curl-users

SSL problem

From: Hofer Tamás András <rrhta_at_freemail.hu>
Date: Fri, 06 Dec 2002 10:51:30 +0100

Hi,

I have a problem running curl in a limited boot disk environment. I am
not sure what the problem could be, I hope you can help me.

The software is curl-7.10.2, openssl-0.9.6g, zlib-1.1.4 compiled with
gcc 3.2. I have both a full Linux system and a boot disk system with the
same software.

In the boot disk environment I try to run:
curl -v -3 --key /usr/cl_1.key --cert /usr/cl_1.crt --cacert /usr/ca.crt -G -o - --connect-timeout 5 https://192.168.0.222:4724/restore/test2.bin >/dev/null

but I get:
---------------------------------------------------------
* About to connect() to 192.168.0.222:4724
* Connected to 192.168.0.222 (192.168.0.222) port 4724
* unable to set PEM certificate file rc=0 err=5
file: /usr/cl_1.crt
lib: (nil)
func: (nil)
reason: bad asn1 object header
* Closing connection #0
curl: (58) unable to set PEM certificate file rc=0 err=5
file: /usr/cl_1.crt
lib: (nil)
func: (nil)
reason: bad asn1 object header
---------------------------------------------------------

Note that I modified the cert_stuff function in lib/ssluse.c like this:
---------------------------------------------------------
     case SSL_FILETYPE_PEM:
       /* SSL_CTX_use_certificate_chain_file() only works on PEM files */
       if ((rc = SSL_CTX_use_certificate_chain_file(conn->ssl.ctx,
                                              cert_file)) != 1) {
         /* The failure is recorded on OpenSSL's error queue, which is read
          * with ERR_get_error(). SSL_get_error() only classifies the result
          * of an I/O call on an SSL handle and is not meaningful here (the
          * connection's handle may not even be created yet), so its return
          * value cannot be fed to the ERR_*_error_string() lookups. */
         unsigned long err = ERR_get_error();
         SSL_load_error_strings();
         failf(data, "unable to set PEM certificate file rc=%d err=%lu\n"
                     "file: %s\nlib: %s\nfunc: %s\nreason: %s\n",
               rc,
               err,
               cert_file,
               ERR_lib_error_string(err),
               ERR_func_error_string(err),
               ERR_reason_error_string(err));
         return 0;
       }
       break;
---------------------------------------------------------
so that it prints the OpenSSL errors as well. Also note that I am
not into OpenSSL, so it might be all wrong.

The same command works fine on the normal (i.e. not boot disk) system
with the same server.

I also tried to run openssl s_client from the boot disk like this:
echo "nothing" | openssl s_client -key /usr/cl_1.key -cert /usr/cl_1.crt -CAfile /usr/ca.crt -connect 192.168.0.222:4724

and it seems that there are no problems here:
---------------------------------------------------------
depth=1 /C=HU/ST=N/A/L=N/A/O=N/A/OU=N/A/CN=BackwireCA/Email=info_at_netservice.hu
verify return:1
depth=0 /C=HU/ST=N/A/L=N/A/O=N/A/OU=Backwire/CN=192.168.0.222/Email=info_at_netservice.hu
verify return:1
CONNECTED(00000003)

---
Certificate chain
  0 s:/C=HU/ST=N/A/L=N/A/O=N/A/OU=Backwire/CN=192.168.0.222/Email=info_at_netservice.hu
    i:/C=HU/ST=N/A/L=N/A/O=N/A/OU=N/A/CN=BackwireCA/Email=info_at_netservice.hu
  1 s:/C=HU/ST=N/A/L=N/A/O=N/A/OU=N/A/CN=BackwireCA/Email=info_at_netservice.hu
    i:/C=HU/ST=N/A/L=N/A/O=N/A/OU=N/A/CN=BackwireCA/Email=info_at_netservice.hu
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=HU/ST=N/A/L=N/A/O=N/A/OU=Backwire/CN=192.168.0.222/Email=info_at_netservice.hu
issuer=/C=HU/ST=N/A/L=N/A/O=N/A/OU=N/A/CN=BackwireCA/Email=info_at_netservice.hu
---
Acceptable client certificate CA names
/C=HU/ST=N/A/L=N/A/O=N/A/OU=N/A/CN=BackwireCA/Email=info_at_netservice.hu
---
SSL handshake has read 2088 bytes and written 2517 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
SSL-Session:
     Protocol  : SSLv3
     Cipher    : RC4-SHA
     Session-ID: 3210F8BE50755FE99D02F496DC13EF2FE94E7D6132DD75828FDB14D3F23EAD3F
Session-ID-ctx:
     Master-Key: 6A2A831161304E81601BA43D91DB2608664553A0B3360621C580E4342785C1B6924222F6B16279E04A978AF1D793D9C0
     Key-Arg   : None
     Start Time: 1039169306
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
---
DONE
---------------------------------------------------------
If I understand the OpenSSL documentation correctly, then "verify
return:1" is OK for the first verifies, and "Verify return code: 0 (ok)"
is OK for the last one.
Now I am stuck here, because as far as I understand OpenSSL should be
working, but curl returns an OpenSSL error. The same thing works in the
"normal" environment. I suppose I left out something from the boot disk,
but I cannot figure out what...
Can anyone help?
TIA,
Thomas Andrew Hofer.
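The failure reported above is what a PEM loader produces when the armor it unwraps does not yield a DER blob whose outer tag and length make sense. The following is an added example, not code from the original post, from curl, or from OpenSSL: a small Python checker that does that unwrapping by hand so the file can be inspected on a system without OpenSSL installed. It strips the BEGIN/END armor, decodes the base64, and parses the outer ASN.1 tag/length, reporting the usual reasons a certificate file is rejected (raw DER instead of PEM, truncated file, corrupt base64, length that does not cover the content). The function and constant names are the example's own, and SAMPLE_DER is a constructed placeholder SEQUENCE, not a real certificate.

```python
"""Inspect a PEM certificate file the way a PEM loader would and report why
its outer ASN.1 header could be rejected.  Added example for this thread;
not curl or OpenSSL code.  All sample inputs are constructed."""
import base64
import binascii
import re

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"
BLOCK_RE = re.compile(re.escape(BEGIN) + rb"(.*?)" + re.escape(END), re.S)


def der_outer_header(der):
    """Parse the outer tag/length of a DER blob.

    A certificate is a SEQUENCE, so the first byte must be 0x30 and the
    encoded length must cover exactly the rest of the blob.  Returns
    (length, header_size); raises ValueError with a diagnostic otherwise.
    """
    if len(der) < 2:
        raise ValueError("too short for a tag and a length")
    if der[0] != 0x30:
        raise ValueError("outer tag 0x%02x is not SEQUENCE (0x30)" % der[0])
    first = der[1]
    if first < 0x80:                       # short form: length in one byte
        length, hdr = first, 2
    else:                                  # long form: 0x8N then N bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length encoding")
        if len(der) < 2 + nbytes:
            raise ValueError("truncated length field")
        length = int.from_bytes(der[2:2 + nbytes], "big")
        hdr = 2 + nbytes
    if hdr + length != len(der):
        raise ValueError("SEQUENCE length %d does not match %d content bytes"
                         % (length, len(der) - hdr))
    return length, hdr


def inspect_pem(data):
    """Return {'certs': n, 'problems': [...]} for a candidate PEM file."""
    problems = []
    certs = 0
    if data[:1] == b"\x30":
        # A raw DER certificate also starts with the SEQUENCE tag.
        problems.append("starts with 0x30: DER-encoded, not PEM armored")
        return {"certs": certs, "problems": problems}
    if BEGIN in data and END not in data:
        problems.append("BEGIN line present but END line missing (truncated?)")
    if b"\r" in data:
        problems.append("carriage returns present (CRLF or Mac line endings)")
    for n, body in enumerate(BLOCK_RE.findall(data), 1):
        b64 = re.sub(rb"\s+", b"", body)   # armor body minus line breaks
        try:
            der = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError) as e:
            problems.append("block %d: base64 decode failed: %s" % (n, e))
            continue
        try:
            der_outer_header(der)
        except ValueError as e:
            problems.append("block %d: bad asn1 object header: %s" % (n, e))
            continue
        certs += 1
    if certs == 0 and not problems:
        problems.append("no BEGIN/END CERTIFICATE block found")
    return {"certs": certs, "problems": problems}


def make_pem(der):
    """Wrap DER bytes in PEM armor (64-character lines, LF endings)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([BEGIN] + lines + [END]) + b"\n"


# Constructed placeholder instead of a real certificate: DER SEQUENCE { INTEGER 5 }.
# Only the outer header is checked, so this stands in for a certificate
# without carrying any real key material.
SAMPLE_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    for label, blob in [
        ("well-formed PEM", make_pem(SAMPLE_DER)),
        ("raw DER file", SAMPLE_DER),
        ("trailing byte inside armor", make_pem(SAMPLE_DER + b"\x00")),
        ("missing END line", make_pem(SAMPLE_DER).split(END)[0]),
        ("corrupted base64", make_pem(SAMPLE_DER).replace(b"MAMC", b"MA*C")),
    ]:
        print(label, inspect_pem(blob))
```

To use it on a real file, read the file in binary mode and pass the bytes to inspect_pem(); running it against the same certificate on the working system and on the boot disk shows whether the two copies differ in framing or content. The checker only validates the outer SEQUENCE, not the X.509 structure inside it; a file that passes here but still fails to load points at the library or the environment rather than the file.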
Received on 2002-12-06