swift static sdk: SSL certificate problem: unable to get local issuer certificate #5157

Open
toffaletti opened this issue Jan 19, 2025 · 3 comments · May be fixed by #5159


toffaletti commented Jan 19, 2025

swift static sdk is unable to use SSL.

root@56a5c7b80758:/code# swift sdk list
swswift-6.0.3-RELEASE_static-linux-0.0.1
root@56a5c7b80758:/code# swift --version
Swift version 6.0.3 (swift-6.0.3-RELEASE)
Target: x86_64-unknown-linux-gnu
root@56a5c7b80758:/code# cat Sources/main.swift
import Foundation
#if canImport(FoundationNetworking)
import FoundationNetworking
// work around for https://github.com/swiftlang/swift-corelibs-foundation/issues/4644
_ = URLSession.shared
#endif

do {
        guard CommandLine.argc > 1 else {
                print("pass a url argument")
                exit(1)
        }

        let arg = CommandLine.arguments[1]

        let u = URL(string: arg)?.scheme == nil
                        ? URL(filePath: arg).standardizedFileURL : URL(string: arg)!
        let d = try Data(contentsOf: u)
        print("loaded \(d.count) bytes from \(u.absoluteString)")
} catch {
        print("Error: \(error.localizedDescription)")
}

When built with static sdk http works, but https does not:
export URLSessionDebugLibcurl=true set for debug output.

root@56a5c7b80758:/code# swift build --swift-sdk x86_64-swift-linux-musl

Building for debugging...
clang: warning: argument unused during compilation: '-pie' [-Wunused-command-line-argument]
[8/8] Linking swift-contents-of
Build complete! (4.15s)
root@56a5c7b80758:/code#
root@56a5c7b80758:/code# .build/debug/swift-contents-of http://www.example.com/
2025-01-19 08:34:45.067 swift-contents-of[1768:ff7eeb38] [1]                   Host www.example.com:80 was resolved.␊
2025-01-19 08:34:45.073 swift-contents-of[1768:ff7eeb38] [1]                   IPv6: 2600:1408:5400:22::b819:7f92, 2600:1408:5400:22::b819:7f8a␊
2025-01-19 08:34:45.073 swift-contents-of[1768:ff7eeb38] [1]                   IPv4: 23.205.106.181, 23.205.106.185␊
2025-01-19 08:34:45.076 swift-contents-of[1768:ff7eeb38] [1]                     Trying 23.205.106.181:80...␊
2025-01-19 08:34:45.279 swift-contents-of[1768:ff7eeb38] [1]                     Trying [2600:1408:5400:22::b819:7f92]:80...␊
2025-01-19 08:34:45.280 swift-contents-of[1768:ff7eeb38] [1]                   Immediate connect fail for 2600:1408:5400:22::b819:7f92: Network unreachable␊
2025-01-19 08:34:45.281 swift-contents-of[1768:ff7eeb38] [1]                     Trying [2600:1408:5400:22::b819:7f8a]:80...␊
2025-01-19 08:34:45.282 swift-contents-of[1768:ff7eeb38] [1]                   Immediate connect fail for 2600:1408:5400:22::b819:7f8a: Network unreachable␊
2025-01-19 08:34:45.443 swift-contents-of[1768:ff7eeb38] [1]                   Connected to www.example.com (23.205.106.181) port 80␊
2025-01-19 08:34:45.448 swift-contents-of[1768:ff7eeb38] [1] => Send header    GET / HTTP/1.1␍␊Host: www.example.com␍␊Accept: */*␍␊Accept-Encoding: deflate, gzip␍␊Connection: keep-alive␍␊User-Agent: swift-contents-of (unknown version) curl/8.7.0␍␊Accept-Language: en␍␊␍␊
2025-01-19 08:34:45.450 swift-contents-of[1768:ff7eeb38] [1]                   Request completely sent off␊
2025-01-19 08:34:45.855 swift-contents-of[1768:ff7eeb38] [1] <= Recv header    HTTP/1.1 200 OK␍␊
2025-01-19 08:34:45.857 swift-contents-of[1768:ff7eeb38] [1] <= Recv header    Accept-Ranges: bytes␍␊
2025-01-19 08:34:45.858 swift-contents-of[1768:ff7eeb38] [1] <= Recv header    Content-Type: text/html␍␊
2025-01-19 08:34:45.858 swift-contents-of[1768:ff7eeb38] [1] <= Recv header    ETag: "84238dfc8092e5d9c0dac8ef93371a07:1736799080.121134"␍␊
2025-01-19 08:34:45.858 swift-contents-of[1768:ff7eeb38] [1] <= Recv header    Last-Modified: Mon, 13 Jan 2025 20:11:20 GMT␍␊
2025-01-19 08:34:45.858 swift-contents-of[1768:ff7eeb38] [1] <= Recv header    Vary: Accept-Encoding␍␊
2025-01-19 08:34:45.859 swift-contents-of[1768:ff7eeb38] [1] <= Recv header    Content-Encoding: gzip␍␊
2025-01-19 08:34:45.859 swift-contents-of[1768:ff7eeb38] [1] <= Recv header    Content-Length: 648␍␊
2025-01-19 08:34:45.859 swift-contents-of[1768:ff7eeb38] [1] <= Recv header    Cache-Control: max-age=2591␍␊
2025-01-19 08:34:45.859 swift-contents-of[1768:ff7eeb38] [1] <= Recv header    Date: Sun, 19 Jan 2025 08:34:45 GMT␍␊
2025-01-19 08:34:45.859 swift-contents-of[1768:ff7eeb38] [1] <= Recv header    Connection: keep-alive␍␊
2025-01-19 08:34:45.859 swift-contents-of[1768:ff7eeb38] [1] <= Recv header    ␍␊
2025-01-19 08:34:45.865 swift-contents-of[1768:ff7eeb38] [1] <= Recv data
2025-01-19 08:34:45.867 swift-contents-of[1768:ff7eeb38] [1]                   Connection #0 to host www.example.com left intact␊
loaded 1256 bytes from http://www.example.com/

failing https:

root@56a5c7b80758:/code# .build/debug/swift-contents-of https://www.example.com/
2025-01-19 08:34:49.201 swift-contents-of[1774:ff7eeb38] [1]                   Host www.example.com:443 was resolved.␊
2025-01-19 08:34:49.206 swift-contents-of[1774:ff7eeb38] [1]                   IPv6: 2600:1408:5400:22::b819:7f92, 2600:1408:5400:22::b819:7f8a␊
2025-01-19 08:34:49.206 swift-contents-of[1774:ff7eeb38] [1]                   IPv4: 23.205.106.181, 23.205.106.185␊
2025-01-19 08:34:49.208 swift-contents-of[1774:ff7eeb38] [1]                     Trying 23.205.106.181:443...␊
2025-01-19 08:34:49.408 swift-contents-of[1774:ff7eeb38] [1]                     Trying [2600:1408:5400:22::b819:7f92]:443...␊
2025-01-19 08:34:49.409 swift-contents-of[1774:ff7eeb38] [1]                   Immediate connect fail for 2600:1408:5400:22::b819:7f92: Network unreachable␊
2025-01-19 08:34:49.411 swift-contents-of[1774:ff7eeb38] [1]                     Trying [2600:1408:5400:22::b819:7f8a]:443...␊
2025-01-19 08:34:49.411 swift-contents-of[1774:ff7eeb38] [1]                   Immediate connect fail for 2600:1408:5400:22::b819:7f8a: Network unreachable␊
2025-01-19 08:34:49.597 swift-contents-of[1774:ff7eeb38] [1]                   Connected to www.example.com (23.205.106.181) port 443␊
2025-01-19 08:34:49.606 swift-contents-of[1774:ff7eeb38] [1]                   ALPN: curl offers http/1.1␊
2025-01-19 08:34:49.620 swift-contents-of[1774:ff7eeb38] [1] => Send SSL data  ␖␃␁␂␀
2025-01-19 08:34:49.620 swift-contents-of[1774:ff7eeb38] [1]                   TLSv1.2 (OUT), TLS handshake, Client hello (1):␊
2025-01-19 08:34:49.622 swift-contents-of[1774:ff7eeb38] [1] => Send SSL data
2025-01-19 08:34:50.011 swift-contents-of[1774:ff7eeb38] [1] <= Recv SSL data  ␖␃␃␀z
2025-01-19 08:34:50.011 swift-contents-of[1774:ff7eeb38] [1]                   TLSv1.2 (IN), TLS handshake, Server hello (2):␊
2025-01-19 08:34:50.011 swift-contents-of[1774:ff7eeb38] [1] <= Recv SSL data
2025-01-19 08:34:50.011 swift-contents-of[1774:ff7eeb38] [1] => Send SSL data  ␔␃␃␀␁
2025-01-19 08:34:50.011 swift-contents-of[1774:ff7eeb38] [1]                   TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):␊
2025-01-19 08:34:50.011 swift-contents-of[1774:ff7eeb38] [1] => Send SSL data  ␁
2025-01-19 08:34:50.013 swift-contents-of[1774:ff7eeb38] [1] <= Recv SSL data  ␔␃␃␀␁
2025-01-19 08:34:50.013 swift-contents-of[1774:ff7eeb38] [1] <= Recv SSL data  ␗␃␃␀4
2025-01-19 08:34:50.014 swift-contents-of[1774:ff7eeb38] [1]                   TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):␊
2025-01-19 08:34:50.014 swift-contents-of[1774:ff7eeb38] [1] <= Recv SSL data  ␈␀␀␟␀␝␀␀␀␀␀␊␀␆␀␄␀␗␀␝␀␐␀␋␀␉␈http/1.1
2025-01-19 08:34:50.014 swift-contents-of[1774:ff7eeb38] [1] <= Recv SSL data  ␗␃␃␉?
2025-01-19 08:34:50.015 swift-contents-of[1774:ff7eeb38] [1]                   TLSv1.3 (IN), TLS handshake, Certificate (11):␊
2025-01-19 08:34:50.015 swift-contents-of[1774:ff7eeb38] [1] <= Recv SSL data
2025-01-19 08:34:50.018 swift-contents-of[1774:ff7eeb38] [1] <= Recv SSL data  ␗␃␃␀a
2025-01-19 08:34:50.018 swift-contents-of[1774:ff7eeb38] [1]                   TLSv1.3 (IN), TLS handshake, CERT verify (15):␊
2025-01-19 08:34:50.018 swift-contents-of[1774:ff7eeb38] [1] <= Recv SSL data
2025-01-19 08:34:50.020 swift-contents-of[1774:ff7eeb38] [1] => Send SSL data  ␗␃␃␀␓
2025-01-19 08:34:50.020 swift-contents-of[1774:ff7eeb38] [1]                   TLSv1.3 (OUT), TLS alert, unknown CA (560):␊
2025-01-19 08:34:50.020 swift-contents-of[1774:ff7eeb38] [1] => Send SSL data  ␂0
2025-01-19 08:34:50.020 swift-contents-of[1774:ff7eeb38] [1]                   SSL certificate problem: unable to get local issuer certificate␊
2025-01-19 08:34:50.021 swift-contents-of[1774:ff7eeb38] [1]                   Closing connection␊
Error: The operation could not be completed. (NSCocoaErrorDomain error 256.)

Without static sdk, https works fine:

root@56a5c7b80758:/code# swift build
Building for debugging...
[8/8] Linking swift-contents-of
Build complete! (6.83s)
root@56a5c7b80758:/code# .build/debug/swift-contents-of https://www.example.com/
2025-01-19 08:37:42.919 swift-contents-of[1989:fa2eb6c0] [1]                   Host www.example.com:443 was resolved.␊
2025-01-19 08:37:42.923 swift-contents-of[1989:fa2eb6c0] [1]                   IPv6: 2600:1408:5400:22::b819:7f8a, 2600:1408:5400:22::b819:7f92␊
2025-01-19 08:37:42.924 swift-contents-of[1989:fa2eb6c0] [1]                   IPv4: 23.205.106.185, 23.205.106.181␊
2025-01-19 08:37:42.926 swift-contents-of[1989:fa2eb6c0] [1]                     Trying 23.205.106.185:443...␊
2025-01-19 08:37:43.130 swift-contents-of[1989:fa2eb6c0] [1]                     Trying [2600:1408:5400:22::b819:7f8a]:443...␊
2025-01-19 08:37:43.133 swift-contents-of[1989:fa2eb6c0] [1]                   Immediate connect fail for 2600:1408:5400:22::b819:7f8a: Network is unreachable␊
2025-01-19 08:37:43.134 swift-contents-of[1989:fa2eb6c0] [1]                     Trying [2600:1408:5400:22::b819:7f92]:443...␊
2025-01-19 08:37:43.134 swift-contents-of[1989:fa2eb6c0] [1]                   Immediate connect fail for 2600:1408:5400:22::b819:7f92: Network is unreachable␊
2025-01-19 08:37:43.299 swift-contents-of[1989:fa2eb6c0] [1]                   Connected to www.example.com (23.205.106.185) port 443␊
2025-01-19 08:37:43.337 swift-contents-of[1989:fa2eb6c0] [1]                   ALPN: curl offers h2,http/1.1␊
2025-01-19 08:37:43.348 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data  ␖␃␁␂␀
2025-01-19 08:37:43.348 swift-contents-of[1989:fa2eb6c0] [1]                   TLSv1.3 (OUT), TLS handshake, Client hello (1):␊
2025-01-19 08:37:43.349 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data
2025-01-19 08:37:43.384 swift-contents-of[1989:fa2eb6c0] [1]                    CAfile: /etc/ssl/certs/ca-certificates.crt␊
2025-01-19 08:37:43.384 swift-contents-of[1989:fa2eb6c0] [1]                    CApath: /etc/ssl/certs␊
2025-01-19 08:37:43.751 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␖␃␃␀z
2025-01-19 08:37:43.752 swift-contents-of[1989:fa2eb6c0] [1]                   TLSv1.3 (IN), TLS handshake, Server hello (2):␊
2025-01-19 08:37:43.752 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data
2025-01-19 08:37:43.756 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␔␃␃␀␁
2025-01-19 08:37:43.756 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␗␃␃␀.
2025-01-19 08:37:43.757 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␖
2025-01-19 08:37:43.757 swift-contents-of[1989:fa2eb6c0] [1]                   TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):␊
2025-01-19 08:37:43.757 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␈␀␀␙␀␗␀␀␀␀␀␊␀␆␀␄␀␗␀␝␀␐␀␅␀␃␂h2
2025-01-19 08:37:43.757 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␗␃␃␉?
2025-01-19 08:37:43.758 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␖
2025-01-19 08:37:43.758 swift-contents-of[1989:fa2eb6c0] [1]                   TLSv1.3 (IN), TLS handshake, Certificate (11):␊
2025-01-19 08:37:43.758 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data
2025-01-19 08:37:43.765 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␗␃␃␀a
2025-01-19 08:37:43.765 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␖
2025-01-19 08:37:43.765 swift-contents-of[1989:fa2eb6c0] [1]                   TLSv1.3 (IN), TLS handshake, CERT verify (15):␊
2025-01-19 08:37:43.765 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data
2025-01-19 08:37:43.767 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␗␃␃␀E
2025-01-19 08:37:43.767 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␖
2025-01-19 08:37:43.767 swift-contents-of[1989:fa2eb6c0] [1]                   TLSv1.3 (IN), TLS handshake, Finished (20):␊
2025-01-19 08:37:43.767 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data
2025-01-19 08:37:43.768 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data  ␔␃␃␀␁
2025-01-19 08:37:43.768 swift-contents-of[1989:fa2eb6c0] [1]                   TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):␊
2025-01-19 08:37:43.768 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data  ␁
2025-01-19 08:37:43.768 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data  ␗␃␃␀E
2025-01-19 08:37:43.768 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data  ␖
2025-01-19 08:37:43.768 swift-contents-of[1989:fa2eb6c0] [1]                   TLSv1.3 (OUT), TLS handshake, Finished (20):␊
2025-01-19 08:37:43.768 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data
2025-01-19 08:37:43.769 swift-contents-of[1989:fa2eb6c0] [1]                   SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / id-ecPublicKey␊
2025-01-19 08:37:43.769 swift-contents-of[1989:fa2eb6c0] [1]                   ALPN: server accepted h2␊
2025-01-19 08:37:43.769 swift-contents-of[1989:fa2eb6c0] [1]                   Server certificate:␊
2025-01-19 08:37:43.770 swift-contents-of[1989:fa2eb6c0] [1]                    subject: C=US; ST=California; L=Los Angeles; O=Internet Corporation for Assigned Names and Numbers; CN=*.example.com␊
2025-01-19 08:37:43.770 swift-contents-of[1989:fa2eb6c0] [1]                    start date: Jan 15 00:00:00 2025 GMT␊
2025-01-19 08:37:43.770 swift-contents-of[1989:fa2eb6c0] [1]                    expire date: Jan 15 23:59:59 2026 GMT␊
2025-01-19 08:37:43.770 swift-contents-of[1989:fa2eb6c0] [1]                    subjectAltName: host "www.example.com" matched cert's "*.example.com"␊
2025-01-19 08:37:43.770 swift-contents-of[1989:fa2eb6c0] [1]                    issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1␊
2025-01-19 08:37:43.770 swift-contents-of[1989:fa2eb6c0] [1]                    SSL certificate verify ok.␊
2025-01-19 08:37:43.770 swift-contents-of[1989:fa2eb6c0] [1]                     Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384␊
2025-01-19 08:37:43.770 swift-contents-of[1989:fa2eb6c0] [1]                     Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384␊
2025-01-19 08:37:43.770 swift-contents-of[1989:fa2eb6c0] [1]                     Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384␊
2025-01-19 08:37:43.773 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data  ␗␃␃␀Q
2025-01-19 08:37:43.773 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data  ␗
2025-01-19 08:37:43.773 swift-contents-of[1989:fa2eb6c0] [1]                   using HTTP/2␊
2025-01-19 08:37:43.774 swift-contents-of[1989:fa2eb6c0] [1]                   [HTTP/2] [1] OPENED stream for https://www.example.com/␊
2025-01-19 08:37:43.774 swift-contents-of[1989:fa2eb6c0] [1]                   [HTTP/2] [1] [:method: GET]␊
2025-01-19 08:37:43.774 swift-contents-of[1989:fa2eb6c0] [1]                   [HTTP/2] [1] [:scheme: https]␊
2025-01-19 08:37:43.774 swift-contents-of[1989:fa2eb6c0] [1]                   [HTTP/2] [1] [:authority: www.example.com]␊
2025-01-19 08:37:43.774 swift-contents-of[1989:fa2eb6c0] [1]                   [HTTP/2] [1] [:path: /]␊
2025-01-19 08:37:43.774 swift-contents-of[1989:fa2eb6c0] [1]                   [HTTP/2] [1] [accept: */*]␊
2025-01-19 08:37:43.774 swift-contents-of[1989:fa2eb6c0] [1]                   [HTTP/2] [1] [accept-encoding: deflate, gzip, br, zstd]␊
2025-01-19 08:37:43.774 swift-contents-of[1989:fa2eb6c0] [1]                   [HTTP/2] [1] [user-agent: swift-contents-of (unknown version) curl/8.5.0]␊
2025-01-19 08:37:43.774 swift-contents-of[1989:fa2eb6c0] [1]                   [HTTP/2] [1] [accept-language: en]␊
2025-01-19 08:37:43.775 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data  ␗␃␃␀l
2025-01-19 08:37:43.775 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data  ␗
2025-01-19 08:37:43.775 swift-contents-of[1989:fa2eb6c0] [1] => Send header    GET / HTTP/2␍␊Host: www.example.com␍␊Accept: */*␍␊Accept-Encoding: deflate, gzip, br, zstd␍␊Connection: keep-alive␍␊User-Agent: swift-contents-of (unknown version) curl/8.5.0␍␊Accept-Language: en␍␊␍␊
2025-01-19 08:37:44.158 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␗␃␃␁␚
2025-01-19 08:37:44.158 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␖
2025-01-19 08:37:44.158 swift-contents-of[1989:fa2eb6c0] [1]                   TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):␊
2025-01-19 08:37:44.158 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data
2025-01-19 08:37:44.160 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␗␃␃␁␚
2025-01-19 08:37:44.160 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␖
2025-01-19 08:37:44.160 swift-contents-of[1989:fa2eb6c0] [1]                   TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):␊
2025-01-19 08:37:44.160 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data
2025-01-19 08:37:44.160 swift-contents-of[1989:fa2eb6c0] [1]                   old SSL session ID is stale, removing␊
2025-01-19 08:37:44.160 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␗␃␃␀8
2025-01-19 08:37:44.160 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␗
2025-01-19 08:37:44.161 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␗␃␃␀␚
2025-01-19 08:37:44.161 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␗
2025-01-19 08:37:44.161 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␗␃␃␁␊
2025-01-19 08:37:44.161 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␗
2025-01-19 08:37:44.162 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data
2025-01-19 08:37:44.162 swift-contents-of[1989:fa2eb6c0] [1] <= Recv SSL data  ␗
2025-01-19 08:37:44.162 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data  ␗␃␃␀␚
2025-01-19 08:37:44.162 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data  ␗
2025-01-19 08:37:44.163 swift-contents-of[1989:fa2eb6c0] [1] <= Recv header    HTTP/2 200 ␍␊
2025-01-19 08:37:44.165 swift-contents-of[1989:fa2eb6c0] [1] <= Recv header    accept-ranges: bytes␍␊
2025-01-19 08:37:44.166 swift-contents-of[1989:fa2eb6c0] [1] <= Recv header    content-type: text/html␍␊
2025-01-19 08:37:44.166 swift-contents-of[1989:fa2eb6c0] [1] <= Recv header    etag: "84238dfc8092e5d9c0dac8ef93371a07:1736799080.121134"␍␊
2025-01-19 08:37:44.166 swift-contents-of[1989:fa2eb6c0] [1] <= Recv header    last-modified: Mon, 13 Jan 2025 20:11:20 GMT␍␊
2025-01-19 08:37:44.166 swift-contents-of[1989:fa2eb6c0] [1] <= Recv header    vary: Accept-Encoding␍␊
2025-01-19 08:37:44.167 swift-contents-of[1989:fa2eb6c0] [1] <= Recv header    content-encoding: gzip␍␊
2025-01-19 08:37:44.167 swift-contents-of[1989:fa2eb6c0] [1] <= Recv header    content-length: 648␍␊
2025-01-19 08:37:44.167 swift-contents-of[1989:fa2eb6c0] [1] <= Recv header    cache-control: max-age=2292␍␊
2025-01-19 08:37:44.167 swift-contents-of[1989:fa2eb6c0] [1] <= Recv header    date: Sun, 19 Jan 2025 08:37:44 GMT␍␊
2025-01-19 08:37:44.167 swift-contents-of[1989:fa2eb6c0] [1] <= Recv header    alt-svc: h3=":443"; ma=93600,h3-29=":443"; ma=93600,h3-Q050=":443"; ma=93600,quic=":443"; ma=93600; v="46,43"␍␊
2025-01-19 08:37:44.171 swift-contents-of[1989:fa2eb6c0] [1] <= Recv header    ␍␊
2025-01-19 08:37:44.171 swift-contents-of[1989:fa2eb6c0] [1] <= Recv data
2025-01-19 08:37:44.174 swift-contents-of[1989:fa2eb6c0] [1]                   Connection #0 to host www.example.com left intact␊
loaded 1256 bytes from https://www.example.com/

When using non-static libcurl, I see TLSv1.3 is selected immediately:

2025-01-19 08:37:43.299 swift-contents-of[1989:fa2eb6c0] [1]                   Connected to www.example.com (23.205.106.185) port 443␊
2025-01-19 08:37:43.337 swift-contents-of[1989:fa2eb6c0] [1]                   ALPN: curl offers h2,http/1.1␊
2025-01-19 08:37:43.348 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data  ␖␃␁␂␀
2025-01-19 08:37:43.348 swift-contents-of[1989:fa2eb6c0] [1]                   TLSv1.3 (OUT), TLS handshake, Client hello (1):␊
2025-01-19 08:37:43.349 swift-contents-of[1989:fa2eb6c0] [1] => Send SSL data
2025-01-19 08:37:43.384 swift-contents-of[1989:fa2eb6c0] [1]                    CAfile: /etc/ssl/certs/ca-certificates.crt␊
2025-01-19 08:37:43.384 swift-contents-of[1989:fa2eb6c0] [1]                    CApath: /etc/ssl/certs␊

When using static libcurl, it uses TLSv1.2 and doesn't offer h2:

2025-01-19 08:34:49.597 swift-contents-of[1774:ff7eeb38] [1]                   Connected to www.example.com (23.205.106.181) port 443␊
2025-01-19 08:34:49.606 swift-contents-of[1774:ff7eeb38] [1]                   ALPN: curl offers http/1.1␊
2025-01-19 08:34:49.620 swift-contents-of[1774:ff7eeb38] [1] => Send SSL data  ␖␃␁␂␀
2025-01-19 08:34:49.620 swift-contents-of[1774:ff7eeb38] [1]                   TLSv1.2 (OUT), TLS handshake, Client hello (1):␊
2025-01-19 08:34:49.622 swift-contents-of[1774:ff7eeb38] [1] => Send SSL data
2025-01-19 08:34:50.011 swift-contents-of[1774:ff7eeb38] [1] <= Recv SSL data  ␖␃␃␀z
2025-01-19 08:34:50.011 swift-contents-of[1774:ff7eeb38] [1]                   TLSv1.2 (IN), TLS handshake, Server hello (2):␊
@toffaletti
Contributor Author

I also filed #5158 which has me suspicious we might be building the wrong version of foundation.

@toffaletti
Contributor Author

(lldb) p CFURLSessionInfoCAINFO
(const CFURLSessionInfo)  (value = 0)
(lldb) p CFURLSessionInfoCERTINFO
(const CFURLSessionInfo)  (value = 4194338)

#if NS_CURL_CURLINFO_CAINFO_SUPPORTED
CFURLSessionInfo const CFURLSessionInfoCAINFO = { CURLINFO_CAINFO };
#else
CFURLSessionInfo const CFURLSessionInfoCAINFO = { CURLINFO_NONE };
#endif

// 7.84.0 or later
#if LIBCURL_VERSION_MAJOR > 7 || (LIBCURL_VERSION_MAJOR == 7 && LIBCURL_VERSION_MINOR > 84) || (LIBCURL_VERSION_MAJOR == 7 && LIBCURL_VERSION_MINOR == 84 && LIBCURL_VERSION_PATCH >= 0)
#define NS_CURL_CURLINFO_CAINFO_SUPPORTED 1
#else
#define NS_CURL_CURLINFO_CAINFO_SUPPORTED 0
#endif

❯ strings .build/debug/swift-contents-of | grep -i '8.7.0-DEV'
libcurl/8.7.0-DEV
8.7.0-DEV
CLIENT libcurl 8.7.0-DEV
CLIENT libcurl 8.7.0-DEV
CLIENT libcurl 8.7.0-DEV
hmm....
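
An added example, not part of the original issue or of swift-corelibs-foundation: the C below re-evaluates the version gate quoted in the comment above for a given libcurl header version and decodes the two values lldb printed. The function names are hypothetical; the CURLINFO type tags and the `CURLINFO_CAINFO` index are taken from libcurl's public `curl/curl.h`.

```c
#include <stdio.h>

/* CURLINFO encoding from libcurl's curl/curl.h: high bits are the
   value type, low bits are the option index. */
#define INFO_STRING   0x100000
#define INFO_SLIST    0x400000   /* CURLINFO_PTR shares this tag */
#define INFO_MASK     0x0fffff
#define INFO_TYPEMASK 0xf00000
#define INFO_CAINFO   (INFO_STRING + 61)  /* CURLINFO_CAINFO */

/* Same condition as the NS_CURL_CURLINFO_CAINFO_SUPPORTED gate quoted
   in the issue, as a function so any header version can be tested. */
int cainfo_supported(int major, int minor, int patch) {
    return major > 7 ||
           (major == 7 && minor > 84) ||
           (major == 7 && minor == 84 && patch >= 0);
}

/* What CFURLSessionInfoCAINFO is initialised to when the gate is
   evaluated against headers of the given version:
   CURLINFO_CAINFO if supported, CURLINFO_NONE (0) otherwise. */
int expected_cainfo_value(int major, int minor, int patch) {
    return cainfo_supported(major, minor, patch) ? INFO_CAINFO : 0;
}

/* Split a raw CURLINFO value, as printed by lldb, into type and index. */
int info_type_tag(int value) { return value & INFO_TYPEMASK; }
int info_index(int value)    { return value & INFO_MASK; }

/* 1 if the value seen in the binary is what the gate would produce
   for headers of the given libcurl version, 0 if it is not. */
int matches_headers(int observed, int major, int minor, int patch) {
    return observed == expected_cainfo_value(major, minor, patch);
}

int main(void) {
    /* Values from the lldb session in the issue. */
    int observed_cainfo = 0;
    int observed_certinfo = 4194338;

    printf("CERTINFO: type tag 0x%x, index %d\n",
           (unsigned)info_type_tag(observed_certinfo),
           info_index(observed_certinfo));

    /* 8.7.0 is the version string found in the static binary. */
    printf("gate for 8.7.0 headers: supported=%d, expected value=%d\n",
           cainfo_supported(8, 7, 0), expected_cainfo_value(8, 7, 0));
    printf("observed CAINFO value %d matches 8.7.0 headers: %s\n",
           observed_cainfo,
           matches_headers(observed_cainfo, 8, 7, 0) ? "yes" : "no");

    /* Constructed comparison: a pre-7.84.0 header version. */
    printf("observed CAINFO value %d matches 7.83.1 headers: %s\n",
           observed_cainfo,
           matches_headers(observed_cainfo, 7, 83, 1) ? "yes" : "no");
    return 0;
}
```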

@toffaletti
Contributor Author

OK, I have a theory: #5159
