wolfssl RSA cert verify error for ios arm64 and android arm32

[calvin2021y]

curl/libcurl version

I test master branch and 8_1_2, has the same error.

Test wolfssl 5.6.2, 5.6.3.

the error throw from CURL this line.

diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index 2928728..6938cb2 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -788,7 +788,7 @@ wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
     else if(ASN_NO_SIGNER_E == detail) {
       if(conn_config->verifypeer) {
         failf(data, " CA signer not available for verification");
-        return CURLE_SSL_CACERT_BADFILE;
+        return CURLE_SSL_CACERT_BADFILE;
       }
       else {
         /* Just continue with a warning if no strict certificate

I use CURLOPT_SSL_CTX_FUNCTION to load cert from memory.

CURLcode curl_sslctx_function(CURL *curl, void *sslctx, void *parm)
{
    CURLcode rv = CURLE_ABORTED_BY_CALLBACK;
    int line = 0;
    (void)curl;
    (void)parm;
    switch(1) default : {
        int e = wolfSSL_CTX_load_verify_buffer(sslctx, (const unsigned char *) pem_ptr, pem_len, SSL_FILETYPE_PEM);
        if ( e != SSL_SUCCESS ) {
            line = 4;
            break;
        }
        rv = CURLE_OK;
    }
    return rv;
}

Other platform confirm work, ios amr64 and andoird arm32 also work before. not sure the new CURL and wolfSSL which one cause this error.

I need some advise to help me to debug this out.

cloud be related

confirm the https://github.com, https://1.1.1.1 work. https://8.8.8.8 and other RSA certs not work.

try http1 and http2 by add CURLOPT_HTTP_VERSION, problem still exists.

operating system

Ios & android.

[calvin2021y]

for IOS arm64:

CURL:

 --host=arm-apple-darwin --enable-static --disable-shared --enable-verbose --disable-versioned-symbols --enable-hidden-symbols --enable-dnsshuffle --enable-http --enable-cookies --enable-alt-svc --enable-ipv6 --enable-proxy --disable-mqtt --disable-ftp --disable-largefile --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-dict --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-manual --disable-libcurl-option --disable-sspi --disable-crypto-auth --disable-ntlm-wb --disable-tls-srp --disable-unix-sockets --without-librtmp --without-libidn2 --without-zsh-functions-dir --with-zlib --without-nss --without-gnutls --without-winssl --without-amissl --without-cyassl --without-schannel --without-mbedtls --with-wolfssl --without-openssl --without-ca-path --without-ca-bundle --without-ca-fallback --without-libpsl --without-zsh-functions-dir --without-fish-functions-dir --with-nghttp2 --without-ngtcp2 --without-nghttp3 --without-quiche --enable-doh --without-zstd --without-brotli --enable-websockets --enable-ares --disable-threaded-resolver

wolfSSL

--enable-shared=no --enable-harden --enable-filesystem=no --enable-pwdbased=no --enable-ip-alt-name --enable-sni --enable-alpn --enable-truncatedhmac --enable-earlydata --enable-tlsv10=no --enable-oldtls=yes --enable-tlsv12=yes --enable-tls13 --enable-rsa --enable-psk-one-id --enable-session-ticket --enable-savesession --enable-sessioncerts --enable-rng --enable-aescbc=yes --enable-aescfb=no --enable-aesccm=no --enable-aesctr=no --enable-aesctr=no --enable-maxfragment=yes --enable-blake2=no --enable-blake2s=no --enable-hkdf=no --enable-sys-ca-certs=no --enable-examples=no --enable-crypttests=no --enable-singlethreaded=no --enable-asynccrypt=no --enable-asyncthreads=no --enable-sha384 --enable-asm=yes --enable-fastmath --enable-bigcache --enable-curl --enable-curve25519=yes --enable-ed25519=yes --enable-crl=no --enable-ocsp --enable-ocspstapling --enable-ocspstapling2 --enable-hrrcookie=no --host=arm-apple-darwin

android use similar configuration

[bagder]

Can you please provide a full example that reproduces this?

[bagder]

It looks like you submitted the same issue with wolfSSL ?

[calvin2021y]

Yes, I am not sure it is a CURL error or wolfSSL error.

[bagder]

confirm the https://github.com/, https://1.1.1.1/ work

These work fine with curl and wolfSSL from git master on my x86-64 on Linux. I don't think this is a curl problem.

(can't test on android/ios)

[calvin2021y]

what cause this ?

ALPN: offers h2,http/1.1
Didn't find Session ID in cache for host HTTPS://
SSL_connect failed with error -313: received alert fatal error
multi_done: status: 35 prem: 1 done: 0
multi_done, not re-using connection=4, forbid=0, close=0, premature=1, conn_multiplex=0
The cache now contains 3 members
Curl_disconnect(conn #4, dead=1)
Closing connection
Expire cleared

There seems no internet yet, because time is 0ms to get this error.

[dfandrich]

Didn't find Session ID in cache for host HTTPS://

It should be logging a host name here after the HTTPS://. Are you sure there's a valid URL being passed in?

[calvin2021y]

Yes, I dont want to leak the domain.

The error seems come before network. I will use wireshark to confirme.

[calvin2021y]

I report false information because CURL give the zero time cost by CURLINFO_TOTAL_TIME_T and CURLINFO_CONNECT_TIME_T. (there is a DNS cache inused)

With wireshark report server return this:

Frame 6: 73 bytes on wire (584 bits), 73 bytes captured (584 bits) on interface en0, id 0
Ethernet II, Src: BeijingX_4c:fe:54 (28:d1:27:4c:fe:54), Dst: Apple_05:34:c0 (3c:7d:0a:05:34:c0)
Internet Protocol Version 4, Src: 43.155.24.14, Dst: 192.168.128.121
Transmission Control Protocol, Src Port: 443, Dst Port: 59447, Seq: 1, Ack: 292, Len: 7
Transport Layer Security
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Internal Error)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Internal Error (80)

[bagder]

I don't see how this is at all related to RSA certs.

[bagder]

I don't think this is a curl problem and no further data has been provided to point at it being so.