curl-users

Re: Probs with client certificates

From: Georg Horn <horn_at_koblenz-net.de>
Date: Wed, 22 Oct 2003 18:37:06 +0200

On Sun, Oct 19, 2003 at 07:34:55PM +0200, Daniel Stenberg wrote:
> On Fri, 17 Oct 2003, Georg Horn wrote:

> > $ src/curl --cert /tmp/mgb2003.pem -k
> > https://www2.postbank-banking.de/xmlapi/OB
> > Enter PEM pass phrase:
> > curl: (56) SSL read: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> > alert unknown ca, errno 0
>
> Isn't this too identifying a bug? I mean, if we use -k we want to ignore the
> status of the server's certificate and this doesn't, right?

I'm not sure. Curl ignores the result of the certificate verification if -k
(and no -cacert) is given on the command line, but this server seems to really
interrupt the connection if the client doesn't (try to) verify the server's
certificate. I get the same result with openssl s_client:

    $ openssl s_client -cert mgb2003.pem \
        -connect www1.postbank-banking.de:443 -prexit
    [...]
    GET /xmlapi/OB
    depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    17675:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
    17675:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:989:
    [...]

If I verify the server's certificate, the server answers to my reply, even
if the verification didn't really succeed:

    $ openssl s_client -cert mgb2003.pem -CAfile ca-bundle-nurpost.crt \
        -connect www1.postbank-banking.de:443 -prexit
    Verify return code: 19 (self signed certificate in certificate chain)
    ---
    GET /xmlapi/OB
    depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    read R BLOCK
    <HTML><HEAD><TITLE>
    OpenBUHL Servlet R2.41.6.2 HTTP GET Request

I don't really understand how all this works, but it seems to be so...

So I think the only problem in curl is that -k is ignored if -cacert is
used.

> > - make curl able to continue with a warning even if certificate verification
> > fails, like "openssl s_client" does? (My tries with s_client didn't really
> > work, it always said "Verify return code: 19 (self signed certificate in
> > certificate chain)" and continued anyway, but now it says "Verify return
> > code: 0 (ok)")
>
> That would be cool and would indeed fit when -k is used. Do you think you can
> work on a patch doing this as you can repeat the situation nicely?

Yes, see the attached patch. It allows the user to use -k and -cacert
at the same time, and gives some more info about the certificate verification
if using -v. I hope I didn't break anything else, but it works here.

Bye,
Georg
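The two s_client runs above differ in who gave up: in the first the server sent a TLS alert (alert 48 is unknown_ca in RFC 5246), in the second only the client's local chain verification failed and the connection went on. The helper below, an added example that is not part of the post or of curl, reads an `openssl s_client -prexit` transcript and applies the "-k together with a CA bundle" semantics Georg asks for: a local verify error becomes a warning in insecure mode, but a peer-sent alert is reported as a rejection that no client-side flag can waive. The `probe_server` wrapper and the alert-name table are the example's own additions.

```sh
# classify_s_client INSECURE < transcript
#   INSECURE=1 emulates curl's -k (continue with a warning on a verify error),
#   INSECURE=0 emulates strict verification.
# Exit status: 0 usable connection, 1 verification failed (strict mode),
#              2 the peer aborted the handshake with a TLS alert.
classify_s_client() {
    insecure=$1
    transcript=$(cat)

    # "SSL alert number N" is the server's verdict on the client (e.g. it could
    # not validate our client certificate chain). Local flags cannot override it.
    alert=$(printf '%s\n' "$transcript" \
        | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$alert" ]; then
        case $alert in               # names from the RFC 5246 alert registry
            42) name=bad_certificate ;;
            45) name=certificate_expired ;;
            48) name=unknown_ca ;;
            *)  name=alert_$alert ;;
        esac
        echo "REJECTED: server sent alert $alert ($name); -k cannot help here"
        return 2
    fi

    # Local result: "Verify return code: N (text)". s_client prints it and
    # keeps the session open; 0 means the server chain verified.
    code=$(printf '%s\n' "$transcript" \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\) (\(.*\))$/\1|\2/p' \
        | head -n 1)
    if [ -z "$code" ]; then
        echo "FAILED: no verify result in transcript (handshake incomplete?)"
        return 1
    fi
    num=${code%%|*}
    text=${code#*|}
    if [ "$num" = 0 ]; then
        echo "OK: server certificate verified"
        return 0
    fi
    if [ "$insecure" = 1 ]; then
        echo "WARNING: verify error $num ($text); continuing (insecure mode)"
        return 0
    fi
    echo "FAILED: verify error $num ($text)"
    return 1
}

# Live use (needs network): probe_server HOST CLIENTCERT.pem CABUNDLE.crt INSECURE
probe_server() {
    printf 'GET / HTTP/1.0\r\n\r\n' \
      | openssl s_client -connect "$1:443" -cert "$2" -CAfile "$3" -prexit 2>&1 \
      | classify_s_client "$4"
}
```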

Received on 2003-10-22