Qriist created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1726



## Description of problem:
Note: I first became aware of this issue trying to solve a wolfSSL issue, and 
then I engaged with curl's devs to further diagnose the problem. I recommend 
reading them for full context.
https://github.com/wolfSSL/wolfssl/issues/9016
https://github.com/curl/curl/issues/17965

Somewhere between GnuTLS and libcurl there is an exception thrown when trying 
to access any URL on 
[https://collectionapi.metmuseum.org](https://collectionapi.metmuseum.org). The 
curl devs alerted me to a broken SSL certificate chain via 
https://www.ssllabs.com/ssltest/analyze.html?d=collectionapi.metmuseum.org&latest

Unfortunately, it is not yet clear to me which side of the equation, libcurl or 
GnuTLS, is actually throwing the error. 

However, the error does not occur on the curl dev's macOS machine so it's 
likely something Windows-specific.

## Version of gnutls used:
3.8.7

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Windows vcpkg

## How reproducible:
100%

Steps to Reproduce:

 * use vcpkg to build libcurl with gnutls flag enabled
 * initialize libcurl with the gnutls backend
 * point libcurl at https://collectionapi.metmuseum.org and run the transfer

## Actual results:
GnuTLS/libcurl immediately generates Windows exception 0xc0000fd 
(`STATUS_STACK_OVERFLOW`).

I do have captured debug information that may help: 
```
Host collectionapi.metmuseum.org:443 was resolved.
IPv6: (none)
IPv4: 45.60.77.20
  Trying 45.60.77.20:443...
GnuTLS priority: NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0
ALPN: curl offers h2,http/1.1
found 143 certificates in C:\Projects\LibQurl\bin\curl-ca-bundle.crt
```
Based on my testing against another website, the error happens right before 
libcurl would record (something similar to) 
`SSL connection using TLS1.3 / ECDHE_RSA_AES_256_GCM_SHA384`.

## Expected results:
not that



_______________________________________________
Gnutls-devel mailing list
Gnutls-devel@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-devel