longer reproducible.

Without being able to switch older OS revisions easily it is difficult to reestablish a baseline.

It's unlikely the reference CVE actually fixed the bug since those changes were made in ftp.c and are unrelated to HTTP GET.

It seems likely that some other curl fix was made and subsequently pulled into the Sphere OS layer.

I don't have time to try to sort through all the curl/WolfSSL commits and try to determine what changed so I will accept this answer.

1 Vote 1 ·