Skip to content

HTTP2 frame issue with libcurl and openscap #15941

New issue
New issue
Closed
Closed
HTTP2 frame issue with libcurl and openscap#15941
Assignees
icing
Labels
HTTP/2not-a-curl-bugThis is not a bug in curl
@Jiri-Stary

Description

@Jiri-Stary
Jiri-Stary
opened on Jan 8, 2025

I did this

/usr/bin/oscap info --verbose DEVEL --fetch-remote-resources --profiles /ssg/scap-security-guide-0.1.75/ssg-debian12-ds.xml;

It uses libcurl to fetch the data and it fails on frame issue:

I: oscap: Using environment variables: [oscap(17):oscap(7fd8c7d58390):debug.c:316:oscap_print_env_vars]
I: oscap: OSCAP_CHECK_ENGINE_PLUGIN_DIR='' [oscap(17):oscap(7fd8c7d58390):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_CONTAINER_VARS='' [oscap(17):oscap(7fd8c7d58390):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_EVALUATION_TARGET='' [oscap(17):oscap(7fd8c7d58390):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_FULL_VALIDATION='' [oscap(17):oscap(7fd8c7d58390):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_OVAL_COMMAND_OPTIONS='' [oscap(17):oscap(7fd8c7d58390):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PCRE_EXEC_RECURSION_LIMIT='' [oscap(17):oscap(7fd8c7d58390):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PROBE_ROOT='' [oscap(17):oscap(7fd8c7d58390):debug.c:319:oscap_print_env_vars]
I: oscap: SEXP_VALIDATE_DISABLE='' [oscap(17):oscap(7fd8c7d58390):debug.c:319:oscap_print_env_vars]
I: oscap: SOURCE_DATE_EPOCH='' [oscap(17):oscap(7fd8c7d58390):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PROBE_MEMORY_USAGE_RATIO='' [oscap(17):oscap(7fd8c7d58390):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PROBE_MAX_COLLECTED_ITEMS='' [oscap(17):oscap(7fd8c7d58390):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PROBE_IGNORE_PATHS='' [oscap(17):oscap(7fd8c7d58390):debug.c:319:oscap_print_env_vars]
I: oscap: Identified document type: data-stream-collection [oscap(17):oscap(7fd8c7d58390):doc_type.c:96:oscap_determine_document_type_reader]
Downloading: https://www.debian.org/security/oval/oval-definitions-bookworm.xml.bz2 ... D: oscap: == cURL info: Host www.debian.org:443 was resolved.
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: IPv6: 2603:400a:ffff:bb8::801f:3e
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: IPv4: 128.31.0.62
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Trying [2603:400a:ffff:bb8::801f:3e]:443...
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Immediate connect fail for 2603:400a:ffff:bb8::801f:3e: Network unreachable
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Trying 128.31.0.62:443...
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: ALPN: curl offers h2,http/1.1
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: CAfile: /etc/ssl/certs/ca-certificates.crt
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: CApath: /etc/ssl/certs
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Server hello (2):
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Certificate (11):
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, CERT verify (15):
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Finished (20):
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (OUT), TLS handshake, Finished (20):
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: ALPN: server accepted h2
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Server certificate:
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: subject: CN=www.debian.org
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: start date: Dec 10 00:38:49 2024 GMT
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: expire date: Mar 10 00:38:48 2025 GMT
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: subjectAltName: host "www.debian.org" matched cert's "www.debian.org"
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: issuer: C=US; O=Let's Encrypt; CN=R11
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: SSL certificate verify ok.
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Connected to www.debian.org (128.31.0.62) port 443
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: using HTTP/2
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] OPENED stream for https://www.debian.org/security/oval/oval-definitions-bookworm.xml.bz2
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [:method: GET]
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [:scheme: https]
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [:authority: www.debian.org]
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [:path: /security/oval/oval-definitions-bookworm.xml.bz2]
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [accept: /]
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [te: gzip]
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [accept-encoding: deflate, gzip, br, zstd]
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: => cURL header (out): GET /security/oval/oval-definitions-bookworm.xml.bz2 HTTP/2
Host: www.debian.org
Accept: /
Connection: TE
TE: gzip
Accept-Encoding: deflate, gzip, br, zstd
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Request completely sent off
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Connection #0 to host www.debian.org left intact
[oscap(17):oscap(7fd8c7d58390):oscap_acquire.c:315:_curl_trace]
error
OpenSCAP Error: Download failed: Stream error in the HTTP/2 framing layer [/home/buildozer/aports/community/openscap/src/openscap-1.3.10/src/common/oscap_acquire.c:405]
Could not extract scap_org.open-scap_cref_ssg-debian12-xccdf.xml with all dependencies from datastream. [/home/buildozer/aports/community/openscap/src/openscap-1.3.10/src/DS/ds_sds_session.c:228]
An error occurred during evaluation

I expected the following

not to have the the frame error on the file

https://www.debian.org/security/oval/oval-definitions-bookworm.xml.bz2

Download failed: Stream error in the HTTP/2 framing layer

curl/libcurl version

#10 [5/8] RUN curl --version
#10 0.157 curl 8.11.1 (x86_64-alpine-linux-musl) libcurl/8.11.1 OpenSSL/3.3.2 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 c-ares/1.33.1 libidn2/2.3.7 libpsl/0.21.5 nghttp2/1.62.1
#10 0.157 Release-Date: 2024-12-11
#10 0.157 Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
#10 0.157 Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP UnixSockets zstd
#10 DONE 0.2s

operating system

alpine linux 3.20

Metadata

Metadata

Assignees

Labels

HTTP/2not-a-curl-bugThis is not a bug in curl

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions