CURLSSLOPT_NATIVE_CA not resolving certificates correctly in all cases. #48

Open
Labels: bug (Something isn't working)

p2004a commented Jan 21, 2023

When the Windows installation is fresh (this can be simulated using Windows Sandbox), curl has an issue with validating the certificate for the repos-cdn.beyondallreason.dev domain. The workaround is to load https://repos-cdn.beyondallreason.dev/ once in Edge or Internet Explorer, and then certificate validation works just fine.

I believe this is an upstream bug in curl. Next steps are to build a minimal reproducible example, gather more data, and report upstream.

p2004a added the bug label Jan 21, 2023
p2004a added a commit to beyond-all-reason/spring-launcher that referenced this issue Jan 21, 2023
Bundle the root certificates from https://curl.se/ca/cacert.pem instead
of depending on system certificate until
beyond-all-reason/pr-downloader#48 gets
resolved in the pr-downloader. Once resolved, this commit should be
reverted.

p2004a commented Dec 15, 2023

I believe this is now mentioned on curl issue tracker in curl/curl#12303

I thought that maybe updating curl would resolve it, but no. Yes, we are using OpenSSL.

I also have a minimal example:

  • Start Windows Sandbox
  • Run pr-downloader and it will resolve with `SSL peer certificate or SSH remote key was not OK 0 (https://repos.springrts.com/repos.gz), aborting`
  • Run the regular official curl build that uses LibreSSL: it succeeds
  • Run pr-downloader: still fails
  • Run the Windows built-in curl that uses a different TLS backend: succeeds
  • Run pr-downloader: it magically starts to work correctly.

Next step: try switching our curl build to LibreSSL and see if it resolves this issue; I also need to confirm that switching to LibreSSL is not a problem for anything.


p2004a commented Dec 16, 2023

Correction: the official curl build also fails. It succeeded because it fell back to the certificate bundle. Without the certificate bundle, the behavior is the same as pr-downloader.

So, switching to LibreSSL won't help. Switching to a native schannel build might resolve this, so that's a valid option to consider.
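The sandbox experiment in the comments above (OpenSSL-backed curl fails on a fresh install, a schannel-based client succeeds, and afterwards the OpenSSL build succeeds too) is consistent with how Windows populates its root store: it ships with a small set of roots and fetches others from Windows Update the first time CryptoAPI builds a chain that needs them (Automatic Root Certificates Update). A client that merely copies the current contents of the Windows ROOT store into its own trust list, which is what curl's OpenSSL backend does for CURLSSLOPT_NATIVE_CA, sees only the roots that have already been downloaded. The script below is an added diagnostic, not code from pr-downloader or from this thread: it snapshots the relevant stores, performs one schannel handshake with the host named in the issue (the default target is an assumption taken from the first comment; any host works), and reports whether the chain's root was present before and after. It needs network access and is meant to be run in a fresh Windows Sandbox.

```powershell
# Added diagnostic (not pr-downloader code): is the TLS root for a host present in the
# Windows certificate stores before a schannel handshake, and does the handshake add it?
# Run in a fresh Windows Sandbox; it needs network access to reach the target host.
param(
    [string]$TargetHost = 'repos-cdn.beyondallreason.dev',   # host named in the issue (assumed default)
    [int]$Port = 443
)

# Stores to watch. LocalMachine\Root is the machine "Trusted Root Certification
# Authorities" store; AuthRoot holds third-party roots Windows downloaded itself.
# Watching all three avoids guessing where a fetched root lands.
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'

function Get-StoreSnapshot {
    # Map store path -> thumbprints currently in that store.
    $snap = @{}
    foreach ($s in $Stores) {
        $snap[$s] = @(Get-ChildItem $s -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty Thumbprint)
    }
    return $snap
}

function Get-ServerChain {
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        # SslStream validates through schannel; on a fresh install this is the call
        # that makes Windows fetch a missing root from Windows Update.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        if (-not $ssl.RemoteCertificate) { throw "no server certificate received from $HostName" }
        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($leaf)   # ChainElements is populated even when Build returns $false
        return @($chain.ChainElements | ForEach-Object { $_.Certificate })
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

$before = Get-StoreSnapshot
$chain  = Get-ServerChain -HostName $TargetHost -Port $Port
$after  = Get-StoreSnapshot
$root   = $chain[-1]   # last element is the root (or the highest cert that could be found)

"Chain for ${TargetHost}:"
$chain | ForEach-Object { "  $($_.Subject)  [$($_.Thumbprint)]" }
""
"Root presence by store (before -> after the schannel handshake):"
foreach ($s in $Stores) {
    $wasThere = $before[$s] -contains $root.Thumbprint
    $isThere  = $after[$s]  -contains $root.Thumbprint
    "  {0,-28} {1,-5} -> {2}" -f $s, $wasThere, $isThere
    $added = $after[$s] | Where-Object { $before[$s] -notcontains $_ }
    if ($added) { "    added by this handshake: $($added -join ', ')" }
}
```

A store that reads `False -> True` is the signature of the on-demand fetch: a client that only reads store contents would have failed before that handshake and succeeded after it, which is exactly the before/after behaviour described in the comments. Bundling cacert.pem (the workaround in the referenced commit) or using a schannel build sidesteps the dependency on what the store happens to contain at that moment.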
