Unable to connect to Cloudfront from MacOSX client

放肆的年华 submitted on 2019-12-12 04:49:30

Question


My multi-platform client, written in C++ and built on cURL, should download a file from Cloudfront. On Windows, the download works fine with libcurl 7.40.0 and OpenSSL 1.0.2c. On MacOSX:

  • the file served via "direct" Amazon AWS link is correctly downloaded;
  • the file served via Cloudfront link cannot be downloaded: CURL error after the call is set to CURLE_SSL_CONNECT_ERROR, and debug information shows that the protocol breaks during SSL handshake.

The file is correctly downloaded also via curl command from MacOSX bash (version 7.54.0).

I am linking against the cURL version installed on my iMac (version 7.54.0 with security layer provided by zlib version 1.2.8). The version supports SSL and TLSv1.2 (as can be seen when performing AWS download).

I am at my wit's end: TLSv1.2 is supported and should be enabled during communication with Cloudfront. Is there something else that I forgot?

Thank you in advance for your help. MWE and responses from both servers follow.


Minimum working example (urls faked):

#include "curl/curl.h"

#define URLDOWNLOAD "https://x.cloudfront.net/file.file?Expires=123&Signature=456&Key-Pair-Id=789"
#define AWSURLDOWNLOAD "https://x.amazonaws.net/file.file?Expires=123&Signature=456&Key-Pair-Id=789"

int main(int argc, const char * argv[]) {

    curl_global_init(CURL_GLOBAL_ALL);

    CURL* curl = curl_easy_init();
    if (!curl) return 1;

    // curl_easy_setopt() reads numeric options as long, so long literals are passed.
    curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
    // Certificate and host name verification are switched off here, as in the original post.
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
    curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1L);

    curl_easy_setopt(curl, CURLOPT_TCP_KEEPALIVE, 1L);
    curl_easy_setopt(curl, CURLOPT_TCP_KEEPIDLE, 30L);
    curl_easy_setopt(curl, CURLOPT_TCP_KEEPINTVL, 5L);

    curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
    curl_easy_setopt(curl, CURLOPT_RANGE, "0-");
    curl_easy_setopt(curl, CURLOPT_SSLVERSION, (long)CURL_SSLVERSION_TLSv1_2);

    // Overrides the keep-alive interval of 5 set above.
    curl_easy_setopt(curl, CURLOPT_TCP_KEEPINTVL, 2L);

    // with URLDOWNLOAD the call fails. With AWSURLDOWNLOAD the call is successful.
    curl_easy_setopt(curl, CURLOPT_URL, URLDOWNLOAD);

    CURLcode error = curl_easy_perform(curl);

    // Release the easy handle and libcurl's global state.
    curl_easy_cleanup(curl);
    curl_global_cleanup();

    return error == CURLE_OK ? 0 : 1;
}

The debug information when downloading from AWS:

*   Trying ip...
* TCP_NODELAY set
* Connected to x.amazonaws.com (ip) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.x.amazonaws.com
* Server certificate: DigiCert Baltimore CA-2 G2
* Server certificate: Baltimore CyberTrust Root
> GET /FILE?X-Amz-Expires=431861&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AQ/20170814/aws4_request&X-Amz-Date=20170814T090903Z&X-Amz-SignedHeaders=host&X-Amz-Signature=0eb HTTP/1.1
Host: x.amazonaws.com
Range: bytes=0-100
Accept: */*

< HTTP/1.1 206 Partial Content
< x-amz-id-2: Q/0/xjrH4tNKcJU=
< x-amz-request-id: 92CEA7A5E6AB
< Date: Mon, 14 Aug 2017 14:32:46 GMT
< Last-Modified: Tue, 16 May 2017 22:15:57 GMT
< ETag: "9d57e32d88c89a-55"
< x-amz-meta-cb-modifiedtime: Tue, 16 May 2017 22:13:27 GMT
< Accept-Ranges: bytes
< Content-Range: bytes 0-100/566567658
< Content-Type: application/octet-stream
< Content-Length: 101
< Server: AmazonS3
<
\246ՙ\30\363\360т.C\375\205\211\327\327\343\204\320\224\3404\327dͩ\3362\\306\354%%\214}"\3171\216\362}La\245U\304}\260\223\205\332\335 ]\314\330\300
* Curl_http_done: called premature == 0
* Connection #0 to host x.amazonaws.com left intact

The debug information when downloading from Cloudfront:

*   Trying ip...
* TCP_NODELAY set
* Connected to x.cloudfront.net (ip) port 443 (#0)
* SSL peer handshake failed, the server most likely requires a client certificate to connect
* Curl_http_done: called premature == 1
* Closing connection 0

The two calls are made with the exact same linked library.

Source: https://stackoverflow.com/questions/45677925/unable-to-connect-to-cloudfront-from-macosx-client
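
The question turns on which libcurl build the macOS client actually runs against. As an added example (not part of the original post), this C helper splits a `curl_version()`-style string into the libcurl version and the TLS backend token, and flags a mismatch with the header version the client was compiled against. The names `inspect_curl_build` and `struct curl_build` are hypothetical and the sample strings are constructed; in the real client, pass `curl_version()` and `LIBCURL_VERSION`.

```c
#include <stdio.h>
#include <string.h>

/* Parsed view of a curl_version()-style string (hypothetical helper type). */
struct curl_build {
    char libcurl[32];     /* e.g. "7.54.0" */
    char tls[48];         /* e.g. "LibreSSL/2.0.20"; empty if no TLS token found */
    int  header_mismatch; /* 1 if compile-time headers and runtime library differ */
};

/* TLS backend names as they appear in libcurl version strings. */
static const char *const TLS_NAMES[] = {
    "OpenSSL", "LibreSSL", "BoringSSL", "SecureTransport", "GnuTLS",
    "NSS", "mbedTLS", "wolfSSL", "Schannel", "WinSSL", NULL
};

/* runtime: string from curl_version(); header_ver: LIBCURL_VERSION at build time.
 * Returns 0 on success, -1 if the string does not start with "libcurl/". */
int inspect_curl_build(const char *runtime, const char *header_ver,
                       struct curl_build *out)
{
    char buf[256];
    memset(out, 0, sizeof *out);
    if (strncmp(runtime, "libcurl/", 8) != 0) return -1;
    snprintf(buf, sizeof buf, "%s", runtime);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (strncmp(tok, "libcurl/", 8) == 0) {
            snprintf(out->libcurl, sizeof out->libcurl, "%s", tok + 8);
            continue;
        }
        for (int i = 0; TLS_NAMES[i] && !out->tls[0]; i++) {
            size_t n = strlen(TLS_NAMES[i]);
            /* Accept "Name" or "Name/version" only, so zlib/... is never matched. */
            if (strncmp(tok, TLS_NAMES[i], n) == 0 &&
                (tok[n] == '/' || tok[n] == '\0'))
                snprintf(out->tls, sizeof out->tls, "%s", tok);
        }
    }
    out->header_mismatch = strcmp(out->libcurl, header_ver) != 0;
    return 0;
}

int main(void) {
    struct curl_build b;  /* constructed sample string, not taken from the post */
    if (inspect_curl_build("libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.8", "7.40.0", &b) == 0)
        printf("libcurl=%s tls=%s header_mismatch=%d\n", b.libcurl, b.tls[0] ? b.tls : "(none)", b.header_mismatch);
    return 0;
}
```

An empty `tls` field means the string names no TLS backend at all, and `header_mismatch` set to 1 means the headers and the linked library come from different libcurl releases.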
