View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003806 | GNUnet | hostlist daemon | public | 2015-05-31 08:24 | 2018-06-07 00:24 |

Field | Value |
---|---|
Reporter | dan |
Assigned To | Jeff Burdges |
Priority | urgent |
Severity | major |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Product Version | Git master |
Summary | 0003806: gnurl/curl can't handle ca-path or ca-bundles properly when using GNUTLS |
Tags | No tags attached. |

Description:

```
WARNING Download of hostlist from `https://gnunet.io/hostlist' failed: `Peer certificate cannot be authenticated with given CA certificates'
```

This is happening even though the certificate is in place and

```
gnurl --cacert /etc/ssl/certs/COMODO_ECC_Certification_Authority.crt \
  https://gnunet.io/
```

works just fine. However, somehow --capath and --cabundle work only for OpenSSL and PolarSSL, according to curl/gnurl sources. How is this intended to work?

Looks like a duplicate of 0003564, except maybe with a hint as to why it doesn't work. (Note that I can't reproduce 0003564, but this seems to be the same issue.)

Some links that might shed some light on this:

- https://github.com/Yubico/yubico-c-client/issues/24
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482814
- http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTCAPATH
- http://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html
- http://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
- http://curl.haxx.se/docs/ssl-compared.html

Based on all the docs I can find, we shouldn't need to explicitly specify "/etc/ssl/certs" anyway, as GnuTLS will use that path by default. So either you didn't compile gnurl against libgnutls or somehow a different path was hardcoded in your GnuTLS binary. Does the download work if you just run

```
$ gnurl https://gnunet.io/hostlist
```

(it does for me)? Also, if not, what do you get for

```
$ ldd `which gnurl`
```

```
root@OpenWrt:/# ldd `which gnurl`
	/lib/ld-musl-mips-sf.so.1 (0x7788f000)
	libgnurl.so.0 => /usr/lib/libgnurl.so.0 (0x77853000)
	libidn.so.11 => /usr/lib/libidn.so.11 (0x77814000)
	libnettle.so.6 => /usr/lib/libnettle.so.6 (0x777c9000)
	libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x776de000)
	libz.so.1 => /usr/lib/libz.so.1 (0x776bf000)
	libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x7769b000)
	libc.so => /lib/ld-musl-mips-sf.so.1 (0x7788f000)
	libhogweed.so.4 => /usr/lib/libhogweed.so.4 (0x7765b000)
	libgmp.so.10 => /usr/lib/libgmp.so.10 (0x775e0000)
root@OpenWrt:/# gnurl -v -o /dev/null https://www.gnunet.org/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* server certificate verification failed. CAfile: none CRLfile: none
curl: (60) server certificate verification failed. CAfile: none CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```

Trying to build gnurl --with-ca-path isn't possible, see

```
$ ./configure --enable-ipv6 --with-gnutls --without-libssh2 --without-libmetalink --without-winidn --without-librtmp --without-nghttp2 --without-nss --without-cyassl --without-polarssl --without-ssl --without-winssl --without-darwinssl --disable-sspi --disable-ntlm-wb --disable-ldap --disable-rtsp --disable-dict --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smtp --disable-gopher --disable-file --disable-ftp --disable-smb --with-ca-path=/etc/ssl/certs/
checking whether to enable maintainer-specific portions of Makefiles... no
checking whether to enable debug build options... no
checking whether to enable compiler optimizer... (assumed) yes
checking whether to enable strict compiler warnings... no
checking whether to enable compiler warnings as errors... no
checking whether to enable curl debug memory tracking... no
checking whether to enable hiding of library internal symbols... yes
checking whether to enable c-ares for DNS lookups... no
checking for path separator... :
checking for sed... /usr/bin/sed
checking for grep... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ar... /usr/bin/ar
checking for a BSD-compatible install... /usr/bin/install -c
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking how to run the C preprocessor... gcc -E
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for style of include used by make... GNU
checking whether make supports nested variables... yes
checking dependency style of gcc... gcc3
checking curl version... 7.40.1-DEV
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for sys/types.h... yes
checking for stdint.h... yes
checking for inttypes.h... yes
checking for grep that handles long lines and -e... (cached) /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... (cached) yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... (cached) yes
checking for stdint.h... (cached) yes
checking for unistd.h... yes
checking size of long... 8
checking size of void*... 8
checking for 64-bit curl_off_t data type... long
checking size of curl_off_t... 8
checking formatting string directive for curl_off_t... "ld"
checking formatting string directive for unsigned curl_off_t... "lu"
checking constant suffix string for curl_off_t... L
checking constant suffix string for unsigned curl_off_t... UL
checking if OS is AIX (to define _ALL_SOURCE)... no
checking if _THREAD_SAFE is already defined... no
checking if _THREAD_SAFE is actually needed... no
checking if _THREAD_SAFE is onwards defined... no
checking if _REENTRANT is already defined... no
checking if _REENTRANT is actually needed... no
checking if _REENTRANT is onwards defined... no
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... no
checking how to print strings... printf
checking for a sed that does not truncate output... (cached) /usr/bin/sed
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /usr/bin/dd
checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
checking for mt... no
checking if : is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking whether to build shared libraries with -version-info... yes
checking whether to build shared libraries with -no-undefined... no
checking whether to build shared libraries with -mimpure-text... no
checking whether to build shared libraries with PIC... yes
checking whether to build static libraries with PIC... yes
checking whether to build shared libraries only... no
checking whether to build static libraries only... no
checking for inline... inline
checking if compiler is DEC/Compaq/HP C... no
checking if compiler is HP-UX C... no
checking if compiler is IBM C... no
checking if compiler is Intel C... no
checking if compiler is clang... no
checking if compiler is GNU C... yes
checking if compiler is LCC... no
checking if compiler is SGI MIPSpro C... no
checking if compiler is SGI MIPS C... no
checking if compiler is SunPro C... no
checking if compiler is Tiny C... no
checking if compiler is Watcom C... no
checking if compiler accepts debug disabling options... yes
configure: compiler options added:
checking if compiler optimizer assumed setting might be used... yes
checking if compiler accepts optimizer enabling options... yes
configure: compiler options added: -O2
checking if compiler accepts strict warning options... yes
configure: compiler options added: -Wno-system-headers
checking if compiler halts on compilation errors... yes
checking if compiler halts on negative sized arrays... yes
checking if compiler halts on function prototype mismatch... yes
checking if compiler supports hiding library internal symbols... yes
checking for windows.h... no
checking whether build target is a native Windows one... no
checking whether build target supports WIN32 file API... no
checking whether to support http... yes
checking whether to support ftp... no
checking whether to support file... no
checking whether to support ldap... no
checking whether to support ldaps... no
checking whether to support rtsp... no
checking whether to support proxies... yes
checking whether to support dict... no
checking whether to support telnet... no
checking whether to support tftp... no
checking whether to support pop3... no
checking whether to support imap... no
checking whether to support smb... no
checking whether to support smtp... no
checking whether to support gopher... no
checking whether to provide built-in manual... yes
checking whether to enable generation of C code... yes
checking whether to use libgcc... no
checking if X/Open network library is required... no
checking for gethostbyname... yes
checking for strcasecmp... yes
checking for windows.h... (cached) no
checking for winsock.h... (cached) no
checking for winsock2.h... (cached) no
checking for connect in libraries... yes
checking whether time.h and sys/time.h may both be included... yes
checking for sys/types.h... (cached) yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking time.h usability... yes
checking time.h presence... yes
checking for time.h... yes
checking for monotonic clock_gettime... yes
checking for clock_gettime in libraries... no additional lib required
checking if monotonic clock_gettime works... yes
checking for inflateEnd in -lz... yes
checking zlib.h usability... yes
checking zlib.h presence... yes
checking for zlib.h... yes
configure: found both libz and libz.h header
checking whether to enable IPv6... yes
checking if struct sockaddr_in6 has sin6_scope_id member... yes
checking if argv can be written to... yes
checking if GSS-API support is requested... no
checking whether to enable Windows native SSL/TLS (Windows native builds only)... no
checking whether to enable iOS/Mac OS X native SSL/TLS... no
checking for pkg-config... /usr/bin/pkg-config
checking for gnutls options with pkg-config... found
checking for gnutls_check_version in -lgnutls... yes
configure: detected GnuTLS version 3.4.2
checking for nettle_MD5Init in -lgnutls... no
checking for gcry_control in -lgnutls... no
checking for nettle_MD5Init in -lnettle... yes
checking for gnutls_srp_verifier in -lgnutls... yes
checking default CA cert bundle/path... configure: error: --with-ca-path only works with openSSL or PolarSSL
```

I have not yet managed to replicate exactly this error. There are two locations listed in svn/gnunet/src/hostlist/hostlist.conf:

```
SERVERS = http://v10.gnunet.org/hostlist https://gnunet.io/hostlist
```

Appears gnunet-daemon-hostlist selects randomly between them, which seems odd given that one is http and one is https. We can try to access either URL using curl/gnurl, iceweasel, or gnunet-daemon-hostlist via gnunet-arm -s, and either using system SOCKS proxying over Tor or not.

I found that https://gnunet.io/hostlist always works under gnurl, curl, and iceweasel, irrespective of system or browser proxy settings, meaning Tor or no Tor.

I noticed http://v10.gnunet.org/hostlist has certificate issues when proxied over Tor, or say promoted to https, like say by HTTPS Everywhere on a non-torified browser.

```
$ gnurl https://v10.gnunet.org/hostlist
curl: (51) SSL: certificate subject name (gnunet.org) does not match target host name 'v10.gnunet.org'
$ curl https://v10.gnunet.org/hostlist
curl: (51) SSL: no alternative certificate subject name matches target host name 'v10.gnunet.org'
```

Both gnurl and curl report a 502 Proxy Error on http://v10.gnunet.org/hostlist when the system is proxied over Tor. I presume you do not have any proxies involved, do you?

Anyways, if we use gnunet-daemon-hostlist via gnunet -s with the system SOCKS proxy set to Tor then we encounter:

```
hostlist-27960 WARNING Download of hostlist from `https://gnunet.io/hostlist' failed: `Couldn't resolve host name'
hostlist-27960 WARNING Download of hostlist from `http://v10.gnunet.org/hostlist' failed: `Couldn't resolve host name'
```

I suppose that's an orthogonal issue.

If however I disable the system proxy and run gnunet -s then I've no complaints about http://gnunet.io/hostlist but I still get:

```
hostlist-28290 WARNING Download of hostlist from `http://v10.gnunet.org/hostlist' failed: `HTTP response code said error'
```

I've no problem accessing http://v10.gnunet.org/hostlist with curl or gnurl directly here, when not using a SOCKS proxy.

Also, one obligatory dumb question: You aren't behind some captive portal are you?

I tried in various different setups. Finally I figured that gnurl/curl simply doesn't tell GnuTLS to include the system-provided trust storage. Given that the --with-ca-path configure flag of curl also doesn't work with GnuTLS, the trust store ends up empty.

Reported upstream: https://github.com/bagder/curl/issues/330

Fix suggested: https://github.com/bagder/curl/pull/331

Now backported the upstream fix https://github.com/bagder/curl/commit/5a1614cecdd57cab8b4ae3e9bc19dfff5ba77e80 to gnurl on OpenWrt, see https://github.com/openwrt/packages/commit/c31e6bb7c0ebbb20de636f2756aed221aefc2404

This does the trick until gnurl is rebased onto a more recent curl. Now GNUnet works on OpenWrt even with only the https_client transport plugin enabled, see

```
root@OpenWrt:/tmp/run/gnunet# gnunet-ats
Peer `60JY' plugin `https_client', address `https_client.0.https://gnio.amatus.name:4433', `WAN' bw out: 38058 Bytes/s, bw in 38058 Bytes/s, active
Peer `DSTJ' plugin `https_client', address `https_client.0.https://gnunet.informatik.tu-muenchen.de:4433', `UNSPECIFIED' bw out: 65536 Bytes/s, bw in 65536 Bytes/s, active
Peer `GN10' plugin `https_client', address `https_client.0.https://lost.amatus.name:4433', `WAN' bw out: 27477 Bytes/s, bw in 27477 Bytes/s, active
```

Independently of the issue with curl/gnurl CApath, the gnunet.org domain certificate seems to be broken as it doesn't include SubjectAltName for all subdomains nor a wildcard.

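The two failure classes discussed in this ticket, an empty trust store (the `Peer certificate cannot be authenticated with given CA certificates` error) and a certificate whose SubjectAltName list does not cover the requested host (the `v10.gnunet.org` mismatch), can be reproduced offline. The following is an added example, not code from the ticket, gnurl or curl: it builds a constructed test CA and server certificate with Go's crypto/x509 (the CA name, serial numbers and P-256 keys are made up) and verifies the leaf against an empty pool, against a pool holding the CA, and for a host outside its SAN list; NewPKI accepts any SAN list, so a wildcard such as `*.gnunet.org` can be tried the same way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; any failure in this constructed PKI is a bug, not bad input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewPKI builds a constructed root (our stand-in for the system trust store) and a server cert whose SubjectAltNames are exactly sans.
func NewPKI(sans ...string) (ca, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: sans[0]}, DNSNames: sans,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf
}

// Outcome verifies leaf for host against roots and names the failure class as a curl user sees it; an empty pool mimics the bug.
func Outcome(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError: // "Peer certificate cannot be authenticated with given CA certificates"
		return "unknown authority"
	case x509.HostnameError: // "no alternative certificate subject name matches target host name"
		return "hostname mismatch"
	}
	return "other: " + err.Error()
}

func main() {
	ca, leaf := NewPKI("gnunet.org")
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println(Outcome(leaf, x509.NewCertPool(), "gnunet.org"), Outcome(leaf, trusted, "gnunet.org"), Outcome(leaf, trusted, "v10.gnunet.org"))
}
```

Note that Go checks the hostname before it builds the chain, so with both defects present only the hostname mismatch is reported; the order of the two checks varies between TLS libraries.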
Jeff wrote:

> Both gnurl and curl report a 502 Proxy Error on http://v10.gnunet.org/hostlist when the system is proxied over Tor. I presume you do not have any proxies involved, do you?

Yes, the gnunet.org HTTP is a reverse proxy for the actual hostlist daemon. It had keepalive enabled, which caused the hostlist daemon to exceed its connection-per-IP limit. I've fixed it by (1) raising the limit and (2) disabling keepalive for the reverse proxy.

Daniel: So I read that we should update libgnurl soon to get the fix and simplify the packaging? Also, wrt the gnunet.org domain certificate: I'm well aware. I asked for SubjectAltNames from our highly-qualified CA run by the German research network and the computer science department. They gave me a cert without the SubjectAltNames anyway. I complained, still they didn't re-issue it. Well, at least it's free... I hope that the EFF's CA will allow me to fix this...

Last modified 2015-07-13 … has this been resolved since with all the gnURL releases since then?

Testing with gnurl-7.55.1-4 this is resolved as fixed. I ran some of the commands in `guix environment --ad-hoc gnurl` and they all worked out.

Date Modified | Username | Field | Change |
---|---|---|---|
2015-05-31 08:24 | dan | New Issue | |
2015-05-31 12:59 | Christian Grothoff | Relationship added | duplicate of 0003564 |
2015-05-31 13:00 | Christian Grothoff | Note Added: 0009199 | |
2015-05-31 13:01 | Christian Grothoff | Priority | normal => urgent |
2015-05-31 13:01 | Christian Grothoff | Status | new => confirmed |
2015-05-31 13:51 | Christian Grothoff | Note Added: 0009202 | |
2015-05-31 21:33 | Christian Grothoff | Note Added: 0009212 | |
2015-05-31 21:33 | Christian Grothoff | Assigned To | => Christian Grothoff |
2015-05-31 21:33 | Christian Grothoff | Status | confirmed => feedback |
2015-06-29 10:16 | Christian Grothoff | Assigned To | Christian Grothoff => Jeff Burdges |
2015-06-29 10:16 | Christian Grothoff | Status | feedback => assigned |
2015-06-29 14:32 | dangole | Note Added: 0009366 | |
2015-06-29 18:14 | Jeff Burdges | Note Added: 0009371 | |
2015-06-29 18:17 | Jeff Burdges | Note Edited: 0009371 | |
2015-06-29 19:34 | dangole | Note Added: 0009372 | |
2015-06-29 21:19 | dangole | Note Added: 0009374 | |
2015-07-13 16:14 | Christian Grothoff | Note Added: 0009427 | |
2015-07-13 16:21 | Christian Grothoff | Note Added: 0009428 | |
2017-06-26 00:38 | nikita | Note Added: 0012271 | |
2017-09-27 19:53 | nikita | Status | assigned => resolved |
2017-09-27 19:53 | nikita | Resolution | open => fixed |
2017-09-27 19:53 | nikita | Note Added: 0012453 | |
2018-06-07 00:24 | Christian Grothoff | Status | resolved => closed |