curl-users

Re: Probs with client certificates

From: Georg Horn <horn_at_koblenz-net.de>
Date: Thu, 16 Oct 2003 10:21:13 +0200

Hi,

On Thu, Oct 16, 2003 at 08:57:25AM +0200, Daniel Stenberg wrote:
> On Wed, 15 Oct 2003, Georg Horn wrote:
>
> I'm far from an expert on this, but I'll give it a shot.

Thanks for listening. ;-)

> > $ curl-7.10.7/src/curl -debug -v --cert mgb2003.pem --cacert \
> > postbank-komplett.pem -k https://www2.postbank-banking.de/xmlapi/OB
>
> You should --cacert OR -k, as they kind of defeat each other's purposes. But I
> believe -k is ignored in this case.

Ok, that sounds logical, so let's start with the simplest case:

    $ curl-7.10.7/src/curl -v https://www2.postbank-banking.de/xmlapi/OB
    * About to connect() to www2.postbank-banking.de:443
    * Connected to www2.postbank-banking.de (62.180.72.66) port 443
    * error setting certificate verify locations
    * Closing connection #0
    curl: (60) error setting certificate verify locations

Adding -k tells us that a certificate is required:

    $ curl-7.10.7/src/curl -v -k https://www2.postbank-banking.de/xmlapi/OB
    * About to connect() to www2.postbank-banking.de:443
    * Connected to www2.postbank-banking.de (62.180.72.66) port 443
    * SSL connection using DHE-RSA-AES256-SHA
    * Server certificate:
    * subject: /C=DE/ST=NRW/L=Bonn/O=Deutsche Postbank AG/OU=Postbank Electronic Banking/OU=Terms of use at www.verisign.com/rpa (c)00/CN=www2.postbank-banking.de
    * start date: 2003-01-16 00:00:00 GMT
    * expire date: 2004-01-16 23:59:59 GMT
    * common name: www2.postbank-banking.de (matched)
    * issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
    > GET /xmlapi/OB HTTP/1.1
    User-Agent: curl/7.10.7 (i686-pc-linux-gnu) libcurl/7.10.7 OpenSSL/0.9.7c zlib/1.1.4
    Host: www2.postbank-banking.de
    Pragma: no-cache
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

    < HTTP/1.1 401 Authorization Required
    < Date: Thu, 16 Oct 2003 08:01:55 GMT
    < Server: Apache/1.3.27 (Unix) mod_ssl/2.8.14 OpenSSL/0.9.7b mod_jk
    * Authentication problem. Ignoring this.
    < WWW-Authenticate: Basic realm="Requires valid Client-Certificate"
    [...]

And adding the cert gives me an ssl-error:

    $ curl-7.10.7/src/curl -v -k --cert mgb2003.pem https://www2.postbank-banking.de/xmlapi/OB
    * About to connect() to www2.postbank-banking.de:443
    * Connected to www2.postbank-banking.de (62.180.72.66) port 443
    Enter PEM pass phrase:
    * SSL connection using DHE-RSA-AES256-SHA
    * Server certificate:
    * subject: /C=DE/ST=NRW/L=Bonn/O=Deutsche Postbank AG/OU=Postbank Electronic Banking/OU=Terms of use at www.verisign.com/rpa (c)00/CN=www2.postbank-banking.de
    * start date: 2003-01-16 00:00:00 GMT
    * expire date: 2004-01-16 23:59:59 GMT
    * common name: www2.postbank-banking.de (matched)
    * issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
    > GET /xmlapi/OB HTTP/1.1
    User-Agent: curl/7.10.7 (i686-pc-linux-gnu) libcurl/7.10.7 OpenSSL/0.9.7c zlib/1.1.4
    Host: www2.postbank-banking.de
    Pragma: no-cache
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

    * SSL read error: 1
    * Connection #0 left intact
    curl: (56) SSL read error: 1
    * Closing connection #0

I think here we have a problem/bug?

And adding --cacert instead of -k again results in:

    $ curl-7.10.7/src/curl -v --cacert postbank-komplett.pem --cert mgb2003.pem https://www2.postbank-banking.de/xmlapi/OB
    * About to connect() to www2.postbank-banking.de:443
    * Connected to www2.postbank-banking.de (62.180.72.66) port 443
    Enter PEM pass phrase:
    * SSL certificate problem, verify that the CA cert is OK
    * Closing connection #0
    curl: (60) SSL certificate problem, verify that the CA cert is OK

> This looks as if your CA cert isn't good enough, but perhaps the error
> message is misleading/wrong.

I think the CA cert should be good, as it works with "openssl s_client".
See the logfile that I attached to my previous post. That log was generated
with:

    $ openssl s_client -connect www2.postbank-banking.de:443 -prexit -cert mgb2003.pem -CAfile postbank-komplett.pem

> I believe your client cert needs to be your certificate and key concatenated,

It is.

Bye,
Georg
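
The exchange above turns on what the files handed to --cert and --cacert actually contain: a client bundle is expected to hold the certificate and its private key concatenated, an encrypted key is what produces the "Enter PEM pass phrase:" prompt, and a CA file should hold only certificates. The script below is an added example, not code from this thread or from the curl project: it inspects a PEM file offline, counts the certificate and key blocks, flags encrypted keys, and checks that each unencrypted body decodes to a DER SEQUENCE of the declared length. The sample bundles it ships with are constructed, with tiny DER placeholder bodies rather than real certificates, so it runs without network access or an openssl binary.

```python
"""PEM bundle inspector: report what a --cert / --cacert file contains.

Added example (not from the curl project or the mailing list). The PEM samples
at the bottom are constructed; their bodies are a minimal DER placeholder
(SEQUENCE { INTEGER 1 }), not real certificates or keys.
"""
import base64
import binascii
import re
import sys
from typing import Dict, List

# One PEM block: label, optional RFC 1421 headers, base64 body, matching END line.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def _der_ok(raw: bytes) -> bool:
    """True if raw is a single DER SEQUENCE whose declared length fills the buffer."""
    if len(raw) < 2 or raw[0] != 0x30:
        return False
    first = raw[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or len(raw) < 2 + n:
            return False
        length, hdr = int.from_bytes(raw[2:2 + n], "big"), 2 + n
    return hdr + length == len(raw)


def parse_pem(text: str) -> List[Dict[str, object]]:
    """Split text into PEM blocks; each entry records label, encryption and DER sanity.

    der_ok is None for encrypted legacy keys, whose body is ciphertext, not DER.
    """
    blocks = []
    for m in _PEM_RE.finditer(text):
        label = m.group("label")
        lines = m.group("body").splitlines()
        headers = []
        while lines and ":" in lines[0]:          # base64 never contains ':'
            headers.append(lines.pop(0).strip())
        while lines and not lines[0].strip():     # blank line ends the header section
            lines.pop(0)
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.upper().startswith("PROC-TYPE:") and "ENCRYPTED" in h.upper() for h in headers)
        if encrypted:
            der_ok = None
        else:
            try:
                der_ok = _der_ok(base64.b64decode("".join(lines), validate=True))
            except binascii.Error:
                der_ok = False
        blocks.append({"label": label, "headers": headers,
                       "encrypted": encrypted, "der_ok": der_ok})
    return blocks


def report(text: str) -> Dict[str, object]:
    """Summarise a PEM file the way a --cert / --cacert troubleshooter needs it."""
    blocks = parse_pem(text)
    certs = [b for b in blocks if b["label"] in CERT_LABELS]
    keys = [b for b in blocks if b["label"] in KEY_LABELS]
    if certs and keys:
        kind = "client-bundle"          # certificate + key concatenated, usable for --cert
    elif certs:
        kind = "certificates-only"      # a CA file, or a --cert file missing its key
    elif keys:
        kind = "key-only"
    else:
        kind = "no-pem-blocks"
    return {
        "kind": kind,
        "certificates": len(certs),
        "private_keys": len(keys),
        "encrypted_keys": sum(1 for b in keys if b["encrypted"]),   # passphrase prompt expected
        "malformed": [b["label"] for b in blocks if b["der_ok"] is False],
    }


# Constructed samples. _DER_STUB is base64 of 30 03 02 01 01, a placeholder body.
_DER_STUB = "MAMCAQE="
SAMPLE_CLIENT_BUNDLE = f"""-----BEGIN CERTIFICATE-----
{_DER_STUB}
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

{_DER_STUB}
-----END RSA PRIVATE KEY-----
"""
SAMPLE_CA_ONLY = f"-----BEGIN CERTIFICATE-----\n{_DER_STUB}\n-----END CERTIFICATE-----\n" * 2
SAMPLE_CERT_ONLY = f"-----BEGIN CERTIFICATE-----\n{_DER_STUB}\n-----END CERTIFICATE-----\n"
SAMPLE_BROKEN = "-----BEGIN CERTIFICATE-----\nAgEB\n-----END CERTIFICATE-----\n"  # not a SEQUENCE

if __name__ == "__main__":
    # With file arguments, inspect real files; otherwise show the constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="ascii", errors="replace") as fh:
                print(path, report(fh.read()))
    else:
        for name in ("SAMPLE_CLIENT_BUNDLE", "SAMPLE_CA_ONLY", "SAMPLE_CERT_ONLY", "SAMPLE_BROKEN"):
            print(name, report(globals()[name]))
```

Run it against the two files from the command line (`python pem_inspect.py mgb2003.pem postbank-komplett.pem`, filenames as in the post) and compare: the --cert file should come back as a client-bundle, with encrypted_keys equal to 1 if a passphrase prompt is expected, and the --cacert file as certificates-only with an empty malformed list. The DER check is deliberately shallow (outer SEQUENCE and length only); it catches truncated or mis-pasted blocks, not a certificate that is well-formed but issued by the wrong CA, which is what a verification tool such as openssl verify is for.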

Received on 2003-10-16