Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

http3: certificate lookup error #8696

Closed
Izorkin opened this issue Apr 11, 2022 · 1 comment
Closed

http3: certificate lookup error #8696

Izorkin opened this issue Apr 11, 2022 · 1 comment
Labels

Comments

@Izorkin
Copy link

Izorkin commented Apr 11, 2022

After upgrading curl from version 7.80 to 7.81 http3 connections stopped working.
Error:

curl --head --http3 -v https://cloudflare.com
*   Trying 2606:4700::6810:84e5:443...
* Connect socket 5 over QUIC to 2606:4700::6810:84e5:443
* error setting certificate verify locations:  CAfile: none CApath: none
*   Trying 2606:4700::6810:85e5:443...
* Connect socket 6 over QUIC to 2606:4700::6810:85e5:443
* error setting certificate verify locations:  CAfile: none CApath: none
*   Trying 104.16.133.229:443...
* Connect socket 0 over QUIC to 104.16.133.229:443
* error setting certificate verify locations:  CAfile: none CApath: none
*   Trying 104.16.132.229:443...
* Connect socket 7 over QUIC to 104.16.132.229:443
* error setting certificate verify locations:  CAfile: none CApath: none
* Closing connection 0
curl: (96) error setting certificate verify locations:  CAfile: none CApath: none

Probably stopped working after this commit - c148f0f

Configure flags:

--without-ca-bundle 
--without-ca-path 
--with-ca-fallback 

On http2 protocol working:

*   Trying 2606:4700::6810:84e5:443...
* Connected to cloudflare.com (2606:4700::6810:84e5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare.com
*  start date: Jun  4 00:00:00 2021 GMT
*  expire date: Jun  3 23:59:59 2022 GMT
*  subjectAltName: host "cloudflare.com" matched cert's "cloudflare.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
...

When using the HTTP2 protocol, the certificate is searched through the SSL library. When using the HTTP3 protocol, the certificate search is not performed.

curl/libcurl version

[curl -V output]
curl 7.82.0 (x86_64-pc-linux-gnu) libcurl/7.82.0 OpenSSL/3.0.2 zlib/1.2.12 brotli/1.0.9 zstd/1.5.2 libidn2/2.3.2 libssh2/1.10.0 nghttp2/1.47.0 ngtcp2/0.4.0-DEV nghttp3/0.4.0-DEV
Release-Date: 2022-03-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets zstd

operating system

NixOS 22.05 Unstable.

@bagder bagder added the HTTP/3 h3 or quic related label Apr 14, 2022
@bagder
Copy link
Member

bagder commented Apr 15, 2022

Seems correct, configure --with-ca-fallback is not supported by h3 (yet).

@bagder bagder added the build label Apr 15, 2022
@bagder bagder closed this as completed in 06fd973 May 6, 2022
bagder added a commit that referenced this issue May 10, 2022
Follow-up to b01f3e6 which added this for ngtcp2/openssl

Fixes #8696
Closes #....
bagder added a commit that referenced this issue May 11, 2022
Follow-up to b01f3e6 which added this for ngtcp2/openssl

Removed from KNOWN_BUGS

Fixes #8696
Closes #8830
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2 participants