Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-users / Single Mail

curl-users

Re: How to send an intermediate for a client certificate to the server.

From: James Short <james.short_at_alumni.duke.edu>
Date: Thu, 1 Nov 2018 14:15:51 -0700

Thanks for your response!

I got the 7.29.0 source and compiled with openssl instead and I just can
include the cert/inter chain in --cert and it works fine.

I guess NSS does things in contention with the curl documentation :(. I'm
limited to this curl as it is in our yum repos. I might add a new one with
updated curl and have it compiled with OpenSSL instead.

On Thu, Nov 1, 2018 at 9:45 AM Kamil Dudka <kdudka_at_redhat.com> wrote:

> On Thursday, November 1, 2018 4:53:26 PM CET Daniel Stenberg wrote:
> > On Wed, 31 Oct 2018, James Short wrote:
> > > I'm trying to test mTLS with curl/nginx. The server side client
> > > verification is going fine as my system ca-certs has the relevant root
> for
> > > the server cert/inter chain nginx is sending to curl. However, I have
> a
> > > client cert/inter chain that I'm passing via --cert and only the client
> > > cert (first pem entry) is sent to the server.
> >
> > (Let me first preface this reply by saying that I'm far from an expert in
> > TLS and client certs.)
> >
> > This is probably curl functionality that is TLS backend dependent. You're
> > using a curl built to use NSS, so maybe there's a bug there.
> >
> > But also: your curl version (7.29.0) is over five years old. We have
> quite
> > literaly fixed thousands of bugs since that was released, and maybe we
> > improved in this area as well.
> >
> > > With openssl s_client, I can use -CAfile to include the intermediate
> as it
> > > is only used for client cert verification. With curl, if I put the
> > > intermediate for the client cert in a file and point to it with
> --cacert,
> > > then *server* certificate validation fails because the root for the
> server
> > > cert validation is no longer there.
> >
> > Right, because curl's --cacert option is the CA bundle used for verifying
> > the server.
> >
> > > The workaround is to concatenate my system root and my client cert
> > > intermediate into a new file and point to it with --cacert. This
> tells me
> > > that --cacert is used for building/verifying both server and client
> > > certificate chains.
> >
> > That surprises me, and might also be a TLS backend specific thing. I
> > would've expected a work-around to concatenate them for the --cert
> option.
>
> This use-case was discussed at the following upstream issue:
>
> https://github.com/curl/curl/issues/851
>
> The ability of libcurl to load certificates from files is limited when it
> uses
> NSS for TLS. Not that I tried it myself but you should be able to import
> the
> certificates to the native NSS database and control the trust more
> precisely.
>
> Kamil
>
>
>

-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-11-01