MbedTLS error on WSL

General Usage
1

Hello,
I run Julia on Win 11 within WSL2 (Debian), in general without issues so far. But recently I encountered the following issue with MbedTLS, when I attempt to create a SSLConfig.

MWE

# installing MbedTLS in a clean, temporary environment
using Pkg
Pkg.activate(; temp=true)
Pkg.add("MbedTLS")
using MbedTLS

# creating a SSLConfig
MbedTLS.SSLConfig(false)

Result

ERROR: MbedTLS error code 1: ERROR - Generic error
Stacktrace:
 [1] mbed_err(ret::Int32)
   @ MbedTLS ~/.julia/packages/MbedTLS/Vaaz8/src/error.jl:17
 [2] crt_parse!
   @ ~/.julia/packages/MbedTLS/Vaaz8/src/x509_crt.jl:32 [inlined]
 [3] crt_parse
   @ ~/.julia/packages/MbedTLS/Vaaz8/src/x509_crt.jl:42 [inlined]
 [4] ca_chain!
   @ ~/.julia/packages/MbedTLS/Vaaz8/src/ssl.jl:513 [inlined]
 [5] SSLConfig(verify::Bool; log_secrets::Nothing)
   @ MbedTLS ~/.julia/packages/MbedTLS/Vaaz8/src/MbedTLS.jl:150
 [6] SSLConfig(verify::Bool)
   @ MbedTLS ~/.julia/packages/MbedTLS/Vaaz8/src/MbedTLS.jl:132
 [7] top-level scope
   @ REPL[5]:1

I have the same issue with Julia 1.12.0 and 1.10.10.
On Win 11 I don’t have the issue also on a “real” (not WSL2) Debian system I can’t reproduce the issue.

Anyone having an idea how to solve the problem on WSL2 or faced a similar challenge before?

Thank you!
Stefan

2

I have no solution for you but maybe a pointer to a workaround.

First:

MbedTLS.SSLConfig(false)

works for me seemingly, on Linux Mint, so likely should too on Ubuntu and Debian, and all distros; also should on Windows (at least without any WSL).

You get something similar with?:

julia> MbedTLS.DEFAULT_CERT[]
"-----BEGIN CERTIFICATE-----\nMII..." ⋯ 217698 bytes ⋯ "...\n-----END CERTIFICATE-----\n"

I’m just ruling out the certificate buf string missing, I doubt it’s supposed to be secret I just shortened it in case (and it seems to come from this 200 KB file bundled with Julia, no wander small binaries can’t be made, that’s many times larger than the memory of my first computer!):

You’re ultimately calling:

function crt_parse!(chain, buf::String)
    ret = ccall((:mbedtls_x509_crt_parse, libmbedx509), Cint,
        (Ptr{Cvoid}, Ptr{UInt8}, Csize_t),
        chain.data, buf, sizeof(buf)+1)
    ret == 0 || mbed_err(ret)
    chain
end

[For me ok, since ret == 0, not sure why error/ret code for you exactly and you get an error.]

I don’t know why not working for you, but you should know Julia switched to OpenSSL, so you should try with that? I.e. with a package:

using OpenSSL

It doesn’t have SSLConfig so not exact same API, I think comparable functionality, not sure, but maybe ssl_set_options is a replacement there.

MbedTLS removed

It’s a large PR, but seemingly still just replacing, mostly using same API. But note I see in the PR stuff like:

if !(Sys.iswindows() || Sys.isapple())
    # On Windows and macOS we use system SSL/crypto libraries
    using OpenSSL_jll

and:

if Sys.iswindows()
    if arch(HostPlatform()) == "x86_64"
        const libcrypto = "libcrypto-3-x64.dll"
        const libssl = "libssl-3-x64.dll"
    else
        const libcrypto = "libcrypto-3.dll"
        const libssl = "libssl-3.dll"
    end
elseif Sys.isapple()
    const libcrypto = "@rpath/libcrypto.3.dylib"
    const libssl = "@rpath/libssl.3.dylib"
else

and this would bypass OpenSLL, on Windows, i.e. use system crypto, and overlook WSL (which might be a good thing, or not).

Is this only about WSL2? I.e. works on older WSL [version 1]? Probably MbedTLS (or OpenSSL) never worked there with WSL2 that uses a Linux kernel (WSL 1 is a Linux compatibility API without a Linux kernel), nor with original WSL? I can’t say for sure if OpenSSL will not work either.

Both packages should still work on Windows (without any WSL), OpenSSL is tested there too, and MbedTLS has support for (but not sure about on WSL, such tests might interfere, since if you’re on Windows, it may be presumed you’re not using WSL):

OpenSLL package also uses iswindows, then not conditional on version.

Note “WSL2 (Ubuntu LTS)” is only a tier 2 platform. That likely translates to later Ubuntu and also e.g. Debian, but doesn’t say much about (SSL or TLS, at least in) packages.

Note also there is (but not used by the OpenSSL package):

Sys.detectwsl()

Runtime predicate for testing if Julia is running inside
Windows Subsystem for Linux (WSL).

!!! note
Unlike Sys.iswindows, Sys.islinux etc., this is a runtime test, and thus
cannot meaningfully be used in @static if constructs.

!!! compat “Julia 1.12”
This function requires at least Julia 1.12.
“”"
function detectwsl()
# We use the same approach as canonical/snapd do to detect WSL
islinux() && (
isfile(“/proc/sys/fs/binfmt_misc/WSLInterop”)
|| isdir(“/run/WSL”)
)
end

For my curiosity can you look at that file; I assume you have it, and tell me what’s in it?

I assume this is to detect WSL 2 (likely also detects original WSL, though not sure; it’s not supported in any (other) way by Julia, nor any longer if I recall by Microsoft).

3

Thank you for the elaborate response, I will go through this on Monday.

BR Stefan

4

Hallo @Palli,

I checked MbedTLS.DEFAULT_CERT[], it returns the expected string.

I can’t check if this also happens on WSL (version 1), I only have WSL2 on my machine.

What I actually try to do is requesting some HTTP endpoints, with self-signed certificates, with HTTP.jl. However, I’m afraid I can only disable the certificate verification of HTTP.jl with the SSLConfig generated via MbedTLS so I can’t use OpenSSL.jl in this case.

Or would you know of any other way to achive that goal?

For now I’m falling back to the native Windows version.

Also, I don’t have a /proc/sys/fs/binfmt_misc/WSLInterop, but /proc/sys/fs/binfmt_misc/WSLInterop-late. It contains the following:

enabled
interpreter /init
flags: P
offset 0
magic 4d5a

However I have the directory /run/WSL/, so Sys.detectwsl() works.

BR Stefan

1 Like