Unable to parse ECDSA and ed25519 keys
From: Santino KEUPP via curl-users <curl-users_at_cool.haxx.se>
Date: Fri, 6 Dec 2019 09:47:38 +0000
Hi all,
we updated libcurl from version 7.55.0 to 7.65.1 (and libssh2 from 1.7.0 to
1.8.1) on an embedded Linux device where we use sftp.
To authenticate the server, we set the option CURLOPT_SSH_KNOWNHOSTS. In the
past, everything worked fine, but now we get the curl error msg 60.
We can also reproduce this behavior on a host PC by just using the curl command line tool on localhost:
---
$ curl "sftp://localhost:22/" -v -u "user:pw"
*   Trying ::1:22...
* TCP_NODELAY set
* Connected to localhost (::1) port 22 (#0)
* SSH MD5 fingerprint: 7578d40cd7adf746bb1bccf87ef456e0
* SSH host check: 2, key: <none>
* Closing connection 0
curl: (60) SSL peer certificate or SSH remote key was not OK
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
---

It looks like curl (or libssh2) is unable to parse the ECDSA and ed25519 keys
provided by the server. If we remove those public keys from /etc/ssh/ on the
server to force the usage of RSA keys, it works (then we also had to replace
the public keys in ~/.ssh/known_hosts). The keys are fine, since they work
with the command line tools 'ssh' and 'sftp'.

Is this a bug or are we missing something?

System:
---
$ uname -a
Linux localhost 5.3.13-gentoo #1 SMP PREEMPT Fri Nov 29 09:35:02 CET 2019 x86_64 Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz GenuineIntel GNU/Linux
$ curl --version
curl 7.66.0 (x86_64-pc-linux-gnu) libcurl/7.66.0 OpenSSL/1.1.1d zlib/1.2.11 libssh2/1.9.0_DEV
Release-Date: 2019-09-11
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: HTTPS-proxy IPv6 Largefile libz NTLM SSL TLS-SRP UnixSockets
---

Kind regards,
Santino Keupp

______________________________________________________________________________________________________
Confidentiality
The information contained in these documents is intended for the exclusive use of the addressee designated above. Each disclosure, reproduction, distribution is strictly prohibited. If you have received this transmission in error please contact us immediately.

Diehl Metering GmbH
Donaustrasse 120
90451 Nuernberg
Registered office: Ansbach, Register court: Ansbach HRB 69
Managing directors: Dr. Christof Bosbach (Spokesman), Thomas Gastner, Jean-François Marguet
Information about data protection can be found on our homepage (German and English):
https://www.diehl.com/metering/de/diehl-metering/data-protection
https://www.diehl.com/metering/en/diehl-metering/data-protection
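A note on reading the verbose output above, followed by an added example that is not code from curl, libssh2 or the poster. The "2" in "SSH host check: 2" is CURLKHMATCH_MISSING in curl's curl_khmatch enum (0 = OK, 1 = MISMATCH, 2 = MISSING), and curl prints "key: <none>" exactly when the known-hosts lookup found no entry for the host; so the question is which known_hosts line the server's key should have matched and what type that line carries. The "SSH MD5 fingerprint" curl prints is the MD5 of the raw host-key blob (the same value ssh-keygen -l -E md5 shows), so it can be compared directly against the base64 blob of each known_hosts line. The script below parses a known_hosts file, reports each entry's key type as written in the file and as embedded in the key blob, computes the MD5 fingerprint, and looks up a host/fingerprint pair, including OpenSSH's hashed "|1|salt|hmac" host names. The known_hosts content it runs on is constructed from synthetic key bytes (not real keys); wildcard host patterns and "[host]:port" matching are not implemented.

```python
"""Inspect an OpenSSH known_hosts file: key types, MD5 fingerprints, and which
entry (if any) should have matched a given host + fingerprint.

Added example for this thread, not code from curl or libssh2. The known_hosts
text used below is constructed from synthetic key material, not real keys.
"""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer (extra byte keeps the sign bit clear)."""
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


@dataclass
class KnownHost:
    hosts: str      # field 1: "host1,host2", "[host]:port", or hashed "|1|salt|hmac"
    key_type: str   # field 2 as written in the file
    blob: bytes     # field 3, base64-decoded: the public key in SSH wire format

    @property
    def wire_type(self) -> str:
        """Key type string at the start of the blob; should equal key_type."""
        (n,) = struct.unpack(">I", self.blob[:4])
        return self.blob[4:4 + n].decode()

    @property
    def md5(self) -> str:
        # MD5 over the raw blob: what ssh-keygen -l -E md5 shows and what curl's
        # verbose "SSH MD5 fingerprint" line prints (32 hex digits, no colons).
        return hashlib.md5(self.blob).hexdigest()

    def matches_host(self, hostname: str) -> bool:
        """Plain comma-separated names and |1| hashed names; no wildcards."""
        if self.hosts.startswith("|1|"):
            _, _, salt_b64, mac_b64 = self.hosts.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
            return hmac.compare_digest(mac, base64.b64decode(mac_b64))
        return hostname in self.hosts.split(",")


def parse_known_hosts(text: str) -> List[KnownHost]:
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):       # @cert-authority / @revoked marker
            fields = fields[1:]
        hosts, key_type, b64 = fields[:3]   # anything after field 3 is a comment
        entries.append(KnownHost(hosts, key_type, base64.b64decode(b64)))
    return entries


def find_by_fingerprint(entries: List[KnownHost], hostname: str,
                        md5_fp: str) -> Optional[KnownHost]:
    """Entry that names hostname AND carries this MD5 fingerprint, i.e. the line
    a known-hosts check should have matched. None corresponds to curl's
    'SSH host check: 2' (CURLKHMATCH_MISSING) with 'key: <none>'."""
    want = md5_fp.replace(":", "").lower()
    for e in entries:
        if e.matches_host(hostname) and e.md5 == want:
            return e
    return None


def _constructed_known_hosts() -> str:
    """Synthetic known_hosts: one ed25519, one hashed-host ECDSA, one RSA line.
    The key bytes are made up; only the encoding is realistic."""
    ed = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    ec = (_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
          + _ssh_string(b"\x04" + bytes(range(64))))           # uncompressed point
    rsa = (_ssh_string(b"ssh-rsa") + _ssh_mpint(65537)
           + _ssh_mpint(int.from_bytes(b"\x80" + b"\x11" * 63, "big")))
    salt = b"0123456789abcdefghij"                             # 20-byte salt, as ssh-keygen -H uses
    hashed = "|1|%s|%s" % (_b64(salt), _b64(hmac.new(salt, b"localhost", hashlib.sha1).digest()))
    return "\n".join([
        "# constructed sample, not real host keys",
        "localhost ssh-ed25519 " + _b64(ed),
        hashed + " ecdsa-sha2-nistp256 " + _b64(ec),
        "localhost,127.0.0.1 ssh-rsa " + _b64(rsa) + " toy 512-bit modulus",
    ]) + "\n"


SAMPLE = _constructed_known_hosts()

if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE)
    for e in entries:
        print(f"{e.key_type:22} wire={e.wire_type:22} md5={e.md5}  hosts={e.hosts}")
    # Fingerprint from the verbose curl run in this thread: no constructed line carries it
    print(find_by_fingerprint(entries, "localhost", "7578d40cd7adf746bb1bccf87ef456e0"))
```

To use it on a real file, replace SAMPLE with the contents of ~/.ssh/known_hosts (or whatever CURLOPT_SSH_KNOWNHOSTS points at) and pass the MD5 value from curl's verbose line to find_by_fingerprint: a hit tells you which key type the server offered and that the entry is present, so a MISSING result then points at the library's handling of that key type rather than at the file.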
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-12-06