Closed jcamiel closed 2 months ago
When HTTP connections are reused, we can't have certificate information on the reused transfer:
With this Hurl file:
GET https://google.fr HTTP * GET https://google.fr HTTP * [Asserts] certificate "Expire-Date" daysAfterNow > 100
Executing:
error: Filter error --> /tmp/google.hurl:8:27 | | GET https://google.fr | ... 8 | certificate "Expire-Date" daysAfterNow > 100 | ^^^^^^^^^^^^ missing value to apply filter |
When looking at libcurl debug logs:
* ------------------------------------------------------------------------------ * Executing entry 2 * * Cookie store: * * Request: * GET https://google.fr * * Request can be run with the following curl command: * curl 'https://google.fr' * ** WARNING: failed to open cookie file "" ** Found bundle for host: 0x600002724b70 [can multiplex] ** Re-using existing connection with host google.fr ** [HTTP/2] [3] OPENED stream for https://google.fr/ ** [HTTP/2] [3] [:method: GET] ** [HTTP/2] [3] [:scheme: https] ** [HTTP/2] [3] [:authority: google.fr] ** [HTTP/2] [3] [:path: /] ** [HTTP/2] [3] [accept: */*] ** [HTTP/2] [3] [user-agent: hurl/4.3.0]
The pb seems that, when reusing connection, libcurl doesn't expose certificate through CURLOPT_CERTINFO.
CURLOPT_CERTINFO
We can reproduce it with this main.c file:
#include <stdio.h> #include <curl/curl.h> void print_cert(CURL* curl) { int i; struct curl_certinfo *ci; CURLcode res = curl_easy_getinfo(curl, CURLINFO_CERTINFO, &ci); if (res) { fprintf(stderr, "Error calling CURLINFO_CERTINFO"); return; } fprintf(stderr, "%d certs!\n", ci->num_of_certs); for (i = 0; i < ci->num_of_certs; i++) { struct curl_slist *slist; for (slist = ci->certinfo[i]; slist; slist = slist->next) fprintf(stderr, "%s\n", slist->data); } } int main(void) { CURL *curl = curl_easy_init(); if (!curl) { return 1; } CURLcode res; curl_easy_setopt(curl, CURLOPT_URL, "https://google.com"); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); fprintf(stderr, "=================="); res = curl_easy_perform(curl); if (!res) { print_cert(curl); } fprintf(stderr, "=================="); res = curl_easy_perform(curl); if (!res) { print_cert(curl); } curl_easy_cleanup(curl); }
$ gcc -L/opt/homebrew/opt/curl/lib -l curl main.c -o main $ ./main 2>&1 >/dev/null | grep certs 3 certs! 0 certs!
The second call doesn't contains SSL certificates.
Sent mail in libcurl mailing list => https://curl.se/mail/lib-2024-07/0007.html
When HTTP connections are reused, we can't have certificate information on the reused transfer:
With this Hurl file:
Executing:
When looking at libcurl debug logs:
The pb seems that, when reusing connection, libcurl doesn't expose certificate through
CURLOPT_CERTINFO
.We can reproduce it with this main.c file:
The second call doesn't contains SSL certificates.