CURLOPT_CERTINFO not working with HTTP/3 (either backend) #9584

eloydegen · 2022-09-24T11:35:01Z

Although I am using pycurl and not directly calling the libcurl API from C, I think this is the most appropriate place to report the bug. According to the documentation, only OpenSSL is supported. This uses the BoringSSL fork with the Quiche library for QUIC. I suspect that it could be a missing API in Quiche, but I'm not sure.

I did this

import pycurl
from pprint import pprint

TEST_URL = 'https://facebook.com'

def certinfo_demo(url=TEST_URL):
    c = pycurl.Curl()
    c.setopt(pycurl.URL, url)
    c.setopt(pycurl.WRITEFUNCTION, lambda x: None)
    c.setopt(pycurl.VERBOSE, True)
    c.setopt(pycurl.OPT_CERTINFO, True)
    c.setopt(pycurl.HTTP_VERSION, c.CURL_HTTP_VERSION_3)
    c.perform()
    return c.getinfo(pycurl.INFO_CERTINFO)

if '__main__' == __name__:
    pprint(certinfo_demo())

I expected the following

I expected it to print the certificate information. When the c.setopt(pycurl.HTTP_VERSION, c.CURL_HTTP_VERSION_3) line is removed, it works fine. I was using a local test server but replace it with Facebook to make it reproducible. It prints an empty list when using HTTP/3.

curl/libcurl version

PycURL/7.45.1 libcurl/7.86.0-DEV BoringSSL quiche/0.14.0

operating system

Fedora Linux 36, in a Python venv

The text was updated successfully, but these errors were encountered:

bagder · 2022-09-24T21:30:14Z

First double-check that the correct and same logic is done in libcurl for the QUIC case as it is for normal TLS when this option is set.

bagder · 2022-09-26T12:58:18Z

I built curl from git master right now using quiche from their master, using the certinfo example, and it worked fine for me! And I don't think this is due to any recent changes done in curl at least.

The problem reproduces for me against https://curl.se

bagder · 2022-09-26T13:11:39Z

The reason for this problem is that no QUIC code calls the necessary get_cert_chain() function which is also static in lib/vtls/openssl.c...

bagder · 2022-09-26T13:15:28Z

This problem exists for all QUIC backends.

Curl_get_certchain() is now an exported function in lib/vtls/openssl.c that can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC connections as well. The *certchain function was moved to the top of the file for this reason. Reported-by: Eloy Degen Fixes #9584

Curl_ossl_certchain() is now an exported function in lib/vtls/openssl.c that can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC connections as well. The *certchain function was moved to the top of the file for this reason. Reported-by: Eloy Degen Fixes #9584 Closes #9597

bagder added the HTTP/3 label Sep 24, 2022

bagder changed the title ~~OPT_CERTINFO not working with HTTP/3 using Quiche~~ CURLOPT_CERTINFO not working with HTTP/3 using Quiche Sep 24, 2022

bagder changed the title ~~CURLOPT_CERTINFO not working with HTTP/3 using Quiche~~ CURLOPT_CERTINFO not working with HTTP/3 (either backend) Sep 26, 2022

bagder mentioned this issue Sep 26, 2022

openssl: make certinfo available for QUIC #9597

Closed

bagder closed this as completed in 58acc69 Sep 27, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CURLOPT_CERTINFO not working with HTTP/3 (either backend) #9584

CURLOPT_CERTINFO not working with HTTP/3 (either backend) #9584

eloydegen commented Sep 24, 2022

bagder commented Sep 24, 2022

bagder commented Sep 26, 2022 •

edited

Loading

bagder commented Sep 26, 2022

bagder commented Sep 26, 2022

CURLOPT_CERTINFO not working with HTTP/3 (either backend) #9584

CURLOPT_CERTINFO not working with HTTP/3 (either backend) #9584

Comments

eloydegen commented Sep 24, 2022

I did this

I expected the following

curl/libcurl version

operating system

bagder commented Sep 24, 2022

bagder commented Sep 26, 2022 • edited Loading

bagder commented Sep 26, 2022

bagder commented Sep 26, 2022

bagder commented Sep 26, 2022 •

edited

Loading