Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-users / Single Mail

curl-users

Curl failed to authenticate CA server certificate

From: Deepak SP <spdeepak_at_gmail.com>
Date: Fri, 18 Jan 2019 14:58:49 +0530

I was trying out few test for certificate enrollment procedure using curl
tool, as described in the testrfc7030.com. The cacert downlod procedure
works with testrfc7030.com hosted CA server.

But I find problems when I host the CA server locally using the libest
server example program.
$ curl https://localhost:8085/.well-known/est/cacerts -o cacerts.p7
--cacert ./cacert.crt -v
  % Total % Received % Xferd Average Speed Time Time Time
Current
                                 Dload Upload Total Spent Left
Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
 0* Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 8085 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8085 (#0)
* Cipher selection:
ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: ./cacert.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [94 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [777 bytes data]
* TLSv1.2 (OUT), TLS alert, decrypt error (563):
} [2 bytes data]
* error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
 0
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
} [2 bytes data]
curl: (35) error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib

cacert down load procedure was working earlier with locally hosted CA
server but it started failing when I added OCSP URI into the CA server
certificate. Above problem exists though I reverted my changes on CA server
certificate. One more note the libest client example program successfully
downloads the cacert and also authentication succeeds with the same CA
server certificates where curl tool is throwing error.

I am using the curl version as 7.63.0 and openssl version 1.0.1u. Also note
that the curl and libest are using the same version of openssl-1.0.1u.

It will be very helpful if you can give some guidance why the curl is
failing here.

Thanks & Regards,
Deepak

-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-01-18