Add additional stub functions for newer curl builds #118

Draft

brian-pane wants to merge 1 commit into rustls:main from brian-pane:ubuntu25-curl

Conversation

@brian-pane

No description provided.

@brian-pane
Author

This is a work in progress; I'm posting it now to get some feedback on whether my approach makes sense.

While testing on Ubuntu-25.10 for aarch64, I found that the included curl build (8.14.1) depended on some symbols not yet implemented in rustls-openssl-compat. This PR tries to add stubs for them.

With this patch, curl is able to load the libssl.so, but SSL_connect fails when trying to verify the server's cert because "X509_STORE has no cached certificates." I need to debug that part further.

@djc djc requested a review from ctz February 12, 2026 12:08
@djc
Member

djc commented Feb 12, 2026

Thanks for working on this!

> With this patch, curl is able to load the libssl.so, but SSL_connect fails when trying to verify the server's cert because "X509_STORE has no cached certificates." I need to debug that part further.

Going to keep this PR as draft while this is in progress.

@djc djc marked this pull request as draft February 12, 2026 12:09
@brian-pane
Author

Here's what I've found by tracing through the curl and OpenSSL code:

  1. Curl calls SSL_CTX_get_cert_store (provided by rustls-openssl-compat) to get the initialized X509_STORE.

  2. Depending on compilation options, curl then calls X509_STORE_load_file(store, ssl_cafile) or X509_STORE_load_locations(store, ssl_cafile, ssl_capath). Either way, we end up in the libcrypto function X509_STORE_add_lookup, which registers a callback in the X509_STORE.

  3. Later, after rustls begins the handshake and receives the ServerHello, we reach the rustls-openssl-compat function ServerVerifier::verify_server_cert_inner, which calls OwnedX509Store::to_root_store. This calls the libcrypto function X509_STORE_get1_all_certs to retrieve the certs from the X509_STORE, which returns an empty list.

@djc any recommendations? Should I try to extend OwnedX509Store::to_root_store to invoke the callbacks registered by X509_STORE_add_lookup?

@ctz
Member

ctz commented Feb 13, 2026

Unfortunately I think this is another instance of #17

@brian-pane
Author

#17 notes a range of options, from using libcrypto's verifier to sticking with the rustls verifier and fetching updates from the X509_STORE struct on each use (which in this case would mean either calling the registered callbacks from rustls-openssl-compat directly or calling libcrypto's one API function that invokes the callbacks internally, ossl_x509_store_ctx_get_by_subject).

Have you decided on which option to pursue; and if so, would it make sense for me to try to start implementing that approach in this PR? If not, is it better for me to shelve this for now?
