vSRX

Hi Experts,

  I m  running Curl using https on Juniper-vSRX and seems like its not supported although i have tried latest Juniper version as well.As per juniper its supported please let me know how i can enable it if possible .

root@juniper-wc01-vsrx-vSRX-Node1:~ # curl https://www.keycdn.com

curl: (1) Protocol "https" not supported or disabled in libcurl

root@juniper-wc01-vsrx-vSRX-Node1:~ # 

link:

https://www.juniper.net/documentation/en_US/junos/topics/reference/general/junos-script-automation-libslax-curl-extension-library.html

root@juniper-wc01-vsrx-vSRX-Node1> show version 

node0:

--------------------------------------------------------------------------

Hostname: juniper-wc01-vsrx-vSRX-Node0

Model: vsrx

Junos: 18.4R1-S1.3

The same command is working fine from my laptop.

SFAIZUL-M-CFN0:~ Shahid$ curl https://www.keycdn.com

<!DOCTYPE html>

<html lang="en" prefix="og: http://ogp.me/ns#">

    <head>

        <meta charset="utf-8">

        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

        <meta name="version" content="a36002f5685e2539952af5ff85c64abbb161d462">

        <title>KeyCDN - Content delivery made easy</title>

SFAIZUL-M-CFN0:~ Shahid$ curl --version

curl 7.54.0 (x86_64-apple-darwin18.0) libcurl/7.54.0 LibreSSL/2.6.5 zlib/1.2.11 nghttp2/1.24.1

Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 

Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy 

Regards

Faiz.

seems like libcurl on vSRX  doesn't support SSL although its mentioned it support https any help can be highly appreciated .

https://www.juniper.net/documentation/en_US/junos/topics/reference/general/junos-script-automation-libslax-curl-extension-library.html

Regards

Faiz.

Hi,

can you please let us know the versions you've tried? By any chance one of the ones with the fix for this PR https://prsearch.juniper.net/PR1430187 ?

Regards

Ulf

I m running this version and the link u shared seems like its fixed in 18.4R3 , all we need to use https not http using curl command .

Hostname: juniper-wc01-vsrx-vSRX-Node0

Model: vsrx

Junos: 18.4R1-S1.3

Regards

Faiz.

Hi Faiz,

not sure I get your reply:

1. I didn't say your issue is fixed in the PR I mentioned (although there is a chance) (but at least one issue ruled out)

2. you said "i have tried latest Juniper version as well" Which one was that?

Regards

Ulf

Let me take my statement back i tested on these versions Junos: 18.4R1-S1.3 and 15.1X49-D123.3 , could u please confirm if the issue is fixed/resolved in the releases mentioned in the PR1430187 ?

https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1430187

Regards

Faiz.

Hello Faiz,

I don't think the native CURL library of JunOS Shell supports https client mode. To leverage the curl extension libraries of libslax, you need to first call the libslax namespace ==> Refer to the document.

Again, I am not sure if calling the namespace inside the shell will help. Usually, it is a part of a SLAX script.

Hi Faiz,

I didn't say PR1430187 has the fix for your issue. I'm merely zeroing in / process of elimination, hence I asked for your SW version(s).

Next question: Did you try a file copy https://... ?

Regards

Ulf

rightnow i am only looking for curl if u can help that will be great .

I think I understand what you're looking for and I'm trying to help as best as I can. Knowing whether https works from the CLI would help me understand a bit better what's missing (where).

Thanks a lot for looking into this let me know exactly what u want me to run .

Can you pretend to want to use the CLI for "curl https://www.keycdn.com"? So for example "file copy https://www.keycdn.com foo".

Is there any way we can check with the Juniper support/development if they support  https protocol in curl in juniper vSRX or do they have any plans in future releases .As installing slax will be more complicated as other vendor are providing these https support in curl natively.

Curl utility(the one started on so-called Unix shell) in Junos for SRX devices seems to be compiled without SSL/TLS support and is statically linked:

root@srx% ldd /usr/bin/curl
/usr/bin/curl:
libgcc.so.1 => /usr/lib/libgcc.so.1 (0x28559000)
libc.so.6 => /usr/lib/libc.so.6 (0x285a8000)
root@srx%
root@srx% curl -V
curl 7.43.0 (JUNOS) libcurl/7.43.0
Protocols: dict file ftp gopher http imap pop3 rtsp smtp telnet tftp
Features: IPv6 Largefile UnixSockets
root@srx% 

Libcurl, mentioned in libslax curl extension library documentation, is used by cscript(program which runs the op/event/commit scripts written in SLAX):

root@srx% ldd /usr/libexec/ui/cscript | grep curl
        libcurl-nossl.so.1 => /usr/lib/libcurl-nossl.so.1 (0x28c65000)
        libext_curl.so.3 => /usr/lib/libext_curl.so.3 (0x28d80000)
root@srx% 

As seen above, there are two curl libraries. As the name suggests and analysis with hex editor confirms, the first one is compiled without SSL/TLS support and the second one is with SSL/TLS support. However, at least in Junos 18.2R3.4 on SRX device the cscript seems to load curl related functions from libcurl-nossl.so.1 library. For example, one can confirm this by using the first example on libslax curl extension library documentation page, adding the sleep() before the curl call and attaching to cscript process with gdb. All the curl related functions seem to be from libcurl-nossl.so.1 address space:

(gdb) info functions ^Curl
All functions matching regular expression "^Curl":

Non-debugging symbols:
0x28c6a9f0  Curl_read16_le
0x28c6aa04  Curl_read32_le
0x28c6aa30  Curl_read64_le
0x28c6aae0  Curl_read16_be
0x28c6aaf4  Curl_read32_be
0x28c6ab20  Curl_read64_be
0x28c6abd8  Curl_write16_le
0x28c6abec  Curl_write32_le
0x28c6ac0c  Curl_write64_le
0x28c6f49c  Curl_ftpsendf
0x28c6f5d8  Curl_GetFTPResponse
0x28c72740  Curl_ftp_parselist_data_alloc
0x28c7277c  Curl_ftp_parselist_data_free
0x28c727c4  Curl_ftp_parselist_geterror
0x28c729c4  Curl_ftp_parselist
0x28c74f18  Curl_fnmatch
0x28c78590  Curl_proxyCONNECT
0x28c7942c  Curl_proxy_connect
0x28c795b4  Curl_recvpipe_head
0x28c795ec  Curl_sendpipe_head
0x28c79624  Curl_pipeline_checkget_write
0x28c79698  Curl_pipeline_checkget_read
0x28c7970c  Curl_pipeline_leave_write
0x28c79714  Curl_pipeline_leave_read
0x28c7971c  Curl_pipeline_set_server_blacklist
0x28c79820  Curl_pipeline_server_blacklisted
0x28c79918  Curl_pipeline_set_site_blacklist
0x28c79b38  Curl_pipeline_site_blacklisted
0x28c79c14  Curl_move_handle_from_send_to_recv_pipe
0x28c79cd8  Curl_add_handle_to_pipeline
0x28c79d8c  Curl_pipeline_penalized
0x28c7b980  Curl_smtp_escape_eob
0x28c7bd80  Curl_gethostname
0x28c7be10  Curl_blockread_all
0x28c7bf58  Curl_SOCKS5
0x28c7c9cc  Curl_SOCKS4
0x28c7f080  Curl_pp_getsock
0x28c7f0ac  Curl_pp_disconnect
/* output removed for brevity */
0x28ca9d78  Curl_disconnect
0x28ca9ea0  Curl_done
0x28cac134  Curl_connect
0x28cac264  Curl_setopt
0x28cae654  Curl_close
0x28cae8ac  Curl_dupset
0x28caeab0  Curl_wait_ms
0x28caec10  Curl_poll
0x28caee50  Curl_socket_check
0x28caf150  Curl_set_dns_servers
0x28caf158  Curl_set_dns_interface
0x28caf160  Curl_set_dns_local_ip4
0x28caf168  Curl_set_dns_local_ip6
0x28caf170  Curl_raw_toupper
0x28caf28c  Curl_raw_equal
0x28caf360  Curl_raw_nequal
0x28caf46c  Curl_strntoupper
0x28caf648  Curl_tvlong
(gdb) info sharedlibrary
From        To          Syms Read   Shared Object Library
0x2852c550  0x28567880  Yes         /usr/lib//libxslt.so.3
0x285cac40  0x286dbb50  Yes         /usr/lib//libxml2.so.3
0x28749b90  0x28775ce0  Yes         /usr/lib//libslax.so.3
0x287d2860  0x287fca10  Yes         /usr/lib//libncurses.so.6
0x28850c30  0x28869750  Yes         /usr/lib//libedit.so.7
0x288b2350  0x288bd860  Yes         /usr/lib//libz.so.3
0x28904420  0x289178d0  Yes         /usr/lib//libmd.so.3
0x2895c1e0  0x28985e40  Yes         /usr/lib//libm.so.4
0x289dfdf0  0x28a96530  Yes         /usr/lib//libddl-access.so.1
0x28af8750  0x28b00360  Yes         /usr/lib//libjunoscript.so.1
0x28b48f70  0x28b511f0  Yes         /usr/lib//libmemory.so.1
0x28b94d10  0x28b971b0  Yes         /usr/lib//libjunos-string.so.1
0x28bdaa80  0x28bdc190  Yes         /usr/lib//libjunos-patricia.so.1
0x28c1f330  0x28c21b40  Yes         /usr/lib//libjunos-time.so.1
0x28c6a8b0  0x28caf770  Yes         /usr/lib//libcurl-nossl.so.1
0x28cfa7a0  0x28cfadf0  Yes         /usr/lib//libjunos-util.so.1
0x28d3cbb0  0x28d3e240  Yes         /usr/lib//libext_bit.so.3
0x28d81150  0x28d86260  Yes         /usr/lib//libext_curl.so.3
0x28dc8680  0x28dc88a0  Yes         /usr/lib//libext_exslt.so.3
0x28e0b0f0  0x28e0c8b0  Yes         /usr/lib//libext_os.so.3
0x28e4ed10  0x28e50430  Yes         /usr/lib//libext_xutil.so.3
0x28e92880  0x28e93820  Yes         /usr/lib//libpvidb.so.1
0x28ed73c0  0x28edf6e0  Yes         /usr/lib//libutil.so.5
0x28f246d0  0x28f2f220  Yes         /usr/lib//libgcc.so.1
0x28f90260  0x29067770  Yes         /usr/lib//libc.so.6
0x29128d90  0x2912a860  Yes         /usr/lib//nss_sdk.so.1
0x2916cff0  0x2916eab0  Yes         /usr/lib//libprovider.so.1
0x284a84c0  0x284d6170  Yes         /usr/libexec/ld-elf.so.1
(gdb)

Also, variables like Curl_handler_https are missing. In short, HTTPS does not seem to be supported even in SLAX scripts on SRX devices.