[gnutls-devel] GnuTLS | Trying to access a certain subdomain results in a stack overflow. (#1726)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Sat Jul 19 15:38:24 CEST 2025
Qriist created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1726
## Description of problem:
Note: I first became aware of this issue trying to solve a WolfSSL issue, and then I engaged with curl's devs to further diagnose the problem. I recommend reading them for full context.
https://github.com/wolfSSL/wolfssl/issues/9016
https://github.com/curl/curl/issues/17965
Somewhere between GnuTLS and libcurl there is an exception thrown when trying to access any URL on [https://collectionapi.metmuseum.org](https://collectionapi.metmuseum.org). The curl devs alerted me to a broken SSL certificate chain via https://www.ssllabs.com/ssltest/analyze.html?d=collectionapi.metmuseum.org&latest
Unfortunately, it is not yet clear to me which side of the equation, libcurl or GnuTLS, is actually throwing the error.
However, the error does not occur on the curl dev's macOS machine so it's likely something Windows-specific.
## Version of gnutls used:
3.8.7
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Windows vcpkg
## How reproducible:
100%
Steps to Reproduce:
* use vcpkg to build libcurl with gnutls flag enabled
* initialize libcurl with the gnutls backend
* point libcurl at https://collectionapi.metmuseum.org and run the transfer
## Actual results:
GnuTLS/libcurl immediately generates Windows exception 0xc0000fd (`STATUS_STACK_OVERFLOW`).
I do have captured debug information that may help:
```
Host collectionapi.metmuseum.org:443 was resolved.
IPv6: (none)
IPv4: 45.60.77.20
Trying 45.60.77.20:443...
GnuTLS priority: NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0
ALPN: curl offers h2,http/1.1
found 143 certificates in C:\Projects\LibQurl\bin\curl-ca-bundle.crt
```
Based on my testing against another website, the error happens right before libcurl would record (something similar to) `SSL connection using TLS1.3 / ECDHE_RSA_AES_256_GCM_SHA384`.
## Expected results:
not that