Had a bit more time to debug further into this... seems some code in the "verify" function is the culprit...

        int verify_callback(int valid, X509_STORE_CTX* ctx)
	{
		X509* err_cert = X509_STORE_CTX_get_current_cert(ctx);
		int err = X509_STORE_CTX_get_error(ctx); // <-- this returns err 20, i.e. X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
                
                ...
			if (err != X509_V_OK) // <-- this triggers
				logDebug("SSL cert initial error: %s", X509_verify_cert_error_string(err).to!string);

			if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) { // <-- this triggers as well
				logDebug("SSL certificate not accepted by remote.");
				return false;
			}

                        ...
					case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
                                                ...
                                                // Never gets to here, which would clear the error...
						if (!(vdata.validationMode & TLSPeerValidationMode.checkTrust)) {
							valid = true;
							err = X509_V_OK;
						}

So it seems like despite it being set to not check the certificate (due to it being a "client" request, and there doesn't seem to be an opportunity to provide a certificate store to requestHTTP), it errors out of that function due to OpenSSL complaining about it being an untrusted certificate.

Forgive my ignorance if I'm off track here as I'm not super-familiar with OpenSSL, but as I mentioned this started in the change from 0.7.25->0.7.26 for me. I tried using the Botan implementation instead but that just crashes outright for me even on simple requests...

Not sure what's up.
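
Added example, not part of the original post and not vibe.d's own code: a small C model of the control flow quoted above, showing why the early return makes the validation-mode check unreachable, next to an ordering that consults the mode first. The function names and the `MODE_CHECK_TRUST` flag value are hypothetical stand-ins; the second function only illustrates the ordering and is not the project's actual fix.

```c
#include <stdbool.h>
#include <stdio.h>

/* Numeric values as defined in OpenSSL's <openssl/x509_vfy.h>. */
#define V_OK 0
#define V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20

/* Hypothetical stand-in for TLSPeerValidationMode.checkTrust (constructed value). */
#define MODE_CHECK_TRUST 0x1u

/* Control flow as quoted in the post: the early return fires before the
 * validation mode is ever consulted. */
static bool verify_as_quoted(int err, unsigned mode)
{
    if (err == V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
        return false;                      /* unconditional reject */

    switch (err) {
    case V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:  /* never reached */
        if (!(mode & MODE_CHECK_TRUST))
            err = V_OK;
        break;
    default:
        break;
    }
    return err == V_OK;
}

/* Mode-aware ordering: the issuer error is cleared only when the caller has
 * turned trust checking off; with checkTrust set it still rejects. */
static bool verify_mode_aware(int err, unsigned mode)
{
    if (err == V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY &&
        !(mode & MODE_CHECK_TRUST))
        err = V_OK;
    return err == V_OK;
}

int main(void)
{
    const unsigned modes[] = { 0u, MODE_CHECK_TRUST };
    for (int i = 0; i < 2; i++)
        printf("checkTrust=%u  as_quoted=%d  mode_aware=%d\n", modes[i],
               verify_as_quoted(V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, modes[i]),
               verify_mode_aware(V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, modes[i]));
    return 0;
}
```

With trust checking off, only the mode-aware ordering accepts error 20; with it on, both reject, so the reordering does not weaken validation for callers that requested it.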