beyond-all-reason/pr-downloader

`CURLSSLOPT_NATIVE_CA` not resolving certificates correctly in all cases.

Opened this issue · 2 comments

When the Windows installation is fresh (can be simulated using Windows Sandbox), curl has an issue validating the certificate for the repos-cdn.beyondallreason.dev domain. The workaround is to load https://repos-cdn.beyondallreason.dev/ once in Edge or Internet Explorer, and then certificate validation works just fine.

I believe this is an upstream bug in curl. Next steps are to build a minimal reproducible example, gather more data, and report upstream.

I believe this is now mentioned on the curl issue tracker in curl/curl#12303.

I thought that maybe updating curl would resolve it, but no. Yes, we are using OpenSSL.

I also have a minimal example:

  • Start Windows Sandbox
  • Run pr-downloader and it will resolve with `SSL peer certificate or SSH remote key was not OK 0 (https://repos.springrts.com/repos.gz), aborting`
  • Run the regular official curl build that uses LibreSSL: it succeeds
  • Run pr-downloader: still fails
  • Run the Windows built-in curl that uses a different TLS backend: it succeeds
  • Run pr-downloader: it magically starts to work correctly.

Next step: try switching our curl build to LibreSSL and see if it resolves this issue; I also need to confirm that switching to LibreSSL is not a problem for anything.

Correction: the official curl build also fails. It succeeded because it fell back to the certificate bundle. Without the certificate bundle, the behavior is the same as pr-downloader's.

So, switching to LibreSSL won't help. Switching to a native Schannel build might resolve this, so that's a valid option to consider.