Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CURLOPT_CERTINFO not working with HTTP/3 (either backend) #9584

Closed
eloydegen opened this issue Sep 24, 2022 · 4 comments
Closed

CURLOPT_CERTINFO not working with HTTP/3 (either backend) #9584

eloydegen opened this issue Sep 24, 2022 · 4 comments
Labels
HTTP/3 h3 or quic related

Comments

@eloydegen
Copy link

Although I am using pycurl and not directly calling the libcurl API from C, I think this is the most appropriate place to report the bug. According to the documentation, only OpenSSL is supported. This uses the BoringSSL fork with the Quiche library for QUIC. I suspect that it could be a missing API in Quiche, but I'm not sure.

I did this

import pycurl
from pprint import pprint

TEST_URL = 'https://facebook.com'

def certinfo_demo(url=TEST_URL):
    c = pycurl.Curl()
    c.setopt(pycurl.URL, url)
    c.setopt(pycurl.WRITEFUNCTION, lambda x: None)
    c.setopt(pycurl.VERBOSE, True)
    c.setopt(pycurl.OPT_CERTINFO, True)
    c.setopt(pycurl.HTTP_VERSION, c.CURL_HTTP_VERSION_3)
    c.perform()
    return c.getinfo(pycurl.INFO_CERTINFO)

if '__main__' == __name__:
    pprint(certinfo_demo())

I expected the following

I expected it to print the certificate information. When the c.setopt(pycurl.HTTP_VERSION, c.CURL_HTTP_VERSION_3) line is removed, it works fine. I was using a local test server but replace it with Facebook to make it reproducible. It prints an empty list when using HTTP/3.

curl/libcurl version

PycURL/7.45.1 libcurl/7.86.0-DEV BoringSSL quiche/0.14.0

operating system

Fedora Linux 36, in a Python venv
@bagder bagder added the HTTP/3 h3 or quic related label Sep 24, 2022
@bagder bagder changed the title OPT_CERTINFO not working with HTTP/3 using Quiche CURLOPT_CERTINFO not working with HTTP/3 using Quiche Sep 24, 2022
@bagder
Copy link
Member

bagder commented Sep 24, 2022

First double-check that the correct and same logic is done in libcurl for the QUIC case as it is for normal TLS when this option is set.

@bagder
Copy link
Member

bagder commented Sep 26, 2022
edited

I built curl from git master right now using quiche from their master, using the certinfo example, and it worked fine for me! And I don't think this is due to any recent changes done in curl at least.

The problem reproduces for me against https://curl.se

@bagder
Copy link
Member

bagder commented Sep 26, 2022

The reason for this problem is that no QUIC code calls the necessary get_cert_chain() function which is also static in lib/vtls/openssl.c...

@bagder
Copy link
Member

bagder commented Sep 26, 2022

This problem exists for all QUIC backends.

@bagder bagder changed the title CURLOPT_CERTINFO not working with HTTP/3 using Quiche CURLOPT_CERTINFO not working with HTTP/3 (either backend) Sep 26, 2022
bagder added a commit that referenced this issue Sep 26, 2022
@bagder
openssl: make certinfo available for QUIC
5e8bed2 
Curl_get_certchain() is now an exported function in lib/vtls/openssl.c that
can also be used from quiche.c and ngtcp2.c to get the certain for QUIC
connections as well.

The *certchain function was moved to the top of the file for this reason.

Reported-by: Eloy Degen
Fixes #9584
@bagder bagder mentioned this issue Sep 26, 2022
Closed
bagder added a commit that referenced this issue Sep 26, 2022
@bagder
openssl: make certinfo available for QUIC
e814cf0 
Curl_get_certchain() is now an exported function in lib/vtls/openssl.c that
can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC
connections as well.

The *certchain function was moved to the top of the file for this reason.

Reported-by: Eloy Degen
Fixes #9584
bagder added a commit that referenced this issue Sep 27, 2022
@bagder
openssl: make certinfo available for QUIC
7ec7c7a 
Curl_ossl_certchain() is now an exported function in lib/vtls/openssl.c that
can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC
connections as well.

The *certchain function was moved to the top of the file for this reason.

Reported-by: Eloy Degen
Fixes #9584
Closes #9597
@bagder bagder closed this as completed in 58acc69 Sep 27, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
HTTP/3 h3 or quic related
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

openssl: make certinfo available for QUIC curl/curl
2 participants
@bagder @eloydegen