
Using -false-start breaks w/firefox #175

Closed
coderb opened this issue Aug 26, 2023 · 5 comments

Comments

@coderb

coderb commented Aug 26, 2023

Using -false-start in the impersonate script causes failure; removing the option fixes it.
Running under Debian bookworm x64.
Ideas?

```
$ ./curl_ff102 -k -v https://www.bing.com/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 204.79.197.200:443...
* Connected to www.bing.com (204.79.197.200) port 443 (#0)
* Initializing NSS with certpath: none
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
*  CAfile: none
*  CApath: none
* failed to load libnssckbi.so
* skipping SSL peer certificate verification
* Trying TLS False Start
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=www.bing.com,O=Microsoft Corporation,L=Redmond,ST=WA,C=US
*  start date: Jul 26 23:57:23 2023 GMT
*  expire date: Jan 22 23:57:23 2024 GMT
*  common name: www.bing.com
*  issuer: CN=Microsoft Azure TLS Issuing CA 05,O=Microsoft Corporation,C=US
> GET / HTTP/1.1
> Host: www.bing.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Upgrade-Insecure-Requests: 1
> Sec-Fetch-Dest: document
> Sec-Fetch-Mode: navigate
> Sec-Fetch-Site: none
> Sec-Fetch-User: ?1
> TE: Trailers
>
* ALPN: server accepted h2
* Received HTTP/0.9 when not allowed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
*
```
@coderb
Author

coderb commented Aug 26, 2023

Also, I just looked at the ff patch, and it seems that curl_easy_impersonate does not set the option for false-start.

@lwthiker
Owner

It works fine on my machine.

I see that curl-impersonate fails to load libnssckbi.so on your machine, so it might be related:

```
* failed to load libnssckbi.so
```

Can you share more details about your setup? Did you install nss and have libnssckbi.so on your system? What Linux distribution are you using?

@coderb
Author

coderb commented Aug 29, 2023

I'm using a fully patched standard debian system (bookworm). I fixed the libnssckbi.so error by installing the libnss-plugin-pem package and the issue remains.

Also, strangely I just checked https://github.com/lwthiker/curl-impersonate/blob/main/firefox/patches/curl-impersonate.patch and I don't see any call to enable CURLOPT_SSL_FALSESTART. Setting the option in code causes failure for me when using curl_easy_impersonate.

```
$ uname -a
Linux host 6.1.0-11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08) x86_64 GNU/Linux

$ dpkg -l | grep nss | grep -v openssh
ii  libnss-nis:amd64               3.1-4                          amd64        NSS module for using NIS as a naming service
ii  libnss-nisplus:amd64           1.3-4                          amd64        NSS module for using NIS+ as a naming service
ii  libnss-systemd:amd64           252.12-1~deb12u1               amd64        nss module providing dynamic user and group name resolution
ii  libnss3:amd64                  2:3.87.1-1                     amd64        Network Security Service libraries
ii  nss-plugin-pem:amd64           1.0.8+1-1                      amd64        PEM file reader for Network Security Services (NSS)
ii  openssl                        3.0.9-1                        amd64        Secure Sockets Layer toolkit - cryptographic utility

$ ./curl_ff102 -v --cacert /etc/ssl/certs/ca-certificates.crt https://www.bing.com/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 13.107.21.200:443...
* Connected to www.bing.com (13.107.21.200) port 443 (#0)
* Initializing NSS with certpath: none
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* Trying TLS False Start
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=www.bing.com,O=Microsoft Corporation,L=Redmond,ST=WA,C=US
*  start date: Jul 26 23:57:23 2023 GMT
*  expire date: Jan 22 23:57:23 2024 GMT
*  common name: www.bing.com
*  issuer: CN=Microsoft Azure TLS Issuing CA 05,O=Microsoft Corporation,C=US
> GET / HTTP/1.1
> Host: www.bing.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Upgrade-Insecure-Requests: 1
> Sec-Fetch-Dest: document
> Sec-Fetch-Mode: navigate
> Sec-Fetch-Site: none
> Sec-Fetch-User: ?1
> TE: Trailers
>
* ALPN: server accepted h2
* Received HTTP/0.9 when not allowed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
*
```
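As an added triage helper for reports like the two traces above (it is not code from curl-impersonate or from anyone in this thread): it reads a `curl -v` trace line by line and records the order in which the "Trying TLS False Start" attempt, the first request line and the server's ALPN choice appear, together with the final "Received HTTP/0.9 when not allowed" rejection. Both sample traces are constructed, one trimmed from the second run posted above and one hypothetical healthy run with placeholder host and address; the interpretation notes it emits are a reviewer's reading of that ordering, which the thread itself does not confirm as the root cause.

```python
"""Triage helper for curl verbose (-v) traces, written for this issue thread."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a trimmed copy of the second trace posted in this issue.
ISSUE_TRACE = """\
* Connected to www.bing.com (13.107.21.200) port 443 (#0)
* Initializing NSS with certpath: none
*  CAfile: /etc/ssl/certs/ca-certificates.crt
* Trying TLS False Start
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> GET / HTTP/1.1
> Host: www.bing.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
>
* ALPN: server accepted h2
* Received HTTP/0.9 when not allowed
* Closing connection 0
"""

# Constructed sample of a hypothetical healthy run: ALPN is logged before the
# request is written, and the request is already HTTP/2. Host and address are placeholders.
HEALTHY_TRACE = """\
* Connected to example.invalid (192.0.2.1) port 443 (#0)
* ALPN: server accepted h2
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> GET / HTTP/2
> Host: example.invalid
>
< HTTP/2 200
"""

# "> GET / HTTP/1.1" style request lines and curl's ALPN result line.
REQUEST_LINE = re.compile(r"^> [A-Z]+ \S+ HTTP/(?P<ver>[0-9.]+)$")
ALPN_LINE = re.compile(r"^\* ALPN: server accepted (?P<proto>\S+)$")


@dataclass
class Findings:
    false_start: bool = False
    alpn_protocol: Optional[str] = None
    request_version: Optional[str] = None
    request_before_alpn: bool = False
    http09_rejected: bool = False
    notes: list = field(default_factory=list)


def triage(trace: str) -> Findings:
    """Extract the event ordering from one curl -v trace."""
    f = Findings()
    request_at = alpn_at = None
    for idx, line in enumerate(trace.splitlines()):
        if line == "* Trying TLS False Start":
            f.false_start = True
        elif (m := ALPN_LINE.match(line)) and alpn_at is None:
            f.alpn_protocol = m.group("proto")
            alpn_at = idx
        elif (m := REQUEST_LINE.match(line)) and request_at is None:
            f.request_version = m.group("ver")
            request_at = idx
        elif line == "* Received HTTP/0.9 when not allowed":
            f.http09_rejected = True

    if request_at is not None and alpn_at is not None and request_at < alpn_at:
        f.request_before_alpn = True

    # Interpretation layer: the signals a reviewer would look at first.
    # The issue thread does not establish the root cause; these are observations only.
    if f.false_start and f.request_before_alpn:
        f.notes.append("request written before the ALPN result was logged")
    if f.alpn_protocol == "h2" and f.request_version and f.request_version.startswith("1."):
        f.notes.append("HTTP/1.x request on a connection where the server accepted h2")
    if f.http09_rejected:
        f.notes.append("response did not parse as an HTTP/1.x status line (curl reports it as HTTP/0.9)")
    return f


def false_start_suspected(trace: str) -> bool:
    """True when all three signals from the issue appear together in one trace."""
    f = triage(trace)
    return f.false_start and f.request_before_alpn and f.http09_rejected


if __name__ == "__main__":
    for name, trace in (("issue", ISSUE_TRACE), ("healthy", HEALTHY_TRACE)):
        verdict = "suspect" if false_start_suspected(trace) else "ok"
        print(name, verdict, triage(trace).notes)
```

Run it on a saved `curl -v` trace (with and without -false-start) to compare the two findings side by side; the ordering check is deliberately strict, so a run where the ALPN line precedes the request line is reported as clean even if it fails for another reason.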
@lwthiker
Owner

lwthiker commented Aug 30, 2023

> Also, strangely I just checked https://github.com/lwthiker/curl-impersonate/blob/main/firefox/patches/curl-impersonate.patch and I don't see any call to enable CURLOPT_SSL_FALSESTART. Setting the option in code causes failure for me when using curl_easy_impersonate.

You are right, we should probably add that for consistency between the scripts and the library.

Anyway, assuming it's a curl issue, let's see if it gets resolved when upgrading to a more recent curl version (8.1.1). I hope to have a working version in the upcoming days.

@lwthiker
Owner

Fixed in #185
