[Webkit-unassigned] [Bug 259767] New: [cURL] Unable to access https:// websites on fresh Windows installations
bugzilla-daemon at webkit.org
Thu Aug 3 01:20:56 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=259767
Bug ID: 259767
Summary: [cURL] Unable to access https:// websites on fresh
Windows installations
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Platform
Assignee: webkit-unassigned at lists.webkit.org
Reporter: max at schmitt.mx
We have identified an issue with our WebKit that prevents it from accessing websites on a fresh Windows installation. This issue can be reproduced as follows:
1. Create a new Windows Server 2022 VM or Windows 11
2. Run MiniBrowser.exe
3. Navigate to https://playwright.dev
Expected Result: It works
Actual Result: Server Trust Evaluation Request: Unable to get local issuer certificate
Interestingly, if you run `curl https://playwright.dev` between steps 2 and 3, it works. This indicates that running cURL modifies the system in a way that allows our libcurl-based WebKit to function correctly.
Investigation revealed that our WebKit is using the Windows certificate manager for SSL (schannel). However, normal cURL on Windows (non-Windows-shipped build) uses OpenSSL. If you use this build with the CURL_SSL_BACKEND=schannel env var, it behaves the same as the Windows-shipped cURL build. Based on that, we know that this is something in cURL (and not special Microsoft build magic) or in how they talk to the schannel API.
The root certificates are not installed when the machine is fresh. However, when curl is invoked, it seems to add the certificate lazily, thus making it available for subsequent connections (like MiniBrowser.exe).
To see the root certificates on Windows, open 'certlm.exe' -> 'Trusted Root Certification Authorities' -> 'Certificates' and find 'ISRG Root X1' there. Delete it to reproduce the issue over and over again. Run MiniBrowser.exe to see the error, and curl so that the certificate gets added.
Questions for further investigation:
- What specific steps does cURL take that enable it to function properly on a fresh Windows installation?
- Why does curl.exe behave differently to our libcurl instruction?
I found https://github.com/curl/curl/blob/d135d040df5b276df5736688eba88d150b0d8a57/lib/vtls/schannel_verify.c#L182C15-L182C47 which looks related.
Downstream issue: https://github.com/microsoft/playwright/issues/24512
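The report above observes that running curl.exe changes the machine's trusted root store. The following PowerShell diagnostic is an added example, not part of the bug report or of WebKit or curl: it snapshots the root stores, runs the report's curl step, and lists exactly which certificates appeared. The function names and the choice of stores are assumptions made for illustration.

```powershell
# Added diagnostic example (hypothetical helper names, not WebKit/curl code).
# Snapshot the trusted root stores as Store + Thumbprint + Subject records.
function Get-RootSnapshot {
    param(
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
            }
        }
    }
}

# Return the entries in $After that were not in $Before (keyed by store and thumbprint).
function Compare-RootSnapshot {
    param([object[]]$Before, [object[]]$After)
    $known = @{}
    foreach ($c in $Before) { $known["$($c.Store)|$($c.Thumbprint)"] = $true }
    $After | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") }
}

# 1. State before: is the root named in the report already trusted?
$before = @(Get-RootSnapshot)
$isrg   = @($before | Where-Object { $_.Subject -like '*ISRG Root X1*' })
Write-Host "ISRG Root X1 present before curl: $($isrg.Count -gt 0)"

# 2. The report's workaround step: run curl.exe against the failing site.
& curl.exe --silent --output NUL https://playwright.dev
Write-Host "curl.exe exit code: $LASTEXITCODE"

# 3. State after: list every root that was added while curl ran.
$after = @(Get-RootSnapshot)
$added = @(Compare-RootSnapshot -Before $before -After $after)
if ($added.Count -eq 0) {
    Write-Host 'No roots were added.'
} else {
    $added | Format-Table Store, Thumbprint, Subject, NotAfter -AutoSize
}
```

Running it once after deleting 'ISRG Root X1' and once with MiniBrowser.exe in place of the curl step shows which of the two actually causes the store to change.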