Azure Sphere OS Curl TLS/HTTPS GET Request Timesout When URL Length Exceeds ~1500 Bytes

Question

Azure Sphere OS Curl TLS/HTTPS GET Request Timesout When URL Length Exceeds ~1500 Bytes

James Higgins 336

When a simple curl HTTPS request is made with a URL exceeding ~1500 bytes the curl connection will timeout per the application defined handle configuration.
A TLS Encrypted Alert is sent from the Sphere OS to the remote server.

After this point the curl handle no longer works on subsequent requests and will return SSL: SSL_set_session failed: unknown error number. After some testing the curl handle is in the same broken state as this other bug I submitted even though the triggering event cause is different:

Azure Sphere OS Persistent Curl Handle using TLS Enters Failure Mode That Keeps Resetting Its Own TCP Connection
https://learn.microsoft.com/en-us/answers/questions/249213/azure-sphere-os-persistent-curl-handle-using-tls-e.html

If the size of the URL request is kept below the failure threshold then the curl handle does not fail.
A non-TLS curl HTTP request URL can be much larger >6000 bytes without failing.

I have traces, logs, and a simple example program that demonstrates the problem within a minute.

António Sérgio Azevedo 7,671 Reputation points Microsoft Employee Moderator

2021-02-12T00:21:09.377+00:00

Thank you so much for reporting @James Higgins ,
We will reach out to you by email so you can share with us all the details.

Nevertheless we encourage the community to share their scenarios if facing similar behaviors.

PS: We will share progress of our research publicly
James Higgins 336 Reputation points

2021-03-17T19:02:57.723+00:00

Since the Sphere OS has been updated to 21.02 I have retested using my example program and the documented problem is no longer reproducible.

Without being able to switch older OS revisions easily it is difficult to reestablish a baseline.

It's unlikely the reference CVE actually fixed the bug since those changes were made in ftp.c and are unrelated to HTTP GET.

It seems likely that some other curl fix was made and subsequently pulled into the Sphere OS layer.

I don't have time to try to sort through all the curl/WolfSSL commits and try to determine what changed so I will accept this answer.

Answer accepted by question author

0 additional answers

Your answer

António Sérgio Azevedo 7,671 Reputation points Microsoft Employee Moderator

2021-02-12T00:21:09.377+00:00

Thank you so much for reporting @James Higgins ,
We will reach out to you by email so you can share with us all the details.

Nevertheless we encourage the community to share their scenarios if facing similar behaviors.

PS: We will share progress of our research publicly
James Higgins 336 Reputation points

2021-03-17T19:02:57.723+00:00

Since the Sphere OS has been updated to 21.02 I have retested using my example program and the documented problem is no longer reproducible.

Without being able to switch older OS revisions easily it is difficult to reestablish a baseline.

It's unlikely the reference CVE actually fixed the bug since those changes were made in ftp.c and are unrelated to HTTP GET.

It seems likely that some other curl fix was made and subsequently pulled into the Sphere OS layer.

I don't have time to try to sort through all the curl/WolfSSL commits and try to determine what changed so I will accept this answer.

Answer 1

António Sérgio Azevedo 7,671 Microsoft Employee Moderator

@James Higgins as we have discussed offline, you confirmed: "I just tried to reproduce it using my test program and the ~1500 byte limitation does not seem to apply anymore."

I am posting this as the answer to inform community that it does not happens anymore after updating to the latest 21.02 release.

Update 16 March 2021

We believe that the patch that we did for cURL CVE-2020-8285 is responsible for the solution. The documentation on this CVE can be found here: https://curl.se/docs/CVE-2020-8285.html. While the CVE describes exploiting the previous design for this component, it is likely that the limited memory environment for Azure Sphere was also triggering this design to behave as reported. The fix to the CVE removes unnecessary recursion and its associated stack usage, providing less opportunity to accidently run out of stack space.

Thanks!

James Higgins 336 Reputation points

2021-03-11T19:04:11.24+00:00

Hi Antonio,

I looked at the Fixed bugs and common vulnerabilities but I cannot determine which one specifically addresses this issue.

Can you point out the specific listed fix that would have directly resolved this issue?

Best Regards,
Jim
António Sérgio Azevedo 7,671 Reputation points Microsoft Employee Moderator

2021-03-16T14:29:00.677+00:00

@James Higgins I have updated the answer with CVE responsible for the fix. Please let me know if we are ok to verify it as the answer? Thanks.
James Higgins 336 Reputation points

2021-03-17T19:02:23.913+00:00

Since the Sphere OS has been updated to 21.02 I have retested using my example program and the documented problem is no longer reproducible.

Without being able to switch older OS revisions easily it is difficult to reestablish a baseline.

It's unlikely the reference CVE actually fixed the bug since those changes were made in ftp.c and are unrelated to HTTP GET.

It seems likely that some other curl fix was made and subsequently pulled into the Sphere OS layer.

I don't have time to try to sort through all the curl/WolfSSL commits and try to determine what changed so I will accept this answer.

Share via

Azure Sphere OS Curl TLS/HTTPS GET Request Timesout When URL Length Exceeds ~1500 Bytes

0 additional answers

Your answer