curl-users

Using SSL with Client Certs : empty reply from server

From: Manuel Reyes <Manuel.Reyes_at_e-mis.com>
Date: Wed, 27 Jul 2005 17:45:38 +0100

Hello list,

I am attempting to use curl to connect to an SSL site that requires a
client certificate. When I send the request, I get the following
response:

-------------------
curl: (52) Empty reply from server
-------------------

Whereas I am expecting to see the raw HTML of the page I am requesting.

I am attempting to make this connection using the following command
line:

-------------------
Curl --url https://myserver.com
-------------------

The server in question has the following certificate chain:

Root
-Sub
--Server Cert

This server also requires me to submit a client certificate.

All 4 certificates have been added to the curl-ca-bundle.crt file that
exists in the same directory as the curl executable and libcurl.dll.
The certificate information I have added is as follows:

-----BEGIN CERTIFICATE-----
XXX here be cert data XXX
-----END CERTIFICATE-----

Obviously I have added 4 of these for each of the certificates required.

If I remove the root certificate from the bundle, the curl command
detailed above gives me the following response:

-------------------
curl: (60) SSL certificate problem, verify that the CA cert is OK.
Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default bundle
is named curl-ca-bundle.crt; you can specify an alternate file using the
--cacert option. If this HTTPS server uses a certificate signed by a CA
represented in the bundle, the certificate verification probably failed
due to a problem with the certificate (it might be expired, or the name
might not match the domain name in the URL). If you'd like to turn off
curl's verification of the certificate, use the -k (or --insecure)
option.
-------------------

If I use a browser to navigate to the server in question, I am
challenged for a client certificate to use (in the menu I select the
same client certificate I mentioned earlier). After this challenge the
site pages are displayed as normal.

Can anybody tell me where I am obviously going wrong here?
Received on 2005-07-27