[Bug]: Curl with WolfSSL fails when connecting to open.spotify.com - CA signer not available for verification #8137
Comments
Hi @ading2210, My name is Anthony and I am a member of the wolfSSL team. I have reproduced what you are seeing but I did not add In the meantime, can you let us know a bit about yourself and your project? Here at wolfSSL we love to know how people are using our code. Can I ask where you are located and what your goals are? Warm regards, Anthony
I also had to add
Hey @ading2210 I just took over this ticket, since Anthony is traveling this week, so I'm going through your logs (by the way, thanks for providing all the info to reproduce it right away). Thanks and warm regards,
Hi @gasbytes The project that I am using WolfSSL for is a port of the libcurl C library to WebAssembly. WolfSSL is used here to provide TLS support while having the smallest file size, and even when it's compiled to WASM (something that I don't think was ever officially supported), it works really well for this purpose. Most people using my project are using it to proxy HTTPS requests in the browser (as sort of an encrypted CORS proxy), and thus I need the compatibility to be as good as possible. I actually found out about this bug because of a report from a user of my library, and I eventually traced the issue to WolfSSL. Thanks,
Hey @ading2210 Thanks for the info, seems like a cool project. Thanks,
Hey @ading2210, Seems like in the file We don't manage CAs, that's usually up to the customer/user and their system-wide certificate store. The usual solution is to provide the certificate in question at run time. Curl has a really nice flag that lets you provide the certificates directly from the command line: To fix the issue, first you need to get the certificate; you can easily extract it and save it locally using openssl like so: After this, you can provide the certificate to curl like so, and you will receive the payload correctly:
Let me know if this solution works for you! If you run into any further issues or need more help with curl or certificates, feel free to reach out. Warm regards,
Thanks, this workaround seems to work for me. Though I'm not sure as to why curl with OpenSSL works fine here without any workaround, because in both cases the system certificate store was used but curl with OpenSSL was able to connect just fine. The same is the case if I use the CA cert bundle provided by curl themselves (which was extracted from Firefox's source code). I'm not sure if I'm misunderstanding something here, but it seems to me that needing to add another CA cert for this to work is unexpected behavior.
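The extract-and-provide procedure described in the comment above, written out as an added example that is not part of the original thread (the thread's own commands were not captured on this page). It assumes openssl and curl are on PATH; the function names, the output directory and the RUN_NETWORK guard are choices made here, not from the thread. The host is the one from the issue.

```shell
#!/bin/sh
# Added example, not the thread's own commands: fetch the chain a TLS server
# presents, split it into one PEM file per certificate, and hand the issuer
# certificate to curl with --cacert. Assumes openssl and curl are on PATH.
# Function names and the output directory are assumptions made here.

# Read a PEM stream on stdin (e.g. openssl s_client -showcerts output) and write
# each certificate to $1/cert-N.pem in the order the server sent them:
# cert-1 is the leaf, cert-2 onward are whatever intermediates the server
# included. Lines outside BEGIN/END blocks are dropped. Prints the count.
split_pem_chain() {
  outdir="$1"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }
  '
}

# Dump the chain the server presents (requires network access). -showcerts
# prints every certificate the server sent, not just the leaf, so a missing
# intermediate shows up as a short chain here.
fetch_chain() {
  host="$1"
  openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null
}

# Verify against only the certificates in the given file, as the workaround
# in the thread does, and report the HTTP status.
curl_with_cacert() {
  cafile="$1"
  host="$2"
  curl --cacert "$cafile" -sS -o /dev/null -w '%{http_code}\n' "https://$host/"
}

# Guarded so the functions can be sourced without touching the network.
if [ "${RUN_NETWORK:-0}" = "1" ]; then
  host="open.spotify.com"
  dir="./chain-$host"
  count=$(fetch_chain "$host" | split_pem_chain "$dir")
  printf 'server sent %s certificate(s); files in %s\n' "$count" "$dir"
  # When the server sends a proper chain, the leaf's issuer is cert-2.
  [ -f "$dir/cert-2.pem" ] && curl_with_cacert "$dir/cert-2.pem" "$host"
fi
```

Run with RUN_NETWORK=1 to perform the fetch; without it the script only defines the functions. Inspecting the split files (for example with openssl x509 -noout -subject -issuer -in cert-2.pem) shows which issuer the server actually presented and whether that issuer is in the store wolfSSL is consulting, which is the question the rest of this thread turns on.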
Hello @ading2210 Sorry for the late answer.
From my understanding OpenSSL takes a relaxed approach when validating the peer certificates, using Another possibility is that openssl may be loading the default system CA certs, and to match that behaviour it would require Let me know if this fixes the issue without needing to add the missing intermediate certificate R1 to the store. Warm regards,
Using both flags together has the same result.
Hi @ading2210, Based on the CURL documentation, using --ca-native should enable the operating system's native CA store for certificate verification (https://curl.se/docs/sslcerts.html), but the "unrecognized option" error I saw from my logs on Linux suggests it might not be supported in your build or version. If that's the case, providing the --cacert option directly, as I suggested, seems like the most reliable workaround. The inconsistencies between OpenSSL and wolfSSL you mentioned are also discussed here: curl/curl#11883. These differences in how certificates are handled on Linux might explain the behavior you're seeing. I'd recommend testing with the native CA store option if your environment supports it, but falling back to explicitly loading certificates if not. Let us know if this resolves the issue or if further clarification is needed. Thanks,
Contact Details
allen@ading.dev
Version
Latest from git, commit 429e7c7
Description
Curl with WolfSSL is failing when trying to connect to open.spotify.com with the following error:
I'm not sure if there are other websites which cause the same error. open.spotify.com is the only one I can reproduce the issue with.
Curl version info:
I am fairly sure the underlying issue is with WolfSSL since the request works fine in curl with OpenSSL.
When using OpenSSL:
My configure command:
Target environment:
Reproduction steps
Compile WolfSSL from the latest source:
Compile Curl from the latest source using WolfSSL:
Try to download https://open.spotify.com and observe the error:
Relevant log output
Build log: https://pastebin.com/b0SYabhd I couldn't include it in the body of this report since it was too long for Github.