Bug #692

Curl fails to fetch HTTPS CRL URL

Added by John Doe over 6 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: libstrongswan
Target version:
Start date: 28.08.2014
Due date:
Estimated time:
Affected version: 5.2.0
Resolution: Fixed

Description

If the certificate contains an HTTPS URL to connect to the CRL, curl fails to connect.

Here is a patch to make it work:

--- src/libstrongswan/plugins/curl/curl_plugin.c 2013-10-18 12:38:17.000000000 1100
+
+ src/libstrongswan/plugins/curl/curl_plugin.c 2014-08-27 15:15:19.277802550 +1000
@ -79,7 +79,7 @
},
);

- res = curl_global_init(CURL_GLOBAL_NOTHING);
+ res = curl_global_init(CURL_GLOBAL_DEFAULT);
if (res != CURLE_OK) {
DBG1(DBG_LIB, "global libcurl initializing failed: %s",
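Review bot: There is no fallback on the failure path that follows the changed curl_global_init() call. With SSL initialization now part of that call, an SSL backend that fails to initialize ends up in the same res != CURLE_OK branch and log message as any other initialization failure, so plain http:// fetching would be lost along with https://. Consider retrying with CURL_GLOBAL_NOTHING when the SSL-enabled call fails, so that only https:// is unavailable in that case.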


Related issues

Related to Issue #2570: libcurl http request failed: SSL: couldn't create a context: error:140A90A1:lib(20):func(169):reason(161) (Closed)

Associated revisions

Revision 0c8c965c
Added by Martin Willi about 6 years ago

Merge branch 'curl-features'

Enable missing https:// support in the curl plugin by initializing libcurl
appropriately.

To initialize the SSL backend properly as required, we rely on our specific
crypto backends (openssl, gcrypt) that already provide this functionality.

Fixes #692.

History

#1 Updated by John Doe over 6 years ago

Here is the patch again because the formatting was screwed up in the original:

--- src/libstrongswan/plugins/curl/curl_plugin.c    2013-10-18 12:38:17.000000000 +1100
+++ src/libstrongswan/plugins/curl/curl_plugin.c    2014-08-27 15:15:19.277802550 +1000
@@ -79,7 +79,7 @@
         },
     );

-    res = curl_global_init(CURL_GLOBAL_NOTHING);
+    res = curl_global_init(CURL_GLOBAL_DEFAULT);
     if (res != CURLE_OK)
     {
         DBG1(DBG_LIB, "global libcurl initializing failed: %s",
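Review bot: CURL_GLOBAL_DEFAULT on the added line requests more than https:// needs, since it enables libcurl's Win32 socket initialization as well as SSL. CURL_GLOBAL_SSL would keep the change limited to the SSL backend. Because libcurl will now initialize an SSL library inside a process that may set up the same crypto library elsewhere, a comment at this call stating which component owns that initialization and its cleanup would help.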

#2 Updated by Martin Willi over 6 years ago

  • Assignee set to Martin Willi

#3 Updated by Martin Willi over 6 years ago

  • Tracker changed from Issue to Bug
  • Status changed from New to Assigned
  • Target version set to 5.2.1

Hi,

> If the certificate contains an HTTPS URL to connect to the CRL, curl fails to connect.

I agree, seems that HTTPS support was missing in the curl fetcher backend.

> Here is a patch to make it work:

Thanks for the patch. I'd prefer to use CURL_GLOBAL_SSL only, as we initialize Winsock2 anyway by ourselves. Also, we should probably have a fallback in case SSL initialization fails.

It's probably a good idea to dynamically query the protocols supported by the libcurl build, and announce supported plugin features only. I've pushed three patches to the curl-features branch, queued for master.

Regards
Martin

#4 Updated by Martin Willi over 6 years ago

Seems that there is a bad interaction issue between our openssl plugin and libcurl if it uses the OpenSSL based SSL backend.

The problem is that the threading callbacks get registered, but can't be unregistered in our plugin. libcurl makes use of them during cleanup, but the openssl plugin is already gone. Not sure yet how to fix this.

#5 Updated by Martin Willi about 6 years ago

  • Category set to libstrongswan
  • Status changed from Assigned to Closed
  • Resolution set to Fixed

The associated merge commit fixes the issue.

When using OpenSSL with curl, we have to register appropriate threading callbacks for the SSL backend used by libcurl. To avoid any conflicts with our openssl and gcrypt plugins already doing that, we rely on these plugins to provide the appropriate functionality.

To fetch over HTTPS, this implies that you'll need the appropriate strongSwan plugin enabled for the libcurl SSL backend you are using. Refer to the curl Wiki page for details.

Regards
Martin
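The approach described in comments #3 and #5, as an added example that is not strongSwan's code: announce only the URL schemes the libcurl build supports, and tie https:// to the plugin for its SSL backend. The type and function names are hypothetical, the inputs are passed as plain values so it builds without libcurl, and the pairing of OpenSSL with the openssl plugin and GnuTLS with the gcrypt plugin is an assumption based on the two backends named in the merge commit.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type: schemes to announce and the strongSwan plugin
 * that must be loaded for https:// (NULL when https is not announced). */
typedef struct {
    bool http, https;
    const char *needs_plugin;
} fetch_features_t;

/* 'protocols' has the shape of the NULL-terminated 'protocols' field of
 * the struct returned by curl_version_info(CURLVERSION_NOW). */
static bool has_proto(const char *const *protocols, const char *name)
{
    for (; protocols && *protocols; protocols++) {
        if (strcmp(*protocols, name) == 0)
            return true;
    }
    return false;
}

/* 'ssl_version' has the shape of that struct's 'ssl_version' field, e.g.
 * "OpenSSL/1.0.1f", or NULL without SSL support. 'ssl_init_ok' is false if
 * CURL_GLOBAL_SSL failed and init fell back to CURL_GLOBAL_NOTHING. */
fetch_features_t select_features(const char *const *protocols,
                                 const char *ssl_version, bool ssl_init_ok)
{
    fetch_features_t f = { has_proto(protocols, "http"), false, NULL };
    if (!ssl_init_ok || !ssl_version || !has_proto(protocols, "https"))
        return f;   /* announce http:// only */
    /* Assumed mapping from SSL backend to the plugin set up for it */
    if (strncmp(ssl_version, "OpenSSL", 7) == 0)
        f.needs_plugin = "openssl";
    else if (strncmp(ssl_version, "GnuTLS", 6) == 0)
        f.needs_plugin = "gcrypt";
    f.https = f.needs_plugin != NULL;
    return f;
}

/* Constructed sample data, not taken from a real libcurl build */
static const char *const sample_protos[] = { "file", "http", "https", NULL };
int main(void)
{
    fetch_features_t f = select_features(sample_protos, "OpenSSL/1.0.1f", true);
    printf("http=%d https=%d plugin=%s\n", f.http, f.https,
           f.needs_plugin ? f.needs_plugin : "(none)");
    return 0;
}
```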

#6 Updated by Tobias Brunner almost 3 years ago

  • Related to Issue #2570: libcurl http request failed: SSL: couldn't create a context: error:140A90A1:lib(20):func(169):reason(161) added
