Attnam / ivan

Iter Vehemens ad Necem - a continuation of the graphical roguelike by members of http://attnam.com
GNU General Public License v2.0

curl_easy_perform gives error code CURLE_SSL_CACERT #259

Open ryfactor opened 7 years ago

ryfactor commented 7 years ago

emlai:global-hall-of-fame branch only

Happens on windows build. Built on MinGW to create .exe.

How can this be?

N.B. MSYS seems to work ok on windows and submits/reads high scores, so not sure if this is because of compiler reasons or server reasons.

ryfactor commented 7 years ago

Anyone want to play: ivan.zip

andrewtweber commented 7 years ago

Where is the hall of fame hosted? I assume it's on https.

Curl checks if the server's SSL has an intermediate certificate that it trusts. Usually a bunch of intermediate certs from well known hosts are stored in a file called ca-bundle.crt.

So either the server is using a self-signed SSL certificate or an obscure SSL provider, or Curl is simply missing the bundle of trusted intermediate certs.

emlai commented 7 years ago

@andrewtweber: https://ivan-hall-of-fame.herokuapp.com

andrewtweber commented 7 years ago

Looks good to me. So lib_curl is simply missing the intermediate cert bundle.

andrewtweber commented 7 years ago

@fejoa Several options here

https://curl.haxx.se/docs/sslcerts.html

ryfactor commented 7 years ago

@andrewtweber I tried option 1 from your link which was to add curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); in here https://github.com/emlai/ivan/blob/global-hall-of-fame/FeLib/Source/hscore.cpp#L310 and it displays the global highscores now.

My question is, is this evil for the user? Like, does it open some backdoor?

ryfactor commented 7 years ago

I added the same line curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); here: https://github.com/emlai/ivan/blob/global-hall-of-fame/FeLib/Source/hscore.cpp#L408 and successfully submitted a hi-score!

So we know it has something to do with certificates.

The next issue is that submitting a password returns CURLcode response (or Res) = 60 and CURLINFO_RESPONSE_CODE = 0 under normal conditions. I get an incorrect username or password message.

I get CURLcode Res = 60 and CURLINFO_RESPONSE_CODE = 401 when I add curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); here: https://github.com/emlai/ivan/blob/global-hall-of-fame/FeLib/Source/hscore.cpp#L353

@emlai, is passwording set up at the moment?

ryfactor commented 7 years ago

@andrewtweber I re-read your first comment and I think I understand better. If we use option 2, then do we only need to point the capath in curl_easy_setopt(curl, CURLOPT_CAPATH, capath); to the ca-bundle.crt on the client?

emlai commented 7 years ago

@fejoa Yes, passwords should work if registered here.

andrewtweber commented 7 years ago

@fejoa

Disabling the verification is... probably ok. At least in our case, we know what domain we're hitting and we know that it's trusted. It would be different if there were multiple hiscore servers and we didn't know where they were hosted. But it's still a little questionable - if for some reason Heroku were compromised then the encrypted data could be read by somebody else.

But yes, setting the capath is a safer option and should hopefully be simple.

andrewtweber commented 7 years ago

I'm just excited that for once my web/server knowledge is coming in handy :D

ryfactor commented 7 years ago

Ok, epic breakthrough guys: I used curl_easy_setopt(Curl, CURLOPT_CAINFO, "C:\\path\\to\\ivan\\cacert.pem"); to direct curl to the certificate cacert.pem. ^1 When we implement it, it will need a few #ifdef(WIN32) preprocessor directives, but it should be clean for cross-platform. I got cacert.pem from here: https://curl.haxx.se/docs/caextract.html

Everything works. Viewing high scores, adding high scores, and checking usernames and passwords. This means I also have full compile and run capability for WIN32 binaries to produce IVAN versions compatible with the high score server.

My one remaining question is: Is it common for apps to ship with certificates that are stored locally in the filesystem? Or should curl be told to look in say, the nearest web browser certificate pile for trusted certificates? My plan for now is to ship the cacert.pem file, along with the other bunch of necessary .dll files that stubbornly refuse to compile statically.


^1 This link helped: http://stackoverflow.com/questions/15702436/ios-curl-unable-to-get-local-issuer-certificate

ryfactor commented 7 years ago

@emlai do you plan to merge the hiscore server into the main development branch? We could pilot on 0.50.9 and then polish it ready for a stable release of 0.51?

emlai commented 7 years ago

I was thinking I should add some authentication to prevent fake score submissions before merging. But of course we can merge it before that as well. Should we?

ryfactor commented 7 years ago

I think next release should be in June, so there's no rush. Authentication would be desirable. Just merge as soon as you feel happy to, I reckon.

ryfactor commented 7 years ago

@emlai what are your latest thoughts on this front? Shall we merge what we've got and then implement authentication for 0.51?