Re: curl-users Digest, Vol 161, Issue 11

From: Deepak SP <spdeepak_at_gmail.com>
Date: Sat, 19 Jan 2019 11:33:04 +0530

I understand it is openssl throwing an error for the certificate; as I mentioned,
I did the same tests using the libest client example program, which is not
throwing any error.
And libest and curl are built using the same version of openssl; thanks
for your immediate response.

Regards,
Deepak

On Fri, 18 Jan 2019 at 16:34, <curl-users-request_at_cool.haxx.se> wrote:

> Today's Topics:
>
> 1. Curl failed to authenticate CA server certificate (Deepak SP)
> 2. Re: Curl failed to authenticate CA server certificate
> (Daniel Stenberg)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 18 Jan 2019 14:58:49 +0530
> From: Deepak SP <spdeepak_at_gmail.com>
> To: curl-users_at_cool.haxx.se
> Subject: Curl failed to authenticate CA server certificate
> Message-ID:
> <CAAQ3FiPr76W=OvNkGRQ250=
> 9W418wpwwz-boyerBkOGCa6sbTw_at_mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I was trying out a few tests of the certificate enrollment procedure using the
> curl tool, as described on testrfc7030.com. The cacert download procedure
> works with the CA server hosted on testrfc7030.com.
>
> But I find problems when I host the CA server locally using the libest
> server example program.
> $ curl https://localhost:8085/.well-known/est/cacerts -o cacerts.p7 --cacert ./cacert.crt -v
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
> * Trying ::1...
> * TCP_NODELAY set
> * connect to ::1 port 8085 failed: Connection refused
> * Trying 127.0.0.1...
> * TCP_NODELAY set
> * Connected to localhost (127.0.0.1) port 8085 (#0)
> * Cipher selection:
> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: ./cacert.crt
> CApath: none
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> } [512 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> { [94 bytes data]
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> { [777 bytes data]
> * TLSv1.2 (OUT), TLS alert, decrypt error (563):
> } [2 bytes data]
> * error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
> * Closing connection 0
> * TLSv1.2 (OUT), TLS alert, close notify (256):
> } [2 bytes data]
> curl: (35) error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
>
>
> The cacert download procedure was working earlier with the locally hosted CA
> server, but it started failing when I added an OCSP URI to the CA server
> certificate. The above problem exists even though I reverted my changes to the
> CA server certificate. One more note: the libest client example program
> successfully downloads the cacert, and authentication also succeeds with the
> same CA server certificates where the curl tool is throwing an error.
>
> I am using curl version 7.63.0 and openssl version 1.0.1u. Also note
> that curl and libest are using the same version of openssl-1.0.1u.
>
> It will be very helpful if you can give some guidance on why curl is
> failing here.
>
> Thanks & Regards,
> Deepak
>
> ------------------------------
>
> Message: 2
> Date: Fri, 18 Jan 2019 10:50:45 +0100 (CET)
> From: Daniel Stenberg <daniel_at_haxx.se>
> To: the curl tool <curl-users_at_cool.haxx.se>
> Subject: Re: Curl failed to authenticate CA server certificate
> Message-ID: <alpine.DEB.2.20.1901181045310.12813_at_tvnag.unkk.fr>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On Fri, 18 Jan 2019, Deepak SP wrote:
>
> > curl: (35) error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
>
> This very cryptic message means that OpenSSL somehow barfed on the certificate
> and returned an error to curl. It is unfortunately all the info we have on the
> error.
>
> I would *suspect* that your certificate is using an outdated algorithm
> somewhere or something but I really can't tell for sure.
>
> If you get a ca cert bundle from https://curl.haxx.se/docs/caextract.html and
> use that when contacting a regular public HTTPS site, does that work? It
> really should.
>
> > It will be very helpful if you can give some guidance on why curl is
> > failing here.
>
> To further debug this, I would suggest switching to trying the openssl command
> line tool so that you rule out curl's involvement and work directly with
> OpenSSL and if the problems remain, you take them to the openssl team.
>
> I'm sorry to have to redirect you somewhere else and I don't mean to "shift
> blame", but they are without doubt the better people to answer questions about
> what's going on here and why.
>
> --
>
> / daniel.haxx.se
>
>
> ------------------------------
>
> End of curl-users Digest, Vol 161, Issue 11
>

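Added example, not code from the thread or from the curl project: a small POSIX shell helper that splits the packed OpenSSL 1.0.x error code quoted above into its library/function/reason fields (so the "EVP lib" part of the message can be read), followed by the OpenSSL-only checks Daniel recommends for taking curl out of the picture. The host, port and CA file name are taken from Deepak's curl command and are assumptions; the field layout is OpenSSL's ERR_PACK macro.

```shell
#!/bin/sh
# Added example (not from the thread): decode an OpenSSL 1.0.x packed error
# code such as 0D0C5006 and run OpenSSL-only checks against the EST server.
# ERR_PACK layout (OpenSSL err.h): lib = bits 24-31, func = bits 12-23,
# reason = bits 0-11. For 0D0C5006: lib 13 (ERR_LIB_ASN1, "asn1 encoding
# routines"), func 197 (ASN1_item_verify), reason 6 (ERR_R_EVP_LIB, "EVP lib").

decode_openssl_err() {
    code=$((0x$1))
    lib=$(( (code >> 24) & 0xff ))
    func=$(( (code >> 12) & 0xfff ))
    reason=$(( code & 0xfff ))
    echo "$lib $func $reason"
}

# Reason 6 (ERR_R_EVP_LIB) means the ASN.1 signature check handed the work to
# the EVP layer and EVP failed, e.g. because the key type plus digest/signature
# algorithm combination could not be set up in this OpenSSL build. That is the
# "outdated algorithm" suspicion from the thread, stated as a check to make.
explain_reason() {
    case "$1" in
        6)  echo "EVP lib: signature/digest algorithm rejected by EVP" ;;
        *)  echo "reason $1: run 'openssl errstr <code>' for the text" ;;
    esac
}

# OpenSSL-only reproduction of what curl asked OpenSSL to do (no curl involved).
# Defaults assume the CA file, host and port from the curl command in the thread.
check_with_openssl() {
    ca="$1"; host="${2:-localhost}"; port="${3:-8085}"
    echo "== signature algorithms used in $ca =="
    openssl x509 -in "$ca" -noout -text | grep 'Signature Algorithm' | sort -u
    echo "== TLS handshake and chain verification via s_client =="
    openssl s_client -connect "$host:$port" -CAfile "$ca" -showcerts </dev/null 2>&1 \
        | grep -E 'Verify return code|verify error|error:'
}

# Only touch the network when the caller names a CA file, e.g.
#   CACERT=./cacert.crt ESTHOST=localhost ESTPORT=8085 sh est-check.sh
if [ -n "${CACERT:-}" ]; then
    check_with_openssl "$CACERT" "${ESTHOST:-localhost}" "${ESTPORT:-8085}"
fi
```

If the s_client run fails with the same error, the problem is in the certificate or the OpenSSL build rather than in curl, which is the split Daniel's reply asks for.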
Received on 2019-01-19