cpr::ssl::CaBuffer not working

Open erkska opened this issue 3 years ago • 4 comments

Description

When trying to make an HTTPS request using the CaBuffer object, the request fails. I have a file with a cert that I provided to CaInfo, and that way everything worked, but as soon as I try providing the cert in string format to CaBuffer it doesn't work.

Expected Behavior

cpr::SslOptions ssl_opts = cpr::Ssl(cpr::ssl::CaBuffer {"<CERT>"});
const cpr::Response r = cpr::Get(cpr::Url {url}, ssl_opts);

The request should be successful.

Actual Behavior

The request fails. I've tried multiple ways to format the cert: with/without newlines, newline at the end of the cert, etc. Even if I read the same file that I provided to CaInfo into a string and then pass it to CaBuffer, it fails.

Possible Fix

I analysed the code and stepped through with a debugger. The code succeeds in writing the callback function to curl's fsslctx and the cert to fsslctxp. But the callback function never seems to be called. I modified sslctx_function_load_ca_cert_from_buffer to write a file into my filesystem, and that never happened.

Steps to Reproduce

Simply use the CaBuffer function. Also the tests that are in this repo with this function seem to be quite pointless because they don't show if the function succeeds or not.

Context

I attempted to fetch a file over HTTPS. Now I'm writing a cert to the filesystem and reading it with CaInfo.

Your Environment

libcurl version 7.80, Linux aarch64, OpenSSL, cpr 1.9.1

erkska, Sep 07 '22 14:09

Hi @erkska, thanks for reporting this! We actually have a test case for this here: https://github.com/libcpr/cpr/blob/7938bc7702130f989b76822909b57b829dcd806a/test/ssl_tests.cpp#L132-L151

There we use the following example certificate for testing: https://github.com/libcpr/cpr/blob/master/test/data/certificates/root-ca.crt

Is there any chance you can try running this unit test on your system, to validate your results?

COM8, Sep 08 '22 07:09

I don't understand the point of this test. As I get it, if you set ssl::VerifyPeer{false} (also the Host and Status) then the cert verification doesn't even happen and it lets you fetch the content anyway. If I set VerifyPeer to false in my code then it works with CaBuffer.

erkska, Sep 08 '22 11:09

In fact, you are right about that! I will probably have more time over the weekend to look deeper into this.

COM8, Sep 09 '22 06:09

I'm currently working in a separate branch on this: https://github.com/libcpr/cpr/tree/CaBufferFix

I was able to reproduce this bug and I already fixed one related bug. But the main issue is still there and I don't know why right now.

When using mypem from here: https://curl.se/libcurl/c/cacertinmem.html

Now at least it does not segfault any more ;D

COM8, Sep 11 '22 12:09
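
The test-design point raised in this thread, as an added example that is not part of the issue or of cpr's test suite: it uses Go's standard library rather than cpr, because Go can start a TLS server and mint a throwaway CA in-process. `fetch`, `check` and `unrelatedCA` are names made up for this example, and `skipVerify` stands in for `ssl::VerifyPeer{false}`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Added example: every name here is illustrative, none of it is cpr API.
// unrelatedCA builds a throwaway self-signed CA that did not sign the server.
func unrelatedCA() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// fetch trusts only the certificates in caPEM, an in-memory CA buffer.
// skipVerify plays the role of ssl::VerifyPeer{false} in the test discussed above.
func fetch(url string, caPEM []byte, skipVerify bool) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM) // an unusable buffer leaves the pool empty
	c := &http.Client{Transport: &http.Transport{DisableKeepAlives: true,
		TLSClientConfig: &tls.Config{RootCAs: pool, InsecureSkipVerify: skipVerify}}}
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// check returns the outcome for: right CA, wrong CA, wrong CA with verification off.
func check() (right, wrong, wrongUnverified error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	good := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return fetch(srv.URL, good, false), fetch(srv.URL, unrelatedCA(), false), fetch(srv.URL, unrelatedCA(), true)
}

func main() { fmt.Println(check()) }
```

A CA-buffer test only shows that the buffer is used when the right-CA request succeeds and the wrong-CA request fails with verification on; the third result shows that with verification off any buffer passes.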