Re: How to send an intermediate for a client certificate to the server.

From: Daniel Stenberg <>
Date: Thu, 1 Nov 2018 16:53:26 +0100 (CET)

On Wed, 31 Oct 2018, James Short wrote:

> I'm trying to test mTLS with curl/nginx. The server side client
> verification is going fine as my system ca-certs has the relevant root for
> the server cert/inter chain nginx is sending to curl. However, I have a
> client cert/inter chain that I'm passing via --cert and only the client cert
> (first pem entry) is sent to the server.

(Let me first preface this reply by saying that I'm far from an expert in TLS
and client certs.)

This is probably curl functionality that is TLS backend dependent. You're
using a curl built to use NSS, so maybe there's a bug there.

But also: your curl version (7.29.0) is over five years old. We have quite
literally fixed thousands of bugs since that was released, and maybe we
improved in this area as well.

> With openssl s_client, I can use -CAfile to include the intermediate as it
> is only used for client cert verification. With curl, if I put the
> intermediate for the client cert in a file and point to it with --cacert,
> then *server* certificate validation fails because the root for the server
> cert validation is no longer there.

Right, because curl's --cacert option is the CA bundle used for verifying the

> The workaround is to concatenate my system root and my client cert
> intermediate into a new file and point to it with --cacert. This tells me
> that --cacert is used for building/verifying both server and client
> certificate chains.

That surprises me, and might also be a TLS backend specific thing. I would've
expected a work-around to concatenate them for the --cert option.

Received on 2018-11-01