vSRX


curl: (1) Protocol "https" not supported or disabled in libcurl

  • 1.  curl: (1) Protocol "https" not supported or disabled in libcurl

    Posted 03-24-2020 00:35

    Hi Experts,

      I'm running curl using https on Juniper vSRX and it seems like it's not supported, although I have tried the latest Juniper version as well. As per Juniper it's supported; please let me know how I can enable it, if possible.

     

     

    root@juniper-wc01-vsrx-vSRX-Node1:~ # curl https://www.keycdn.com

    curl: (1) Protocol "https" not supported or disabled in libcurl

    root@juniper-wc01-vsrx-vSRX-Node1:~ # 

     

    link:

    https://www.juniper.net/documentation/en_US/junos/topics/reference/general/junos-script-automation-libslax-curl-extension-library.html

     

    root@juniper-wc01-vsrx-vSRX-Node1> show version 

    node0:

    --------------------------------------------------------------------------

    Hostname: juniper-wc01-vsrx-vSRX-Node0

    Model: vsrx

    Junos: 18.4R1-S1.3

     

    The same command is working fine from my laptop.

     

    SFAIZUL-M-CFN0:~ Shahid$ curl https://www.keycdn.com

    <!DOCTYPE html>

    <html lang="en" prefix="og: http://ogp.me/ns#">

        <head>

            <meta charset="utf-8">

            <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

            <meta name="version" content="a36002f5685e2539952af5ff85c64abbb161d462">

     

            <title>KeyCDN - Content delivery made easy</title>

     

     

    SFAIZUL-M-CFN0:~ Shahid$ curl --version

    curl 7.54.0 (x86_64-apple-darwin18.0) libcurl/7.54.0 LibreSSL/2.6.5 zlib/1.2.11 nghttp2/1.24.1

    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 

    Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy 

     

    Regards

    Faiz.


    #curl
    #https


  • 2.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

    Posted 03-24-2020 00:44

    Seems like libcurl on vSRX doesn't support SSL, although it's mentioned that it supports https. Any help would be highly appreciated.

     

    https://www.juniper.net/documentation/en_US/junos/topics/reference/general/junos-script-automation-libslax-curl-extension-library.html

     

    Regards

    Faiz.



  • 3.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

     
    Posted 03-24-2020 01:20

    Hi,

    can you please let us know the versions you've tried? By any chance one of the ones with the fix for this PR https://prsearch.juniper.net/PR1430187 ?

    Regards

    Ulf



  • 4.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

    Posted 03-24-2020 01:44

    I'm running this version, and from the link you shared it seems like it's fixed in 18.4R3. All we need is to use https, not http, with the curl command.

     

    Hostname: juniper-wc01-vsrx-vSRX-Node0

    Model: vsrx

    Junos: 18.4R1-S1.3

     

    Regards

    Faiz.



  • 5.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

     
    Posted 03-24-2020 01:50

    Hi Faiz,

    not sure I get your reply:

    1. I didn't say your issue is fixed in the PR I mentioned (although there is a chance) (but at least one issue ruled out)

    2. you said "i have tried latest Juniper version as well" Which one was that?

    Regards

    Ulf



  • 6.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

    Posted 03-24-2020 02:09

    Let me take my statement back. I tested on these versions: Junos 18.4R1-S1.3 and 15.1X49-D123.3. Could you please confirm whether the issue is fixed/resolved in the releases mentioned in PR1430187?

     

    https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1430187

     

    Regards

    Faiz.



  • 7.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

     
    Posted 03-24-2020 02:35

    Hello Faiz,

     

    I don't think the native CURL library of JunOS Shell supports https client mode. To leverage the curl extension libraries of libslax, you need to first call the libslax namespace ==> Refer to the document.

    Again, I am not sure if calling the namespace inside the shell will help. Usually, it is a part of a SLAX script.



  • 8.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

     
    Posted 03-24-2020 03:13

    Hi Faiz,

    I didn't say PR1430187 has the fix for your issue. I'm merely zeroing in / process of elimination, hence I asked for your SW version(s).

    Next question: Did you try a file copy https://... ?

    Regards

    Ulf



  • 9.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

    Posted 03-24-2020 08:10

    Right now I am only looking for curl; if you can help, that will be great.



  • 10.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

     
    Posted 03-24-2020 08:40

    I think I understand what you're looking for and I'm trying to help as best as I can. Knowing whether https works from the CLI would help me understand a bit better what's missing (where).



  • 11.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

    Posted 03-24-2020 08:49

    Thanks a lot for looking into this. Let me know exactly what you want me to run.



  • 12.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

     
    Posted 03-24-2020 08:56

    Can you pretend to want to use the CLI for "curl https://www.keycdn.com"? So for example "file copy https://www.keycdn.com foo".



  • 13.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

    Posted 04-07-2020 09:06

    Is there any way we can check with Juniper support/development whether they support the https protocol in curl on Juniper vSRX, or whether they have any plans for future releases? Installing SLAX will be more complicated, as other vendors are providing this https support in curl natively.



  • 14.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

    Posted 05-04-2020 04:46

    The curl utility (the one started from the so-called Unix shell) in Junos for SRX devices seems to be compiled without SSL/TLS support and is statically linked:

    root@srx% ldd /usr/bin/curl
    /usr/bin/curl:
    libgcc.so.1 => /usr/lib/libgcc.so.1 (0x28559000)
    libc.so.6 => /usr/lib/libc.so.6 (0x285a8000)
    root@srx%
    root@srx% curl -V
    curl 7.43.0 (JUNOS) libcurl/7.43.0
    Protocols: dict file ftp gopher http imap pop3 rtsp smtp telnet tftp
    Features: IPv6 Largefile UnixSockets
    root@srx%

    Libcurl, mentioned in the libslax curl extension library documentation, is used by cscript (the program which runs the op/event/commit scripts written in SLAX):

    root@srx% ldd /usr/libexec/ui/cscript | grep curl
            libcurl-nossl.so.1 => /usr/lib/libcurl-nossl.so.1 (0x28c65000)
            libext_curl.so.3 => /usr/lib/libext_curl.so.3 (0x28d80000)
    root@srx% 
    

    As seen above, there are two curl libraries. As the name suggests and analysis with a hex editor confirms, the first one is compiled without SSL/TLS support and the second one is with SSL/TLS support. However, at least in Junos 18.2R3.4 on an SRX device, cscript seems to load curl-related functions from the libcurl-nossl.so.1 library. For example, one can confirm this by using the first example on the libslax curl extension library documentation page, adding a sleep() before the curl call and attaching to the cscript process with gdb. All the curl-related functions seem to be from the libcurl-nossl.so.1 address space:

     

    (gdb) info functions ^Curl
    All functions matching regular expression "^Curl":
    
    Non-debugging symbols:
    0x28c6a9f0  Curl_read16_le
    0x28c6aa04  Curl_read32_le
    0x28c6aa30  Curl_read64_le
    0x28c6aae0  Curl_read16_be
    0x28c6aaf4  Curl_read32_be
    0x28c6ab20  Curl_read64_be
    0x28c6abd8  Curl_write16_le
    0x28c6abec  Curl_write32_le
    0x28c6ac0c  Curl_write64_le
    0x28c6f49c  Curl_ftpsendf
    0x28c6f5d8  Curl_GetFTPResponse
    0x28c72740  Curl_ftp_parselist_data_alloc
    0x28c7277c  Curl_ftp_parselist_data_free
    0x28c727c4  Curl_ftp_parselist_geterror
    0x28c729c4  Curl_ftp_parselist
    0x28c74f18  Curl_fnmatch
    0x28c78590  Curl_proxyCONNECT
    0x28c7942c  Curl_proxy_connect
    0x28c795b4  Curl_recvpipe_head
    0x28c795ec  Curl_sendpipe_head
    0x28c79624  Curl_pipeline_checkget_write
    0x28c79698  Curl_pipeline_checkget_read
    0x28c7970c  Curl_pipeline_leave_write
    0x28c79714  Curl_pipeline_leave_read
    0x28c7971c  Curl_pipeline_set_server_blacklist
    0x28c79820  Curl_pipeline_server_blacklisted
    0x28c79918  Curl_pipeline_set_site_blacklist
    0x28c79b38  Curl_pipeline_site_blacklisted
    0x28c79c14  Curl_move_handle_from_send_to_recv_pipe
    0x28c79cd8  Curl_add_handle_to_pipeline
    0x28c79d8c  Curl_pipeline_penalized
    0x28c7b980  Curl_smtp_escape_eob
    0x28c7bd80  Curl_gethostname
    0x28c7be10  Curl_blockread_all
    0x28c7bf58  Curl_SOCKS5
    0x28c7c9cc  Curl_SOCKS4
    0x28c7f080  Curl_pp_getsock
    0x28c7f0ac  Curl_pp_disconnect
    /* output removed for brevity */
    0x28ca9d78  Curl_disconnect
    0x28ca9ea0  Curl_done
    0x28cac134  Curl_connect
    0x28cac264  Curl_setopt
    0x28cae654  Curl_close
    0x28cae8ac  Curl_dupset
    0x28caeab0  Curl_wait_ms
    0x28caec10  Curl_poll
    0x28caee50  Curl_socket_check
    0x28caf150  Curl_set_dns_servers
    0x28caf158  Curl_set_dns_interface
    0x28caf160  Curl_set_dns_local_ip4
    0x28caf168  Curl_set_dns_local_ip6
    0x28caf170  Curl_raw_toupper
    0x28caf28c  Curl_raw_equal
    0x28caf360  Curl_raw_nequal
    0x28caf46c  Curl_strntoupper
    0x28caf648  Curl_tvlong
    (gdb) info sharedlibrary
    From        To          Syms Read   Shared Object Library
    0x2852c550  0x28567880  Yes         /usr/lib//libxslt.so.3
    0x285cac40  0x286dbb50  Yes         /usr/lib//libxml2.so.3
    0x28749b90  0x28775ce0  Yes         /usr/lib//libslax.so.3
    0x287d2860  0x287fca10  Yes         /usr/lib//libncurses.so.6
    0x28850c30  0x28869750  Yes         /usr/lib//libedit.so.7
    0x288b2350  0x288bd860  Yes         /usr/lib//libz.so.3
    0x28904420  0x289178d0  Yes         /usr/lib//libmd.so.3
    0x2895c1e0  0x28985e40  Yes         /usr/lib//libm.so.4
    0x289dfdf0  0x28a96530  Yes         /usr/lib//libddl-access.so.1
    0x28af8750  0x28b00360  Yes         /usr/lib//libjunoscript.so.1
    0x28b48f70  0x28b511f0  Yes         /usr/lib//libmemory.so.1
    0x28b94d10  0x28b971b0  Yes         /usr/lib//libjunos-string.so.1
    0x28bdaa80  0x28bdc190  Yes         /usr/lib//libjunos-patricia.so.1
    0x28c1f330  0x28c21b40  Yes         /usr/lib//libjunos-time.so.1
    0x28c6a8b0  0x28caf770  Yes         /usr/lib//libcurl-nossl.so.1
    0x28cfa7a0  0x28cfadf0  Yes         /usr/lib//libjunos-util.so.1
    0x28d3cbb0  0x28d3e240  Yes         /usr/lib//libext_bit.so.3
    0x28d81150  0x28d86260  Yes         /usr/lib//libext_curl.so.3
    0x28dc8680  0x28dc88a0  Yes         /usr/lib//libext_exslt.so.3
    0x28e0b0f0  0x28e0c8b0  Yes         /usr/lib//libext_os.so.3
    0x28e4ed10  0x28e50430  Yes         /usr/lib//libext_xutil.so.3
    0x28e92880  0x28e93820  Yes         /usr/lib//libpvidb.so.1
    0x28ed73c0  0x28edf6e0  Yes         /usr/lib//libutil.so.5
    0x28f246d0  0x28f2f220  Yes         /usr/lib//libgcc.so.1
    0x28f90260  0x29067770  Yes         /usr/lib//libc.so.6
    0x29128d90  0x2912a860  Yes         /usr/lib//nss_sdk.so.1
    0x2916cff0  0x2916eab0  Yes         /usr/lib//libprovider.so.1
    0x284a84c0  0x284d6170  Yes         /usr/libexec/ld-elf.so.1
    (gdb)

     

    Also, variables like Curl_handler_https are missing. In short, HTTPS does not seem to be supported even in SLAX scripts on SRX devices.



  • 15.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

    Posted 12-11-2020 06:25
    HTTPS is supported in SLAX scripts on SRX devices running Junos 18.4R3-S2 and probably newer versions.


  • 16.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

    Posted 04-12-2021 16:59
    Thanks for your reply. I have checked again and it seems like they have added support for https in curl in the new version, Junos: 19.4R2-S3.1, but the problem is that it is still complaining or giving an error for the certificate or CAfile while accessing via https. If I check the path for the CAfile (CAfile: /var/db/certs/common/curl/curl-ca-bundle.crt), it is not showing /curl in the following path.

    root@juniper19:~ # curl --version
    curl 7.59.0 (JUNOS) libcurl/7.59.0 OpenSSL/1.0.2u
    Release-Date: 2018-03-14
    Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
    Features: IPv6 Largefile NTLM NTLM_WB SSL UnixSockets HTTPS-proxy

    root@juniper19:~ # curl https://www.google.com/
    curl: (77) error setting certificate verify locations:
    CAfile: /var/db/certs/common/curl/curl-ca-bundle.crt
    CApath: none

    root@juniper19:~ # cd /var/db/certs/common  ----> Missing curl
    root@juniper19:/var/db/certs/common # ls
    _ssl_init_profile_list certification-authority key-pair
    _ssl_term_profile_list certification-authority-untrusted local
    certificate-request crl ssl_cert_list
    root@juniper19:/var/db/certs/common #

    root@juniper19.4testcurl-vsrx-vSRX> show version
    Hostname: juniper19.4testcurl-vsrx-vSRX
    Model: vsrx
    Junos: 19.4R2-S3.1


    Please let me know if I need to upload the CA file to the respective path or if there is still some issue with curl support in the newer Junos version.




  • 17.  RE: curl: (1) Protocol "https" not supported or disabled in libcurl

    Posted 11-17-2021 09:12
    You should be able to use the /usr/share/ui/support/Trusted_CAs.pem CA certificates file:

    root@lab-srx340> show version
    Hostname: lab-srx340
    Model: srx340
    Junos: 19.4R2.6
    JUNOS Software Release [19.4R2.6]
    
    root@lab-srx340> start shell sh
    # curl --version
    curl 7.59.0 (JUNOS) libcurl/7.59.0 OpenSSL/1.0.2u
    Release-Date: 2018-03-14
    Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps
    telnet tftp
    Features: IPv6 Largefile NTLM NTLM_WB SSL UnixSockets HTTPS-proxy
    #
    # SSL_CERT_FILE=/usr/share/ui/support/Trusted_CAs.pem curl -s https://www.google.com/ | tail -1
    (function(){google.jl={attn:false,blt:'none',chnk:0,dw:false,dwu:true,emtn:0,end:0,ine:false,lls:'default',pdt:0,rep:0,snet:true,strt:0,ubm:false,uwp:true};})();(function(){var pmc='{\x22d\x22:{},\x22sb_he\x22:{\x22agen\x22:true,\x22cgen\x22:true,\x22client\x22:\x22heirloom-hp\x22,\x22dh\x22:true,\x22dhqt\x22:true,\x22ds\x22:\x22\x22,\x22ffql\x22:\x22en\x22,\x22fl\x22:true,\x22
    host\x22:\x22google.com\x22,\x22isbh\x22:28,\x22jsonp\x22:true,\x22msgs\x22:{\x22cibl\x22:\x22Rensa skning\x22,\x22dym\x22:\x22Menade du:\x22,\x22lcky\x22:\x22Jag har tur\x22,\x22lml\x22:\x22Ls mer\x22,\x22oskt\x22:\x22Inmatningsverktyg\x22,\x22psrc\x22:\x22Den hr skningen har tagits
    bort frn din \Webbhistorik\\u003C/a\\u003E\x22,\x22p
    srl\x22:\x22Ta bort\x22,\x22sbit\x22:\x22Sk med bild\x22,\x22srch\x22:\x22Sk p Google\x22},\x22ovr\x22:{},\x22pq\x22:\x22\x22,\x22refpd\x22:true,\x22rfs\x22:[],\x22sbas\x22:\x220 3px 8px 0 rgba(0,0,0,0.2),0 0 0 1px rgba(0,0,0,0.08)\x22,\x22sbpl\x22:16,\x22sbpr\x22:16,\x22scd\x22:10,\x22stok\x22:\x22nKkRLPNGud4N-e-ET_hVSwmV3J0\x22,\x22uhde\x22:false}}';google.pmc=JSON.parse(pmc);})();</script>        </body></html>#
    #
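
Added example, not part of the original thread: a POSIX sh sketch of the two checks the posts above walk through by hand, first whether the curl build lists https and a TLS feature at all (post 14), then which CA bundle to hand it (posts 16 and 17). The helper names `curl_lists`, `pick_ca_bundle` and `https_get` are hypothetical; the sample `curl -V` texts and the two CA paths are copied from the posts.

```shell
#!/bin/sh
# Sample `curl -V` outputs copied from posts 14 and 17 of this thread.
# The Protocols line of the second one wraps, as it does in post 17.
OLD_CURL_V='curl 7.43.0 (JUNOS) libcurl/7.43.0
Protocols: dict file ftp gopher http imap pop3 rtsp smtp telnet tftp
Features: IPv6 Largefile UnixSockets'
NEW_CURL_V='curl 7.59.0 (JUNOS) libcurl/7.59.0 OpenSSL/1.0.2u
Release-Date: 2018-03-14
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps
telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL UnixSockets HTTPS-proxy'

# curl_lists TEXT LABEL ITEM: succeed if ITEM appears under "LABEL:" in TEXT,
# including on wrapped continuation lines.
curl_lists() {
    printf '%s\n' "$1" | awk -v label="$2" -v item="$3" '
        {
            if (index($0, label ":") == 1) { insec = 1; sub(/^[^:]*:/, "") }
            else if ($0 ~ /^[A-Za-z-]+:/)  { insec = 0 }
            if (insec) for (i = 1; i <= NF; i++) if ($i == item) found = 1
        }
        END { exit !found }'
}

# pick_ca_bundle PATH...: print the first readable file that holds a PEM cert.
pick_ca_bundle() {
    for f in "$@"; do
        if [ -r "$f" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# https_get URL: fetch with certificate verification left on, failing early
# with a distinct reason for each of the two problems seen in the thread.
https_get() {
    v=$(curl -V) || return 2
    curl_lists "$v" Protocols https || { echo "curl has no https support" >&2; return 3; }
    curl_lists "$v" Features SSL    || { echo "curl has no TLS backend" >&2; return 3; }
    ca=$(pick_ca_bundle "${SSL_CERT_FILE:-}" \
        /var/db/certs/common/curl/curl-ca-bundle.crt \
        /usr/share/ui/support/Trusted_CAs.pem) || { echo "no CA bundle found" >&2; return 4; }
    curl --silent --show-error --cacert "$ca" "$1"
}
```

Source the file from `sh` (as in post 17, `start shell sh`) and call `https_get https://www.keycdn.com`; exit status 3 corresponds to the build in post 14, status 4 to the missing bundle in post 16.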
    ​