CurlTransportOptions CAInfo does not appear to work #4645

Status: Closed
nrgiii opened this issue May 21, 2023 · 5 comments
Labels: Azure.Core, Client, customer-reported, issue-addressed, question

Comments


nrgiii commented May 21, 2023

Describe the bug
Setting the CAInfo in TransportOptions does not appear to work. The CA file name is not passed to libcurl and the connection to Microsoft fails, raising this error:

Fail to get a new connection for: https://login.microsoftonline.com. SSL peer certificate or SSH remote key was not OK. Underlying error: unable to get local issuer certificate

To Reproduce
- Build libcurl with no default CA path. Use options --without-ca-path and --without-ca-bundle
- Set the CAInfo in the option like this. The connection will fail. (Is this the correct way to set the client options? If not please advise! I am not an expert C++ programmer.)

    KeyClientOptions clientOptions;
    Azure::Core::Http::CurlTransportOptions curlOptions;
    // set correct CA path for this machine here
    curlOptions.CAInfo = "/etc/pki/tls/certs/ca-bundle.crt";
    clientOptions.Transport.Transport
        = std::make_shared<Azure::Core::Http::CurlTransport>(curlOptions);
    KeyClient keyClient(keyVaultUrl, credential, clientOptions);
    auto keyWithType = keyClient.GetKey(keyName).Value; // <== exception raised here

Code Snippet
See above

Expected behavior
CA info should be passed to libcurl, but it is not.

With a debugger (gdb), I can see that in this code the option has not been set:

./sdk/core/azure-core/src/http/curl/curl.cpp

  if (!options.CAInfo.empty())
  {
    if (!SetLibcurlOption(m_handle, CURLOPT_CAINFO, options.CAInfo.c_str(), &result))
    {
      throw Azure::Core::Http::TransportException(
          _detail::DefaultFailedToGetNewConnectionTemplate + hostDisplayName
          + ". Failed to set CA cert file to:" + options.CAInfo + ". "
          + std::string(curl_easy_strerror(result)));
    }
  }

gdb>p options.CAInfo.empty()
true
gdb>

Setup (please complete the following information):

  • OS: Linux (CentOS)
  • IDE:
  • Version of the Library used: 1.4.0 (Core)

Additional context
Add any other context about the problem here.

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
@github-actions github-actions bot added Azure.Core Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-triage Workflow: This issue needs the team to triage. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels May 21, 2023

nrgiii commented May 23, 2023

Bump.
I would really appreciate it if someone can help me or comment on this problem. I'm really stuck here.
I need a way to set CAInfo in CurlOptions so that it gets used by curl.
Anyone? Bueller? Bueller? 8=)

antkmsft (Member) commented

Hi @nrgiii, I am sorry for the delay.

I think I have found what needs to be done.
When you set a breakpoint and get CAInfo being an empty string, it is not in the call stack you think it is.
See, KeyClient is a client with its own HTTP pipeline, but a credential is also technically a client with its separate HTTP pipeline, even though we don't normally think of credentials as clients.

So, you'd need to write

    KeyClientOptions clientOptions;

    Azure::Core::Http::CurlTransportOptions curlOptions;
    curlOptions.CAInfo = "/etc/pki/tls/certs/ca-bundle.crt";
    clientOptions.Transport.Transport = std::make_shared<Azure::Core::Http::CurlTransport>(curlOptions);

    // Also set the same options for the credential's pipeline
    Azure::Core::Credentials::TokenCredentialOptions credentialOptions;
    credentialOptions.Transport.Transport = std::make_shared<Azure::Core::Http::CurlTransport>(curlOptions);
    auto credential = std::make_shared<...>(credentialOptions);

    KeyClient keyClient(keyVaultUrl, credential, clientOptions);
    auto keyWithType = keyClient.GetKey(keyName).Value;

You can share the same transport implementation instance between the two pipelines:

    ...
    auto curlTransport = std::make_shared<Azure::Core::Http::CurlTransport>(curlOptions);
    clientOptions.Transport.Transport = curlTransport;
    ...
    credentialOptions.Transport.Transport = curlTransport;
    ...

Please let me know if it helped.

BTW, based on this doc, you may need to convert .crt certificate into a .pem.
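
As an added example (not code from this issue or from the Azure SDK), the following self-contained C++ helper inspects the file you intend to assign to CurlTransportOptions::CAInfo before any pipeline is built: libcurl expects CURLOPT_CAINFO to point at a PEM bundle, so a DER-encoded .crt is reported as needing conversion, and the number of PEM certificate blocks is counted. The struct and function names are assumptions of this example.

```cpp
#include <fstream>
#include <iterator>
#include <string>

// Result of inspecting a candidate CA bundle for CURLOPT_CAINFO (names are this example's own).
struct CaBundleCheck {
  bool looksLikeDer = false;  // binary DER: libcurl's CAINFO will not accept it, convert to PEM first
  int certificateCount = 0;   // number of complete "-----BEGIN/END CERTIFICATE-----" blocks found
  bool usable() const { return !looksLikeDer && certificateCount > 0; }
};

// Inspect the raw bytes of a bundle. A PEM bundle carries one or more armored CERTIFICATE blocks;
// a DER-encoded .crt starts with the ASN.1 SEQUENCE tag 0x30 and contains no PEM armor at all.
CaBundleCheck inspectCaBundle(const std::string& contents) {
  CaBundleCheck check;
  const std::string begin = "-----BEGIN CERTIFICATE-----";
  const std::string end = "-----END CERTIFICATE-----";
  if (!contents.empty() && static_cast<unsigned char>(contents[0]) == 0x30
      && contents.find(begin) == std::string::npos) {
    check.looksLikeDer = true;
    return check;
  }
  std::size_t pos = 0;
  while ((pos = contents.find(begin, pos)) != std::string::npos) {
    std::size_t endPos = contents.find(end, pos + begin.size());
    if (endPos == std::string::npos) break;  // truncated block: do not count it
    ++check.certificateCount;
    pos = endPos + end.size();
  }
  return check;
}

// Convenience wrapper for a path such as "/etc/pki/tls/certs/ca-bundle.crt".
// An unreadable file yields a check that is not usable, so the caller can fail early
// instead of discovering the problem as a TransportException deep inside a pipeline.
CaBundleCheck inspectCaBundleFile(const std::string& path) {
  std::ifstream in(path, std::ios::binary);
  if (!in) return CaBundleCheck{};
  std::string contents((std::istreambuf_iterator<char>(in)), std::istreambuf_iterator<char>());
  return inspectCaBundle(contents);
}
```

Run inspectCaBundleFile on the bundle path once at startup and refuse to construct the clients when usable() is false; this does not replace setting the transport on every pipeline (client and credential), it only rules out a bad bundle file as the cause.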

@RickWinter RickWinter added issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. and removed needs-team-triage Workflow: This issue needs the team to triage. labels Jul 14, 2023
github-actions bot commented

Hi @nrgiii. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

github-actions bot commented

Hi @nrgiii, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.


nrgiii commented Jul 25, 2023

Hi @antkmsft , thanks for the code.
Once I also set the options in CryptographyClientOptions it worked as expected.
This issue can remain closed.

@github-actions github-actions bot locked and limited conversation to collaborators Oct 23, 2023