Bug: [SDKMAN does not work with curl 7.81.0]

[fcarbon]

Bug report I cannot update or install SDKMAN since I've updated curl to version 7.81.0. When I run: curl -s "https://get.sdkman.io" | bash Nothing gets installed. If I run: curl -sv "https://get.sdkman.io" | bash I get the following error:

• SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
• ALPN, server accepted to use http/1.1
• Server certificate:
• subject: CN=*.sdkman.io
• start date: Apr 10 00:00:00 2023 GMT
• expire date: Apr 10 23:59:59 2024 GMT
• subjectAltName does not match get.sdkman.io
• SSL: no alternative certificate subject name matches target host name 'get.sdkman.io'

It seems that curl cannot find a matching hostname 'get.sdkman.io' on the certificate.

To reproduce

Run: curl -sv "https://get.sdkman.io" | bash

This will display the following output:

$ curl -sv "https://get.sdkman.io" | bash

• Trying 45.55.42.78:443...
• Connected to get.sdkman.io (45.55.42.78) port 443 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• CAfile: /etc/ssl/certs/ca-certificates.crt
• CApath: /etc/ssl/certs
• TLSv1.0 (OUT), TLS header, Certificate Status (22): } [5 bytes data]
• TLSv1.3 (OUT), TLS handshake, Client hello (1): } [512 bytes data]
• TLSv1.2 (IN), TLS header, Certificate Status (22): { [5 bytes data]
• TLSv1.3 (IN), TLS handshake, Server hello (2): { [122 bytes data]
• TLSv1.2 (IN), TLS header, Finished (20): { [5 bytes data]
• TLSv1.2 (IN), TLS header, Supplemental data (23): { [5 bytes data]
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): { [25 bytes data]
• TLSv1.2 (IN), TLS header, Supplemental data (23): { [5 bytes data]
• TLSv1.3 (IN), TLS handshake, Certificate (11): { [4580 bytes data]
• TLSv1.2 (IN), TLS header, Supplemental data (23): { [5 bytes data]
• TLSv1.3 (IN), TLS handshake, CERT verify (15): { [264 bytes data]
• TLSv1.2 (IN), TLS header, Supplemental data (23): { [5 bytes data]
• TLSv1.3 (IN), TLS handshake, Finished (20): { [52 bytes data]
• TLSv1.2 (OUT), TLS header, Finished (20): } [5 bytes data]
• TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1): } [1 bytes data]
• TLSv1.2 (OUT), TLS header, Supplemental data (23): } [5 bytes data]
• TLSv1.3 (OUT), TLS handshake, Finished (20): } [52 bytes data]
• SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
• ALPN, server accepted to use http/1.1
• Server certificate:
• subject: CN=*.sdkman.io
• start date: Apr 10 00:00:00 2023 GMT
• expire date: Apr 10 23:59:59 2024 GMT
• subjectAltName does not match get.sdkman.io
• SSL: no alternative certificate subject name matches target host name 'get.sdkman.io'
• Closing connection 0
• TLSv1.2 (OUT), TLS header, Supplemental data (23): } [5 bytes data]
• TLSv1.3 (OUT), TLS alert, close notify (256): } [2 bytes data]

System info

[marc0der]

Hi @fcarbon, I'd suggest upgrading to the latest version of curl. My local version is 8.1.2, so you seem quite far behind. FWIW, everything works perfectly on my machine and on our CI pipeline. The SSL certificate is also completely up to date and only expires in April 2024. I hope this helps!

[JanBessai]

Recently shipped Debian 12 (bookworm) comes with that version of curl: https://packages.debian.org/bookworm/curl

I have the same issues in a debian:12 based docker container. I'd appreciate if it could be fixed without jumping through too many hoops.

[marc0der]

@JanBessai Oddly, I do not see any such behaviour with Debian 12. Here are the step I took to replicate your issue:

$ docker run --rm -it debian:12 /bin/bash
$ apt update && apt install -y curl zip unzip
$ curl -s https://get.sdkman.io | bash
$ source /root/.sdkman/bin/sdkman-init.sh
$ sdk version
SDKMAN!
script: 5.18.2
native: 0.4.2
$ curl --version
curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3
Release-Date: 2023-02-20
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

Everything works as expected.

[JanBessai]

I tried to reproduce and found that some snake oil security software I am required to use on the host (FortiClient) is messing with ssl certificates (even inside containers). Sorry to bother you.

[marc0der]

Closing this issue as I see no bug here.