curl TLS mutual authentication with pkcs11 error
Date: Thu, 17 Oct 2019 14:00:15 +0300
I'm trying to do TLS mutual authentication where the client key resides in an HSM.
I have created a private PKI with a root certificate, an intermediate certificate,
a server certificate and a client certificate. I have tested with OpenSSL's
s_server and s_client CLI tools and it works.

```shell
openssl s_server -key /path/to/serverkey.pem -cert /path/to/servercert.pem \
    -accept 8443 -www -Verify 5 -CAfile /path/to/CAcert.pem

openssl s_client -engine pkcs11 -verify 5 -CAfile /path/to/CAcert.pem \
    -keyform engine -key "pkcs11:model=...;type=private" \
    -cert /path/to/clientcert.pem -connect localhost:8443
```
Both return `verify return:1` with the certificate details of the respective peer.
Now I'm trying to achieve the same in curl. I use the command below while
openssl s_server is still running.

```shell
curl -vvv --engine pkcs11 --cacert /path/to/CAcert.pem --key-type ENG --key \
    "pkcs11:model=...;type=private" --cert-type PEM --cert
```

However, this isn't working. Output:
```
Connected to localhost (127.0.0.1) port 8443 (#0)
ALPN, offering http/1.1
Enter PKCS#11 token PIN for <token_name>: **I enter my PIN**
successfully set certificate verify locations:
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (3):
TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
TLSv1.3 (IN), TLS handshake, Request CERT (13):
TLSv1.3 (IN), TLS handshake, Certificate (11):
Segmentation fault (core dumped)
shutting down SSL
```

I guess that when s_server asks its peer for a client certificate, curl can't
access the PKCS#11 interface. curl uses the same OpenSSL installation as
s_server/s_client. Does anyone have any suggestions?
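Added diagnostic, not part of the original post and not curl's or OpenSSL's own code. The crash lands exactly where the engine is first asked to do real work: after the server's certificate request, when curl must produce the client certificate and sign with the PKCS#11 key. One thing worth ruling out before digging into curl's engine handling is a libcrypto mismatch: if the pkcs11 engine module was built against a different OpenSSL than the one the curl binary has loaded, the dynamic loader pulls a second, incompatible libcrypto into the process and the first call into it tends to crash. The script below extracts the resolved libcrypto path from `ldd` output for both sides and compares them; it runs on constructed sample output so the parsing can be exercised without an HSM. The engine module path in the usage comment is an assumption (it varies by distribution; `openssl version -e` prints the engines directory).

```shell
#!/bin/sh
# Added example: compare which libcrypto the curl binary and the pkcs11 engine
# module resolve to. A mismatch is a plausible cause of a segfault at the point
# where the engine is first used for a signing operation.

# Read `ldd` output on stdin and print the resolved libcrypto path (first field
# that starts with "/" on the libcrypto line). Prints nothing if unresolved.
libcrypto_of() {
    awk '/libcrypto\.so/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit }
         }'
}

# Compare the two resolved paths. Returns 0 on match, 1 on mismatch,
# 2 if either side could not be resolved.
same_libcrypto() {
    curl_lib=$1
    engine_lib=$2
    if [ -z "$curl_lib" ] || [ -z "$engine_lib" ]; then
        echo "UNRESOLVED: could not find libcrypto for one side"
        return 2
    fi
    if [ "$curl_lib" = "$engine_lib" ]; then
        echo "OK: curl and engine both use $curl_lib"
        return 0
    fi
    echo "MISMATCH: curl -> $curl_lib, engine -> $engine_lib"
    return 1
}

# Constructed sample ldd output (not captured from a real system) that shows
# the failure mode: curl on the system OpenSSL 1.1, engine built against a
# locally installed OpenSSL 1.0.
SAMPLE_CURL_LDD='    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0a1c000000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0a1ba00000)'
SAMPLE_ENGINE_LDD='    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f0a1b600000)'

# Runs the comparison on the constructed sample; exit status is the verdict.
demo_check() {
    curl_lib=$(printf '%s\n' "$SAMPLE_CURL_LDD" | libcrypto_of)
    engine_lib=$(printf '%s\n' "$SAMPLE_ENGINE_LDD" | libcrypto_of)
    same_libcrypto "$curl_lib" "$engine_lib"
}

# Live check (engine path is an assumption; adjust to `openssl version -e`):
#   curl_lib=$(ldd "$(command -v curl)" | libcrypto_of)
#   engine_lib=$(ldd /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so | libcrypto_of)
#   same_libcrypto "$curl_lib" "$engine_lib"

# Running this file as-is exercises the parser on the constructed sample.
demo_check || :
```

If the live check reports OK, the mismatch theory is ruled out and the next things to confirm are that `curl --version` lists OpenSSL as the TLS backend and that `curl --engine list` actually shows `pkcs11`; if it reports MISMATCH, rebuild or reinstall the engine against the OpenSSL that curl links, or point curl at a build that matches the engine.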