Closed Kangie closed 3 months ago
Would you be able to take a packet capture for this? Preferably of a TLS1.2 session -- so the certificate can be seen.
Do you have any transparent middleboxes between you and the internet?
Are you static linking rustls with curl or using the experimental dynamic linking support?
> Would you be able to take a packet capture for this? Preferably of a TLS1.2 session -- so the certificate can be seen.
Sure. I'll see what I come up with.
> Do you have any transparent middleboxes between you and the internet?
Not really. PC <-> Switch <-> Router (opnsense) <-> bridged modem <-> ISP network.
Other sites appear to work just fine using curl, TLS 1.2 or 1.3 - I don't know what it's not liking about Git.
> Are you static linking rustls with curl or using the experimental dynamic linking support?
Dynamic linking.
curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 rustls-ffi/0.10.0/rustls/0.21.0 zlib/1.3.1 zstd/1.5.5 c-ares/1.27.0 libpsl/0.21.5 nghttp2/1.60.0
Release-Date: 2024-01-31
Protocols: dict file ftp ftps http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smtp smtps tftp
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz PSL SSL threadsafe UnixSockets zstd
curl => /usr/bin/curl (interpreter => /lib64/ld-linux-x86-64.so.2)
libcurl.so.4 => /usr/lib64/libcurl.so.4
libcares.so.2 => /usr/lib64/libcares.so.2
libnghttp2.so.14 => /usr/lib64/libnghttp2.so.14
libpsl.so.5 => /usr/lib64/libpsl.so.5
libidn2.so.0 => /usr/lib64/libidn2.so.0
libunistring.so.5 => /usr/lib64/libunistring.so.5
librustls.so.0.10 => /usr/lib64/librustls.so.0.10
libgcc_s.so.1 => /usr/lib/gcc/x86_64-pc-linux-gnu/13/libgcc_s.so.1
ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2
libm.so.6 => /usr/lib64/libm.so.6
libzstd.so.1 => /usr/lib64/libzstd.so.1
libz.so.1 => /usr/lib64/libz.so.1
libc.so.6 => /usr/lib64/libc.so.6
curl 8.7.1 (x86_64-pc-linux-gnu) libcurl/8.7.1 rustls-ffi/0.12.1/rustls/0.22 zlib/1.3.1 zstd/1.5.5 c-ares/1.27.0 libpsl/0.21.5 nghttp2/1.60.0
Release-Date: 2024-03-27
Protocols: dict file ftp ftps http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smtp smtps tftp
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz PSL SSL threadsafe UnixSockets zstd
curl => /usr/bin/curl (interpreter => /lib64/ld-linux-x86-64.so.2)
libcurl.so.4 => /usr/lib64/libcurl.so.4
libcares.so.2 => /usr/lib64/libcares.so.2
libnghttp2.so.14 => /usr/lib64/libnghttp2.so.14
libpsl.so.5 => /usr/lib64/libpsl.so.5
libidn2.so.0 => /usr/lib64/libidn2.so.0
libunistring.so.5 => /usr/lib64/libunistring.so.5
librustls.so.0.12.1 => /usr/lib64/librustls.so.0.12.1
libgcc_s.so.1 => /usr/lib/gcc/x86_64-pc-linux-gnu/13/libgcc_s.so.1
ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2
libzstd.so.1 => /usr/lib64/libzstd.so.1
libz.so.1 => /usr/lib64/libz.so.1
libc.so.6 => /usr/lib64/libc.so.6
> Are you static linking rustls with curl or using the experimental dynamic linking support?
> Dynamic linking.
Does the problem reproduce with static linking? I have a hunch it won't.
This is likely unrelated to librustls and instead a regression in curl: https://github.com/curl/curl/issues/13229
It was also reported in Arch Linux for the regular curl package: https://gitlab.archlinux.org/archlinux/packaging/packages/curl/-/issues/6
Some initial investigation:
https://example.com so I don't think it's related to Git endpoints but something broader:
$ LD_LIBRARY_PATH=/tmp/librustls-0.13.0/lib ./src/curl https://example.com
curl: (60) rustls_connection_process_new_packets: invalid peer certificate: BadSignature
<snipped>
Makefile, I get a curl binary that works as expected:
$ ./src/curl https://example.com
<!doctype html>
<html>
<snipped>
$ CA_FILE=/etc/ssl/certs/ca-certificates.crt LD_LIBRARY_PATH=/tmp/librustls-0.13.0/lib ./target/client example.com 443 /
<snipped>
HTTP/1.1 200 OK
<snipped>
I think this points towards the issue being somewhere in the curl build process :thinking:
:wave: @kpcyrd Thanks for dropping in :-D Now it's a party.
> This is likely unrelated to librustls and instead a regression in curl: https://github.com/curl/curl/issues/13229
Hmm. Possible! But my testing above is also showing the error when using curl + librustls.so with a plain HTTPS server.
> Would you be able to take a packet capture for this? Preferably of a TLS1.2 session -- so the certificate can be seen.
Here's a pcap from a LD_LIBRARY_PATH=/tmp/librustls-0.13.0/lib ./src/curl --tlsv1.2 https://example.com reproduction attempt from curl built with librustls 0.13.0 and dynamically linked that shows the BadSignature error:
curl.dyn.librustls.0.13.0.pcapng.tar.gz
I don't know that it's very interesting. My feeling is the issue is the build and not the host given that I can't reproduce with our own test client :thinking:
> I think this points towards the issue being somewhere in the curl build process 🤔
Another data-point in this direction:
If I step back to curl @ e3a4273, when @kpcyrd updated to 0.12, I'm able to get a build that dynamically links librustls 0.13 to work without error (there were no meaningful API changes between 0.12 and 0.13 for curl).
Maybe someone can bisect what might have changed curl side that would break using rustls as a .so?
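The bisection suggested above, written out as a `git bisect run` driver. This is an added example, not a script from the thread or from the curl or rustls-ffi projects; RUSTLS_PREFIX, PROBE_URL and the script name are assumptions. The key detail is the exit-code mapping: only curl's exit 60 (peer certificate could not be verified, the symptom in this thread) counts as "bad", while build failures and unrelated network errors are reported as "skip" so they do not steer the bisection.

```shell
#!/bin/sh
# Added example (not from the thread): a `git bisect run` driver for hunting the
# curl-side change that broke dynamically linked rustls-ffi. RUSTLS_PREFIX (an
# installed librustls tree) and PROBE_URL are assumed placeholders.
set -u

RUSTLS_PREFIX=${RUSTLS_PREFIX:-/tmp/librustls-0.12.2}
PROBE_URL=${PROBE_URL:-https://example.com}

# Map a curl exit status to what `git bisect run` expects from its script:
# 0 = good commit, 1 = bad commit, 125 = untestable (skip this commit).
# curl exits 60 when the peer certificate cannot be verified, which is the
# symptom under investigation. Any other failure (DNS, connect, timeout, ...)
# is unrelated and must not be counted as bad, or the bisection drifts.
bisect_verdict() {
    case "$1" in
        0)  echo 0 ;;
        60) echo 1 ;;
        *)  echo 125 ;;
    esac
}

# Build curl at the checked-out commit against the dynamic librustls.
# A build failure is also "untestable", never "bad".
build_curl() {
    autoreconf -fi >/dev/null 2>&1 || return 1
    ./configure --with-rustls="$RUSTLS_PREFIX" >/dev/null 2>&1 || return 1
    make -j"$(nproc 2>/dev/null || echo 2)" >/dev/null 2>&1 || return 1
}

# One verified HTTPS request against the freshly built tool, using the
# dynamically linked librustls from RUSTLS_PREFIX.
run_probe() {
    LD_LIBRARY_PATH="$RUSTLS_PREFIX/lib" ./src/curl -sS -o /dev/null "$PROBE_URL"
}

main() {
    build_curl || exit 125
    rc=0
    run_probe || rc=$?
    verdict=$(bisect_verdict "$rc")
    echo "curl exit $rc -> bisect verdict $verdict" >&2
    exit "$verdict"
}

# Only act as the bisect driver when explicitly asked, so the file can also be
# sourced to reuse bisect_verdict.
if [ "${BISECT_RUN:-0}" = 1 ]; then
    main
fi
```

Usage, with the known-good parent commit from later in this thread and the broken release as endpoints: `git bisect start curl-8_7_1 b564a5f5d5280387a88025c5f90260017847add4 && BISECT_RUN=1 git bisect run ./bisect-rustls.sh`. The script must live outside the worktree (or be untracked) so checkouts do not replace it.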
I also filed a bug about a regression in the curl build process, although it seems this was eventually fixed: https://github.com/curl/curl/issues/13200
I didn't do any testing with 0.13.0 yet.
Could you try curl 8.7.1 with https://github.com/curl/curl/commit/647e86a3efe1eea7a2a456c009cfe1eb55fe48eb reverted (together with rustls-ffi 0.12.2)?
> although it seems this was eventually fixed: https://github.com/curl/curl/issues/13200
My suspicion is that this fix is sufficient for the build to complete, but that it has some remaining issues when using dynamic linking with rustls.
> Could you try curl 8.7.1 with https://github.com/curl/curl/commit/647e86a3efe1eea7a2a456c009cfe1eb55fe48eb reverted (together with rustls-ffi 0.12.2)?
Sure!
I tried to revert https://github.com/curl/curl/commit/647e86a3efe1eea7a2a456c009cfe1eb55fe48eb but there were conflicts and it's too early on a Sunday morning for me to try and figure out M4 merge conflicts :laughing:
I did the next best thing and used the parent commit before that change landed: https://github.com/curl/curl/commit/b564a5f5d5280387a88025c5f90260017847add4
Using curl at that commit + librustls 0.12.2 dynamically linked works as expected.
Is this conclusive enough for us all to agree that the issue doesn't appear to be in rustls-ffi, but is something specific to curl after https://github.com/curl/curl/commit/647e86a3efe1eea7a2a456c009cfe1eb55fe48eb, when using dynamic linking?
> I tried to revert https://github.com/curl/curl/commit/647e86a3efe1eea7a2a456c009cfe1eb55fe48eb but there were conflicts and it's too early on a Sunday morning for me to try and figure out M4 merge conflicts 😆
After some additional coffee I realized if I reverted https://github.com/curl/curl/commit/9c4209837094781d5eef69ae6bcad0e86b64bf99 and then https://github.com/curl/curl/commit/647e86a3efe1eea7a2a456c009cfe1eb55fe48eb there would be no conflicts.
Doing that with the tip of master of curl, I'm able to use Rustls-ffi 0.12.2 dynamically linked without error. I'll bring this info over to https://github.com/curl/curl/issues/13200
I'm going to close this so we can consolidate discussion in https://github.com/curl/curl/issues/13200 and https://github.com/curl/curl/issues/13248
I don't believe there's any information at this point that indicates an issue with rustls-ffi itself.
Thanks all!
Circling back here to close the loop: the issue appears to have been an accidental regression in configuration upstream when using pkg-config that meant no default ca-certificate bundle was set. The BadSignature error seems confusing and certainly prolonged this investigation. I'll chase that separately over in https://github.com/rustls/rustls-ffi/issues/409.
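A check for the root cause named in the closing comment (a curl build with no default CA bundle), as an added example that is not part of the thread and not code from curl or rustls-ffi. It reads the bundle path curl was configured with via `curl-config --ca`, classifies it, and prints a run-time override a user can apply without rebuilding. The candidate system bundle locations are assumptions for common distributions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread, curl or rustls-ffi): check whether a
# curl build has a usable default CA bundle before blaming the TLS backend.
# COMMON_BUNDLES lists assumed locations on common distributions.
set -u

COMMON_BUNDLES="/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem"

# Classify the path a curl build was configured with (curl-config --ca).
# Prints: none    - no bundle compiled in; every verified TLS connection fails
#         missing - a path was compiled in but is not readable on this host
#         ok      - bundle present and readable
ca_bundle_status() {
    ca_path=${1:-}
    if [ -z "$ca_path" ]; then
        echo none
    elif [ ! -r "$ca_path" ]; then
        echo missing
    else
        echo ok
    fi
}

# Print the first readable bundle from a space-separated candidate list;
# return 1 and print nothing if none exists.
find_system_ca_bundle() {
    for candidate in $1; do
        if [ -r "$candidate" ]; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Given the status and a fallback bundle, print the environment override the
# curl tool honours at run time (CURL_CA_BUNDLE), or nothing when no fix is
# needed or no fallback bundle was found.
ca_bundle_override() {
    status=$1
    fallback=${2:-}
    if [ "$status" = ok ] || [ -z "$fallback" ]; then
        echo ""
    else
        echo "CURL_CA_BUNDLE=$fallback"
    fi
}

main() {
    curl_config=${CURL_CONFIG:-curl-config}
    configured=$("$curl_config" --ca 2>/dev/null || true)
    status=$(ca_bundle_status "$configured")
    echo "curl-config --ca: '${configured}' -> $status"
    fallback=$(find_system_ca_bundle "$COMMON_BUNDLES" || true)
    override=$(ca_bundle_override "$status" "$fallback")
    if [ -n "$override" ]; then
        echo "workaround until the build is fixed: $override curl https://example.com"
        echo "or per invocation:                   curl --cacert $fallback https://example.com"
    fi
}

# Only probe the installed curl when explicitly asked, so the file can also be
# sourced for its helpers.
if [ "${CA_CHECK_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as `CA_CHECK_RUN=1 sh ca-bundle-check.sh` against the suspect build (point CURL_CONFIG at the right curl-config when several are installed). If the status is `none` and the same request succeeds with `--cacert`, the build, not the peer's certificate, is the problem, whatever the backend's error string says.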
I did this
I have used GitHub as an example here, but GitLab and Bitbucket also failed in the same way.
I expected the following
A successful git https request.
curl/libcurl version
curl 8.7.1 (x86_64-pc-linux-gnu) libcurl/8.7.1 rustls-ffi/0.12.1/rustls/0.22 zlib/1.3.1 zstd/1.5.5 c-ares/1.27.0 libpsl/0.21.5 nghttp2/1.60.0
Release-Date: 2024-03-27
Protocols: dict file ftp ftps http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smtp smtps tftp
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz PSL SSL threadsafe UnixSockets zstd
curl 8.6.0 (x86_64-gentoo-linux-musl) libcurl/8.6.0 rustls-ffi/0.10.0/rustls/0.21.0 zlib/1.3 c-ares/1.25.0 libpsl/0.21.5
Release-Date: 2024-01-31
Protocols: dict file ftp ftps http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smtp smtps tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IPv6 Largefile libz PSL SSL threadsafe UnixSockets
operating system
Gentoo Linux
configure opts