TLS is broken on fresh installed Windows - failed to trigger lazy loads of the root CA certs from Microsoft #1146

Open
alexei-g-aloteq opened this issue Mar 1, 2024 · 1 comment
Labels
package:http type-bug Incorrect behavior (everything from a crash to more subtle misbehavior)

Comments

@alexei-g-aloteq

It seems to be a huge issue on Windows.
I've spent many hours on it and can reproduce it 100% of the time.

How to reproduce:

  1. Create an empty app with an HTTPS call using this package to the address https://anything.cloudfunctions.net (or virtually any other properly configured endpoint).
  2. Install a fresh Windows 10 or 11 (VM is fine, I've used a Qemu Proxmox hypervisor). I've used an official image from Microsoft for Windows 10 and 11 Home Edition. All updates are installed. Totally clean installation - no apps installed, no sites were opened.
  3. Build the test app for Windows.
  4. Run it on the test Windows machine.

Expected results:

  1. The call is successful.
  2. Inspect the User Certificates on Windows and see that the appropriate root CA certificate has appeared in the Trusted Root Certificate Authorities section, which means that the Windows root CA certificate lazy load works.

Real results:

  1. The call fails with error "Handshake error in client (OS Error: CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate(../../third_party/boringssl/src/ssl/handshake.cc:393))"
  2. Inspect the User Certificates on Windows and see that the appropriate root CA certificate has NOT appeared in the Trusted Root Certificate Authorities. It means that calls from this package do not trigger the Windows root CA certificate lazy load.

How to prove that this is the package's issue:

  1. Run "curl https://anything.cloudfunctions.net" in cmd.exe.
  2. Restart the test app because BoringSSL does not load root CA certificates until recreated.
  3. Check the Expected Results (above) and see that the call through the Windows native SDK works as expected, even for the same endpoint.

Please note that this is not about:

  1. Not about self-signed or non-valid certificate.
  2. Not about expired X1 root certificate (aka Letsencrypt).
  3. Not about intermediate connection issues.

I know about a hack with certificate pinning, but this is not an option since it solves the issue only for endpoints known at build time. This is obviously not an ultimate workaround.

There is an issue opened for almost a year: dart-lang/sdk#52266

I'd appreciate your attention to this critical issue, since we can clearly reproduce it in our projects.
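The "how to prove" procedure above, as an added diagnostic script that is not part of the issue author's report: it snapshots the Windows root stores, makes one native (SChannel) request with the built-in curl.exe, and lists any root certificates the lazy load installed, so a reader can confirm the store change without the certificate manager UI. It assumes PowerShell 5.1 or later on Windows 10/11 with curl.exe on PATH; the `CurrentUser\Root` store is the one the report names, and `LocalMachine\AuthRoot` is assumed to be where Windows' automatic root update also places downloaded roots.

```powershell
# Added diagnostic for the lazy-load behaviour described in this issue.
# Assumptions: Windows 10/11, PowerShell 5.1+, curl.exe available (built in since 1803).
param([string]$Url = 'https://anything.cloudfunctions.net')

# Stores to watch: CurrentUser\Root is what the report inspects; LocalMachine\AuthRoot
# is assumed to be the target of Windows' Automatic Root Certificates Update.
$stores = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\AuthRoot')

function Get-RootThumbprints {
    param([string]$StorePath)
    # Thumbprints are a stable key for diffing the store before/after the request.
    Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Thumbprint
}

# 1. Snapshot the stores before any native TLS call has been made.
$before = @{}
foreach ($s in $stores) { $before[$s] = @(Get-RootThumbprints $s) }

# 2. Step 1 of the report's proof: a native SChannel client triggers the lazy root download.
$null = & curl.exe --silent --show-error --output NUL $Url 2>&1
$curlExit = $LASTEXITCODE
"curl.exe exit code: $curlExit (0 means the native TLS handshake succeeded)"

# 3. Anything that is in a store now but was not before is what the lazy load installed.
$addedAny = $false
foreach ($s in $stores) {
    $added = Get-ChildItem -Path $s -ErrorAction SilentlyContinue |
        Where-Object { $before[$s] -notcontains $_.Thumbprint }
    if ($added) {
        $addedAny = $true
        "Root certificates added to ${s}:"
        $added | Format-Table Subject, NotAfter, Thumbprint -AutoSize
    }
}
if (-not $addedAny) {
    "No new root certificates in the watched stores: the root was already present or the lazy load did not fire."
}
```

Run it on the clean VM before starting the Dart test app; after the script reports an added root, restart the app (step 2 of the report) and the BoringSSL handshake should succeed against the same endpoint.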

@alexei-g-aloteq alexei-g-aloteq added package:http type-bug Incorrect behavior (everything from a crash to more subtle misbehavior) labels Mar 1, 2024

alexei-g-aloteq commented Mar 8, 2024

Does anyone use the http package on Windows at all?
