TlsInitializationFailed thrown on http request

Hello Zig community,

I am currently in the process of learning Zig, a language that I have come to love. However, I have encountered a roadblock in the form of a TlsInitializationFailed error. I’ve provided a sample code snippet below that reproduces this error.

At the moment, I am using zig 0.12.0-dev.167+dd6a9caea on WSL2, which is running Ubuntu. I suspect that Zig uses openssl under the hood, and this could potentially be the cause of the error. My current openssl version is 3.0.2-0ubuntu1.10.

Thank you for any assistance or insights you can provide.

const std = @import("std");

const http = std.http;
const allocator = std.heap.page_allocator;
const log = std.debug.print;

pub fn main() !void {
    var client: http.Client = .{ .allocator = allocator };
    defer client.deinit();

    var request = try client.request(http.Method.GET, try std.Uri.parse("https://pacstall.dev/api/packages/1password-cli-bin"), .{ .allocator = allocator }, .{}); // <<-- fails here
    defer request.deinit();
    try request.start();
    try request.wait();
    log("response {}\n", .{request.response.status});
}

Here’s the stacktrace:

error: TlsInitializationFailed
/home/saenai/Library/zig-linux-x86_64-0.12.0/lib/std/crypto/tls.zig:200:9: 0x3b248e in toError (main)
        return switch (alert) {
        ^
/home/saenai/Library/zig-linux-x86_64-0.12.0/lib/std/crypto/tls/Client.zig:255:17: 0x38da47 in init__anon_10436 (main)
                try desc.toError();
                ^
/home/saenai/Library/zig-linux-x86_64-0.12.0/lib/std/http/Client.zig:912:103: 0x2cadde in connectUnproxied (main)
            conn.data.tls_client.* = std.crypto.tls.Client.init(stream, client.ca_bundle, host) catch return error.TlsInitializationFailed;
                                                                                                      ^
/home/saenai/Library/zig-linux-x86_64-0.12.0/lib/std/http/Client.zig:947:9: 0x291af6 in connect (main)
        return client.connectUnproxied(host, port, protocol);
        ^
/home/saenai/Library/zig-linux-x86_64-0.12.0/lib/std/http/Client.zig:1012:44: 0x28b0ba in request (main)
    const conn = options.connection orelse try client.connect(host, port, protocol);
                                           ^
/home/saenai/Code/zig-app/src/main.zig:11:19: 0x28a519 in main (main)
    var request = try client.request(http.Method.GET, try std.Uri.parse("https://pacstall.dev/api/packages/1password-cli-bin"), .{ .allocator = allocator }, .{});

Edit:
I’ve tested other URIs like https://jsonplaceholder.typicode.com/todos/1, and they work. But I’m still unsure why it’s not working for pacstall.dev, as the domain certificate is valid. Any help is appreciated.

I understand Zig’s current TLS implementation only supports TLS 1.3.

You can ascertain that there is a difference between the two URLs like this:

$ curl -v https://jsonplaceholder.typicode.com/todos/1 2>&1 | egrep 'SSL connection using TLS'
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256

$ curl -v https://pacstall.dev/api/packages/1password-cli-bin 2>&1 | egrep 'SSL connection using TLS'
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
3 Likes
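The check from the reply above, wrapped as a reusable script (an added example, not part of the original posts). The function names are hypothetical, the two sample lines are the curl output quoted in the reply, and the live probe assumes a curl build with TLS 1.3 support.

```bash
#!/usr/bin/env bash
# Decide from `curl -v` output whether a TLS 1.3-only client can complete a
# handshake with a server. Function names are illustrative.

# Sample handshake lines, copied from the curl output quoted in the thread.
SAMPLE_TLS13='* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256'
SAMPLE_TLS12='* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384'

# Read `curl -v` output on stdin and print the negotiated protocol version,
# e.g. "TLSv1.3". Returns 1 and prints nothing if no handshake line is present.
negotiated_tls() {
    sed -n 's/^\* SSL connection using \(TLSv[0-9.]*\).*/\1/p' | head -n 1 | grep .
}

# Classify the handshake seen on stdin for a client that only speaks TLS 1.3.
# Exit status: 0 = compatible, 1 = server settled on an older version,
# 2 = no handshake line found (connection failed or output format differs).
classify() {
    _version=$(negotiated_tls) || { echo "unknown"; return 2; }
    case "$_version" in
        TLSv1.3) echo "ok"; return 0 ;;
        *)       echo "tls13-only-client-fails ($_version)"; return 1 ;;
    esac
}

# Live probe (needs network): make TLS 1.3 the minimum version curl will
# accept. A server limited to TLS 1.2 makes curl exit non-zero, which
# reproduces the handshake failure without involving Zig at all.
probe_tls13() {
    curl -sS -o /dev/null --tlsv1.3 "$1"
}

# With URLs as arguments, probe each one; without arguments do nothing,
# so the file can also be sourced for its functions.
if [ "$#" -gt 0 ]; then
    for url in "$@"; do
        if probe_tls13 "$url" 2>/dev/null; then
            echo "$url: TLS 1.3 handshake succeeded"
        else
            echo "$url: TLS 1.3 handshake failed"
        fi
    done
fi
```

Piping `curl -v <url> 2>&1` into `classify` gives the same answer as the `egrep` in the reply, with an exit status that can be used in scripts.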