net/http: TLS handshake timeout using bao cli #1469
The cause was that the OpenBao CLI codebase looked into the system CA cert pool, which took longer than 10 sec. Also, VAULT_CACERT was provided.
Thank you both for looking into this. I have filed a bug report on this matter: Based on my investigation, api\rootcerts.go (within the OpenBao codebase) exposes a variable that is set to false by default and looks into the system CA cert even when VAULT_CACERT was provided.
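The trust-root ordering the two replies above point at, as an added Go example (not OpenBao's code and not taken from api\rootcerts.go): an explicit CA file is used on its own, and the system store is only read when no CA file was given. The names `rootPool` and `constructedCA` are hypothetical, and the CA is throwaway sample data generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// rootPool picks client trust roots (hypothetical helper). caFile is a PEM path such as
// the value of VAULT_CACERT; loadSystem is injected so the OS store read can be skipped.
func rootPool(caFile string, loadSystem func() (*x509.CertPool, error)) (*x509.CertPool, error) {
	if caFile == "" {
		return loadSystem() // nothing supplied: fall back to the OS store
	}
	data, err := os.ReadFile(caFile)
	if err != nil {
		return nil, fmt.Errorf("read CA file: %w", err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) {
		return nil, fmt.Errorf("no certificate found in %s", caFile)
	}
	return pool, nil // explicit CA given: the OS store is never opened
}

// constructedCA returns a throwaway self-signed CA in PEM form (constructed sample data).
func constructedCA() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	_, err := rootPool(os.Getenv("VAULT_CACERT"), x509.SystemCertPool)
	fmt.Println("trust roots loaded, err =", err)
}
```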
Appreciate if you can let me know the status on this. Thanks.
Hello,
I have an OpenBao v2.2.2 TLS-enabled server on Windows:

I'm connecting to it via the bao CLI:

Enabled Wireshark (the bao CLI did not send out ChangeCipherSpec, and after 10 secs the client drops out, which is probably why I see the timeout)

On the same Windows box, I switched from the bao to the vault executable:

Started up a vault TLS-enabled server and had no problem connecting to it from the Vault CLI.
Wireshark seems to show the expected traffic:
What could be the cause of this difference? localhost is mapped to IPv6. Is there a bug in OpenBao on that front? Appreciate any help.
Thanks.