curl-users

Re: How to tell curl to send my public cert in the handshake?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 29 Jul 2009 11:28:43 +0200 (CEST)

On Tue, 28 Jul 2009, Curt Bogmine wrote:

> 1. Client sends "client hello" along with a random value and the cipher
> suites that the client supports.
> 2. Server responds with a "Server hello", along with its random value.
> 3. Server sends its cert to the client and optionally requests a public cert
> back from the client.
> 4. Client sends its public cert to the server....

That's not exactly correct. With SSL, the server will always send its
certificate and the client can then verify that using the CA cert bundle. The
client however, may opt to send a client cert to authenticate with the server
(and the server may deny access if you don't provide the correct cert).

But there's no particular "public cert" from a client. You just have the
client cert, which then really is a cert and a private key as both must be
used.

> curl -v "https://123.456.78.90" -F file=@SomeBigFile.txt
>
> The error is: curl: (35) error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad certificate

Odd error, but presumably this is because the handshake wants a client cert to
be provided.

> The receiving party tells me they are expecting me to send them my public
> cert (step 4, above) and it appears curl ain't sending it. This is
> understandable, I guess, since nowhere am I telling curl to send the public
> cert, nor where the public cert is located. The question is:
>
> a) how can I tell curl where my public cert file is stored, and
> b) how can I tell curl to send it?
>
> Note - I don't think the --cert/-E option applies here, because I'm
> concerned with sending my PUBLIC cert and the documentation describes the
> --cert/-E option as relating to the PRIVATE cert.

And herein lies the confusion. There is no "public cert" for you as a client
to send.

> Here's an excerpt from the documentation: "Note that this option assumes a
> "certificate" file that is the private key and the private certificate
> concatenated!" I do have a private key, which I would expect to need when I
> get as far as actually encrypting the payload, but I don't think I'm even
> getting that far.

There's only one SSL handshake. You need to provide the client cert and key to
that in order for the handshake to complete if the server requires a client
cert.

Given all this, I really think you want to use the client cert options to
provide a cert and private key to the SSL handshake!

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2009-07-29
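The situation Daniel describes, reproduced end to end as an added example (it is not part of the original mail and not curl's or OpenSSL's own code): a throwaway CA signs a server certificate and a client certificate, `openssl s_server -Verify` stands up a TLS server that refuses any client without a certificate, and curl is pointed at it three times: with no client certificate, with `--cert` plus `--key`, and with the concatenated cert+key PEM file that the manual excerpt quoted above describes. It assumes `openssl` and `curl` are on PATH and that a local TCP port (`DEMO_PORT`, default 44330) is free; the port number, the file names and the subject names are all arbitrary choices for the demo.

```shell
#!/bin/sh
# Added demo (not from the original mail, not curl's own code): a TLS server that
# REQUIRES a client certificate, then three curl requests against it.
# Assumes: openssl and curl on PATH, a free TCP port (DEMO_PORT, default 44330).
# Every key and certificate below is throwaway and generated on the spot.
set -eu

PORT="${DEMO_PORT:-44330}"
DIR=""

# One CA signs both the server cert and the client cert, so the same ca.pem serves
# as curl's --cacert (to verify the server) and as the server's trust store
# (to verify the client).
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Demo CA" \
        -keyout "$DIR/ca.key" -out "$DIR/ca.pem" 2>/dev/null
    printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\n' > "$DIR/san.cnf"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$DIR/server.key" -out "$DIR/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in "$DIR/server.csr" -CA "$DIR/ca.pem" \
        -CAkey "$DIR/ca.key" -CAcreateserial -extfile "$DIR/san.cnf" \
        -out "$DIR/server.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo client" \
        -keyout "$DIR/client.key" -out "$DIR/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in "$DIR/client.csr" -CA "$DIR/ca.pem" \
        -CAkey "$DIR/ca.key" -CAcreateserial -out "$DIR/client.pem" 2>/dev/null
    # The layout curl's manual describes: certificate and private key in ONE PEM file.
    cat "$DIR/client.pem" "$DIR/client.key" > "$DIR/client-combined.pem"
}

# Run one request; print "<label> rc=<curl exit code> http=<status>" (000 = no response).
attempt() {
    label="$1"; shift
    rc=0
    code=$(curl -s -S -o /dev/null -w '%{http_code}' --cacert "$DIR/ca.pem" "$@" \
        "https://127.0.0.1:$PORT/" 2>"$DIR/err") || rc=$?
    if [ -s "$DIR/err" ]; then sed 's/^/    /' "$DIR/err" >&2; fi
    echo "$label rc=$rc http=$code"
}

# Poll until the background server accepts a fully authenticated connection.
wait_ready() {
    i=0
    while [ "$i" -lt 20 ]; do
        if curl -s -o /dev/null --cacert "$DIR/ca.pem" -E "$DIR/client-combined.pem" \
                "https://127.0.0.1:$PORT/" 2>/dev/null; then
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    echo "server on port $PORT never became ready" >&2
    return 1
}

demo() {
    DIR=$(mktemp -d)
    make_pki
    # -Verify (capital V) makes the client certificate mandatory; lowercase -verify
    # would merely request one and let the handshake succeed without it.
    openssl s_server -accept "$PORT" -www -quiet \
        -cert "$DIR/server.pem" -key "$DIR/server.key" \
        -CAfile "$DIR/ca.pem" -Verify 2 >/dev/null 2>&1 &
    pid=$!
    wait_ready || { kill "$pid" 2>/dev/null || true; rm -rf "$DIR"; return 1; }
    attempt nocert                                            # the poster's situation
    attempt certkey  --cert "$DIR/client.pem" --key "$DIR/client.key"
    attempt combined -E "$DIR/client-combined.pem"            # cert+key in one file
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf "$DIR"
}

if [ "${1:-}" = run ]; then demo; fi
```

Invoke it as `sh client-cert-demo.sh run`. The first request fails with no HTTP status at all, because the failure is inside TLS, before any HTTP bytes are exchanged: under TLS 1.2 the server aborts the handshake with an alert and curl reports exit 35, as in the original mail; under TLS 1.3 the client has already finished its side of the handshake when the server's "certificate required" alert arrives, so curl typically reports exit 56 instead. The second and third requests get HTTP 200, and they are equivalent: `-E`/`--cert` accepts either a cert-only PEM paired with `--key`, or a single PEM containing both, which is what the quoted manual text means by "private key and the private certificate concatenated". Nothing in either form is a separate "public cert" to send; the certificate in the file is the public half, and the key is what lets curl prove possession of it during the handshake.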