Open ading2210 opened 3 weeks ago
Hi @ading2210 ,
My name is Anthony and I am a member of the wolfSSL team. I have reproduced what you are seeing but I did not add --enable-distro to the wolfssl configure command and I needed to add --without-libpsl to the curl configure command. Either I or another engineer will look into this.
In the meantime, can you let us know a bit about yourself and your project. Here at wolfSSL we love to know how people are using our code. Can I ask where you are located and what your goals are?
Warm regards, Anthony
I also had to add --enable-scp to the wolfssl configuration but even then I was still getting the same error. Still investigating.
Hey @ading2210
I just took over this ticket, since Anthony is traveling this week, so I'm going through your logs (by the way, thanks for providing all the info to reproduce it right away). While I investigate the issue, do you mind sharing a bit more about the project that you are working on and what your goals are? Just to get more context.
Thanks and warm regards, Reda Chouk
Hi @gasbytes
The project that I am using WolfSSL for is a port of the libcurl C library to WebAssembly. WolfSSL is used here to provide TLS support while having the smallest file size, and even when it's compiled to WASM (something that I don't think was ever officially supported), it works really well for this purpose. Most people using my project are using it to proxy HTTPS requests in the browser (as sort of an encrypted CORS proxy), and thus I need the compatibility to be as good as possible. I actually found out about this bug because of a report from a user of my library, and I eventually traced the issue to WolfSSL.
Thanks, Allen
Hey @ading2210
Thanks for the info, seems like a cool project. I'm still investigating, but I might have found the problem and I'm currently working on a fix.
Thanks, Reda Chouk
Hey @ading2210,
Seems like in the file /etc/ssl/cert.pem it was missing Certainly as a trusted CA; that explains why wolfssl returns ASN_NO_SIGNER_E to curl, which means that it couldn't verify Certainly as a trusted authority, hence the error.
We don't manage CA's, that's usually up to the customer/user and their system-wide certificate store. The usual solution is to provide the certificate in question at run time.
Curl has a really nice flag that lets you provide the certificates directly from the command line: --cacert.
To fix the issue, first you need to get the certificate; you can easily extract it and save it locally using openssl like so:
$ openssl s_client -showcerts -connect open.spotify.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > certainly_cert.pem
after this, you can provide the certificate to curl like so, and you will receive the payload correctly:
$ src/curl -4 "https://open.spotify.com/" -v --cacert certainly_cert.pem
* Host open.spotify.com:443 was resolved.
* IPv6: (none)
* IPv4: 151.101.87.42
* Trying 151.101.87.42:443...
* ALPN: curl offers http/1.1
* successfully set certificate verify locations:
* CAfile: certainly_cert.pem
* CApath: none
* ALPN: server accepted http/1.1
* SSL connection using TLSv1.3 / TLS13-AES128-GCM-SHA256
* Connected to open.spotify.com (151.101.87.42) port 443
* using HTTP/1.x
> GET / HTTP/1.1
> Host: open.spotify.com
> User-Agent: curl/8.11.0-DEV
> Accept: */*
...
Let me know if this solution works for you! If you run into any further issues or need more help with curl or certificates, feel free to reach out.
Warm regards, Reda Chouk
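The one-liner above pipes `openssl s_client -showcerts` into `openssl x509`, and `openssl x509` only keeps the first PEM block of its input, which is the server's leaf certificate rather than the Certainly CA. Passing that leaf as --cacert makes curl trust exactly that certificate, so it stops working as soon as the server rotates its certificate, and it tells you nothing about which CA is actually missing from the store. The following script is an added example, not code from the wolfSSL thread or project: it keeps the whole presented chain, verifies the leaf against a chosen CA bundle the way a TLS client does (only the bundle is trusted, the presented intermediates are untrusted helpers), and on failure prints the issuer name that the trust store would need, which is what a "no signer" error such as wolfSSL's ASN_NO_SIGNER_E is reporting. It assumes the openssl command-line tool is installed; host and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the wolfSSL thread: inspect the chain a server presents and
# find out which issuer has to be in the trust store for verification to succeed.
# Requires the openssl command-line tool. Host names and file names are placeholders.

# Print every PEM certificate block from stdin, in the order the server sent them
# (leaf first). Piping `s_client -showcerts` into `openssl x509` instead keeps only
# the FIRST block, i.e. the leaf, not the CA certificate.
extract_chain() {
    awk '/-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep { print }
         /-----END CERTIFICATE-----/ { keep = 0 }'
}

# Fetch the chain presented by HOST ($1) on port 443, with SNI set. This is the only
# function that touches the network; the offline test does not call it.
fetch_chain() {
    openssl s_client -showcerts -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | extract_chain
}

# Split chain file $1 into the first certificate (leaf, written to $2) and the remaining
# certificates (intermediates, written to $3; left empty if the server sent only a leaf).
split_chain() {
    : > "$2"
    : > "$3"
    awk -v leaf="$2" -v rest="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print >> leaf }
        n > 1  { print >> rest }' "$1"
}

# Issuer of the LAST certificate in chain file $1. That issuer is the CA the client's
# trust store must contain (servers rarely send the root itself).
issuer_to_trust() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; keep = 1 }
         keep { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { keep = 0; last = buf }
         END { printf "%s", last }' "$1" \
        | openssl x509 -noout -issuer
}

# Verify like a TLS client would: only CA file $1 is trusted (the default system
# locations are disabled), the intermediates in $2 are untrusted helpers, and $3 is
# the leaf to validate.
verify_leaf() {
    if [ -s "$2" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" "$3"
    else
        openssl verify -no-CAfile -no-CApath -CAfile "$1" "$3"
    fi
}

# Check chain file $1 against CA bundle $2. Returns 0 on success; otherwise returns 1
# and names the issuer that is missing from the bundle, which is what a "no signer"
# style error such as wolfSSL's ASN_NO_SIGNER_E means.
check_chain() {
    tmp=$(mktemp -d) || return 2
    split_chain "$1" "$tmp/leaf.pem" "$tmp/intermediates.pem"
    if verify_leaf "$2" "$tmp/intermediates.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
        rm -rf "$tmp"
        return 0
    fi
    echo "verification failed; the trust store needs: $(issuer_to_trust "$1")" >&2
    rm -rf "$tmp"
    return 1
}

# Usage (needs network access):
#   fetch_chain open.spotify.com > chain.pem && check_chain chain.pem /etc/ssl/cert.pem
```

Running check_chain against /etc/ssl/cert.pem (the file wolfSSL was reading in this thread) versus curl's own CA bundle shows directly whether the issuer is absent from one store and present in the other, which is the question raised later in the thread; the fix is then to add that CA (not the server's leaf) to the store that lacks it.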
Thanks, this workaround seems to work for me. Though I'm not sure as to why curl with OpenSSL works fine here without any workaround, because in both cases the system certificate store was used but curl with OpenSSL was able to connect just fine. The same is the case if I use the CA cert bundle provided by curl themselves (which was extracted from Firefox's source code). I'm not sure if I'm misunderstanding something here, but it seems to me that needing to add another CA cert for this to work is unexpected behavior.
Hello @ading2210
Sorry for the late answer. I wanted to ask you to try adding, given your currently available sys certificates, this flag to the wolfssl config: --enable-altcertchains
From my understanding OpenSSL takes a relaxed approach when validating the peer certificates; using --enable-altcertchains it should match this behaviour.
Another possibility is that openssl may be loading the default system CA certs, and to match that behaviour it would require --enable-sys-ca-certs and also calling wolfSSL_CTX_load_system_CA_certs.
Let me know if this fixes the issue without needing to add the missing intermediate certificate R1 to the store.
Warm regards, Reda Chouk
Contact Details
allen@ading.dev
Version
Latest from git, commit 429e7c7
Description
Curl with WolfSSL is failing when trying to connect to open.spotify.com with the following error:
I'm not sure if there are other websites which cause the same error. open.spotify.com is the only one I can reproduce the issue with.
Curl version info:
I am fairly sure the underlying issue is with WolfSSL since the request works fine in curl with OpenSSL.
When using OpenSSL:
My configure command:
Target environment:
Reproduction steps
Compile WolfSSL from the latest source:
Compile Curl from the latest source using WolfSSL:
Try to download https://open.spotify.com and observe the error:
Relevant log output