
Curl ignores CA cert bundle for HTTPS proxy on Windows unless explicitly given

Open AlyoshaVasilieva opened this issue 3 years ago • 2 comments

I did this

curl -x https://aghostwithclaws.run https://api.myip.com -v

I expected the following

Curl to use the given HTTPS proxy to connect to the myip.com API.

Actual results

Curl fails with curl: (60) SSL certificate problem: unable to get local issuer certificate

However, if I specify --proxy-cacert C:\path\to\curl-ca-bundle.crt it works fine.

When watching in ProcMon, without --proxy-cacert it seems to find the bundle but doesn't read it. It just does CreateFile/QueryBasicInformationFile/CloseFile. When --proxy-cacert is given it reads the bundle.

It works on Ubuntu and Debian, so I'm assuming this is a Windows problem of some kind.

curl/libcurl version

Official 7.81 from the site:

curl 7.81.0 (x86_64-pc-win32) libcurl/7.81.0 OpenSSL/3.0.1 (Schannel) zlib/1.2.11 brotli/1.0.9 libidn2/2.3.2 libssh2/1.10.0 nghttp2/1.46.0 libgsasl/1.10.0
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI TLS-SRP UnixSockets

Also broken with 7.82.0 and 7.78.0.

Working on Ubuntu 20.04 with:

curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

Working on Debian 11 with:

curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1n zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.43.0 librtmp/2.3
Release-Date: 2020-12-09
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

operating system

Windows 10 Pro 21H2 19044.1645

AlyoshaVasilieva, Apr 22 '22 04:04

libcurl is typically built for Linux with a default CA file or location for both the server and proxy, so that is probably why it works on Linux even when you don't set the command line options.

On all platforms if the user does not set a CA bundle file (--cacert) and does not set a CA directory (--capath) then the curl tool searches environment variables. Additionally on Windows if none of the environment variables exist then curl searches some paths as well.

There is no equivalent environment/path search behavior for --proxy-cacert or --proxy-capath; however, if --proxy-capath was not set then curl will tell libcurl to use whatever was set (or found during search) for --capath. There is some discussion about this in #1257 where I attempted to do the same for --proxy-cacert but abandoned the effort. Basically, if the user does --cacert server.pem it's unlikely they also want --proxy-cacert server.pem; instead they would expect the default location to be used for the proxy cacert.

On Windows I think it may work to set proxy-cacert only if both it and cacert were initially unset and then a curl-ca-certificate.crt was found during search. There may be some downside that I'm forgetting now that it's 5 years later...

edit: the downside is the user may be using curl-ca-bundle.crt just to hold their server's CA certificate, so essentially that solution has the same problem.

jay, Apr 22 '22 06:04
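As an added example (not code from the curl project and not from anyone in this thread): a POSIX sh wrapper that reproduces the default bundle search described in the comment above for --cacert and then passes the file it finds explicitly as --proxy-cacert, which the curl tool does not do on its own. The exact search order used here (CURL_CA_BUNDLE, then SSL_CERT_FILE, then a curl-ca-bundle.crt beside the curl binary or in a directory on the search path) is an approximation of the tool's behaviour and is an assumption of this example, as are the variable names CURL_EXE_DIR and CURL_SEARCH_PATH. SSL_CERT_DIR is deliberately left out: a directory set that way becomes --capath, which the tool already carries over to --proxy-capath.

```shell
#!/bin/sh
# Added example, not code from the curl project or from this thread.
# Mirror the curl tool's default CA-bundle search for --cacert, then hand the
# same file to --proxy-cacert, because the tool leaves the proxy leg without a
# bundle when neither --proxy-cacert nor --proxy-capath is given.
#
# Assumed search order (an approximation, not taken from this page):
#   1. CURL_CA_BUNDLE          (file)
#   2. SSL_CERT_FILE           (file)
#   3. curl-ca-bundle.crt next to the curl binary, then on the search path
#      (the Windows-only fallback; on Linux a default bundle is compiled in)
# SSL_CERT_DIR is not handled: it becomes --capath, which the tool already
# inherits into --proxy-capath by itself.

# resolve_ca_bundle EXE_DIR PATH_LIST
#   Print the bundle file the tool would pick up when neither --cacert nor
#   --capath is given. PATH_LIST is colon-separated (MSYS / Git Bash style).
#   Exit status 1 and no output when nothing is found.
resolve_ca_bundle() {
    exe_dir=$1
    path_list=$2
    if [ -n "${CURL_CA_BUNDLE:-}" ] && [ -f "$CURL_CA_BUNDLE" ]; then
        printf '%s\n' "$CURL_CA_BUNDLE"
        return 0
    fi
    if [ -n "${SSL_CERT_FILE:-}" ] && [ -f "$SSL_CERT_FILE" ]; then
        printf '%s\n' "$SSL_CERT_FILE"
        return 0
    fi
    # Windows-style fallback, done in a subshell so changing IFS to split the
    # path list does not leak into the caller.
    (
        IFS=:
        for d in "$exe_dir" $path_list; do
            if [ -n "$d" ] && [ -f "$d/curl-ca-bundle.crt" ]; then
                printf '%s\n' "$d/curl-ca-bundle.crt"
                exit 0
            fi
        done
        exit 1
    )
}

# proxy_curl_args PROXY_URL [curl args...]
#   Print the argument list to run, one argument per line. Unless the caller
#   already chose how to verify the proxy (--proxy-cacert, --proxy-capath or
#   --proxy-insecure), add --proxy-cacert pointing at the bundle found above.
#   CURL_EXE_DIR and CURL_SEARCH_PATH are assumed knobs of this wrapper, not
#   variables curl itself reads.
proxy_curl_args() {
    proxy=$1
    shift
    need_proxy_ca=1
    for a in "$@"; do
        case $a in
            --proxy-cacert|--proxy-cacert=*|--proxy-capath|--proxy-capath=*|--proxy-insecure)
                need_proxy_ca=0 ;;
        esac
    done
    printf '%s\n' -x "$proxy"
    if [ "$need_proxy_ca" -eq 1 ]; then
        bundle=$(resolve_ca_bundle "${CURL_EXE_DIR:-.}" "${CURL_SEARCH_PATH:-$PATH}") \
            && printf '%s\n' --proxy-cacert "$bundle"
    fi
    for a in "$@"; do
        printf '%s\n' "$a"
    done
}

# run_proxy_curl PROXY_URL [curl args...]
#   Rebuild the positional parameters from proxy_curl_args and exec curl.
#   (Arguments containing newlines are not supported by this simple wrapper.)
run_proxy_curl() {
    args=$(proxy_curl_args "$@") || return 1
    set --
    while IFS= read -r a; do
        set -- "$@" "$a"
    done <<EOF
$args
EOF
    curl "$@"
}

# Example (dry run) for the command from the issue, from Git Bash on Windows:
#   CURL_EXE_DIR="$(dirname "$(command -v curl)")" \
#   proxy_curl_args https://aghostwithclaws.run https://api.myip.com -v
```

Run it from Git Bash or MSYS on the Windows host; a Linux build with a compiled-in default CA file does not need it. Because the same file is reused for both legs, the downside raised above still applies: if curl-ca-bundle.crt holds only the origin server's private CA, the proxy's issuing CA must be added to that file or given with an explicit --proxy-cacert.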

Unless someone comes up with an idea we all like I'm going to close this as won't fix. The best thing I can think of is add a special value to the option allowing the inherit but I'm not that enthusiastic about it.

jay, Jun 10 '22 04:06