
[Windows] quickstart.exe fails with CURL error 60 even with GOOGLE_CLOUD_CPP_REST_DISABLE_SSL_VERIFICATION=true

Open phenriqueol opened this issue 7 months ago • 3 comments

Problem Description

I am trying to run the quickstart example for Google Cloud Storage in a Windows environment, compiled with Bazel. The application consistently fails with CURL error [60]=SSL peer certificate or SSH remote key was not OK, even after several debugging attempts and disabling SSL verification.

Steps to Reproduce

  1. Environment:

    • Operating System: Windows 10 Pro (version 10.0.26100.4061)
    • Compiler: Visual Studio 2022 (version 17.14.2 of the Developer Command Prompt)
    • Build Tool: Bazel (I assume it is a recent version compatible with google-cloud-cpp on Windows, but I don't have the exact version of the Bazel installation).
  2. Environment Variable Configuration (executed in the Visual Studio 2022 Developer Command Prompt):

    set GOOGLE_CLOUD_PROJECT=asr-vsecb
    set GOOGLE_APPLICATION_CREDENTIALS=D:\Projetos\Outros\Google\asr-vsecb-178e38df48f1.json
    set CURL_CA_BUNDLE=D:\Projetos\Outros\Google\cacert.pem
    set GOOGLE_CLOUD_CPP_REST_DISABLE_SSL_VERIFICATION=true
    set GOOGLE_CLOUD_CPP_ENABLE_CLOG=rpc;auth;http;network;curl;flow;tracing
    
  3. Running the Example:

    C:/users/phenrique/_bazel_phenrique/5kg47tsu/execroot/_main/bazel-out/x64_windows-fastbuild/bin/google/cloud/storage/quickstart/quickstart.exe phenriquefly-asr-vs-cb-teste
    
  4. Actual Result:

    Error creating object: UNKNOWN: Permanent error, with a last message of PerformWork() - CURL error [60]=SSL peer certificate or SSH remote key was not OK error_info={reason=, domain=, metadata={gcloud-cpp.retry.original-message=PerformWork() - CURL error [60]=SSL peer certificate or SSH remote key was not OK, gcloud-cpp.retry.function=CreateResumableUpload, gcloud-cpp.retry.reason=permanent-error}}
    

    (Note: There are no additional logs from GOOGLE_CLOUD_CPP_ENABLE_CLOG before the error, which suggests that the failure occurs at a very low level.)

Debugging and Additional Tests Performed

The following tests were performed to isolate the problem:

  1. System Date/Time: Confirmed that the system date and time are correct and synchronized automatically.

  2. Antivirus/Firewall: Norton 360 was disabled, but the problem persisted.

  3. HTTPS Connectivity Test with the System's curl.exe (outside the Developer Command Prompt):

    • Test 1: curl -v -k https://www.google.com

      * Host www.google.com:443 was resolved.
      * IPv6: (none)
      * IPv4: 172.217.29.228
      * Trying 172.217.29.228:443...
      * schannel: disabled automatic use of client certificate
      * ALPN: curl offers http/1.1
      * ALPN: server accepted http/1.1
      * Connected to www.google.com (172.217.29.228) port 443
      * using HTTP/1.x
      > GET / HTTP/1.1
      > Host: www.google.com
      > User-Agent: curl/8.12.1
      > Accept: */*
      >
      * Request completely sent off
      * schannel: remote party requests renegotiation
      * schannel: renegotiating SSL/TLS connection
      * schannel: SSL/TLS connection renegotiated
      < HTTP/1.1 200 OK
      < Date: Mon, 26 May 2025 14:40:05 GMT
      ... (Google's HTML content) ...
      * Connection #0 to host www.google.com left intact
      

      Result: Successful HTTPS connection and SSL/TLS handshake.

    • Test 2: curl -v -k https://storage.googleapis.com

      * Host storage.googleapis.com:443 was resolved.
      * IPv6: (none)
      * IPv4: 172.217.172.59, ... (other IPs) ...
      * Trying 172.217.172.59:443...
      * schannel: disabled automatic use of client certificate
      * ALPN: curl offers http/1.1
      * ALPN: server accepted http/1.1
      * Connected to storage.googleapis.com (172.217.172.59) port 443
      * using HTTP/1.x
      > GET / HTTP/1.1
      > Host: storage.googleapis.com
      > User-Agent: curl/8.12.1
      > Accept: */*
      >
      * Request completely sent off
      * schannel: remote party requests renegotiation
      * schannel: SSL/TLS connection renegotiated
      < HTTP/1.1 400 Bad Request
      < Content-Type: application/xml; charset=UTF-8
      < X-GUploader-UploadID: AAO2Vwq7OOAypffYH0lmAQIPisQPXBGFjsNIjUsT4V6VAn1twZ0WUXNknNS7-N0NZBYUwmZP
      < Content-Length: 181
      < Date: Mon, 26 May 2025 14:52:28 GMT
      ...
      <?xml version='1.0' encoding='UTF-8'?><Error><Code>MissingSecurityHeader</Code><Message>Your request was missing a required header.</Message><Details>Authorization</Details></Error>* Connection #0 to host storage.googleapis.com left intact
      

      Result: Successful HTTPS connection and SSL/TLS handshake. The 400 Bad Request with MissingSecurityHeader is the expected behavior for an unauthenticated request to the API root.

Observation

The tests with the system's curl.exe demonstrate that basic HTTPS connectivity with Google's domains works perfectly when SSL verification is explicitly ignored. The persistent failure in quickstart.exe with CURL error [60] even with GOOGLE_CLOUD_CPP_REST_DISABLE_SSL_VERIFICATION=true suggests that there is a problem with how the google-cloud-cpp library or its internal version of curl is handling SSL/TLS connections in my Windows environment, or that the SSL disable flag is not being applied as expected in the compiled code.

I would appreciate any assistance in investigating this issue.

phenriqueol avatar May 26 '25 14:05 phenriqueol

A translation for convenience of other folks.

Problem Description

I am trying to run the quickstart example for Google Cloud Storage in a Windows environment, compiled with Bazel. The application consistently fails with CURL error [60]=SSL peer certificate or SSH remote key was not OK, even after several debugging attempts and disabling SSL verification.

Steps to Reproduce

  1. Environment:

    • Operating System: Windows 10 Pro (version 10.0.26100.4061)
    • Compiler: Visual Studio 2022 (version 17.14.2 from the Developer Command Prompt)
    • Build Tool: Bazel (I assume it's a recent version compatible with google-cloud-cpp on Windows, but I don't have the exact version of the Bazel installation).
  2. Environment Variable Configuration (executed in the Visual Studio 2022 Developer Command Prompt):

    set GOOGLE_CLOUD_PROJECT=asr-vsecb
    set GOOGLE_APPLICATION_CREDENTIALS=D:\Projetos\Outros\Google\asr-vsecb-178e38df48f1.json
    set CURL_CA_BUNDLE=D:\Projetos\Outros\Google\cacert.pem
    set GOOGLE_CLOUD_CPP_REST_DISABLE_SSL_VERIFICATION=true
    set GOOGLE_CLOUD_CPP_ENABLE_CLOG=rpc;auth;http;network;curl;flow;tracing
    
  3. Running the Example:

    C:/users/phenrique/_bazel_phenrique/5kg47tsu/execroot/_main/bazel-out/x64_windows-fastbuild/bin/google/cloud/storage/quickstart/quickstart.exe phenriquefly-asr-vs-cb-teste
    
  4. Actual Result:

    Error creating object: UNKNOWN: Permanent error, with a last message of PerformWork() - CURL error [60]=SSL peer certificate or SSH remote key was not OK error_info={reason=, domain=, metadata={gcloud-cpp.retry.original-message=PerformWork() - CURL error [60]=SSL peer certificate or SSH remote key was not OK, gcloud-cpp.retry.function=CreateResumableUpload, gcloud-cpp.retry.reason=permanent-error}}
    

    (Note: There are no additional logs from GOOGLE_CLOUD_CPP_ENABLE_CLOG before the error, which suggests the failure occurs at a very low level.)

Debugging and Additional Tests Performed

The following tests were performed to isolate the problem:

  1. System Date/Time: Confirmed that the system date and time are correct and synchronized automatically.
  2. Antivirus/Firewall: Norton 360 was disabled, but the problem persisted.
  3. HTTPS Connectivity Test with System's curl.exe (outside the Developer Command Prompt):
    • Test 1: curl -v -k https://www.google.com
      • Result: Successful HTTPS connection and SSL/TLS handshake.
    • Test 2: curl -v -k https://storage.googleapis.com
      • Result: Successful HTTPS connection and SSL/TLS handshake. The 400 Bad Request with MissingSecurityHeader is the expected behavior for an unauthenticated request to the API root.

Observation

The tests with the system's curl.exe demonstrate that basic HTTPS connectivity with Google's domains works perfectly when SSL verification is explicitly ignored. The persistent failure in quickstart.exe with CURL error [60] even with GOOGLE_CLOUD_CPP_REST_DISABLE_SSL_VERIFICATION=true set suggests that there is a problem with how the google-cloud-cpp library or its internal version of curl is handling SSL/TLS connections in my Windows environment, or that the SSL disable flag is not being applied as expected in the compiled code.

I would appreciate any assistance in investigating this issue.

diegomarquezp avatar Aug 18 '25 17:08 diegomarquezp

Hi @phenriqueol, thank you for reporting this. Could you please confirm whether the error still persists as of today (i.e. update parameters, versions and try again)? Also, would you share which bazel command you are using to build the library? Are there any additional env vars you used for this?

Also, for faster response times, consider using our Support Hub if you have a support plan with Google Cloud.

diegomarquezp avatar Aug 18 '25 17:08 diegomarquezp

Hello @phenriqueol, are you still experiencing this problem?

diegomarquezp avatar Nov 06 '25 17:11 diegomarquezp