
Re: HTTPS Client Auth using Smartcard certificate

From: Ray Satiro via curl-users <curl-users_at_lists.haxx.se>
Date: Sat, 7 May 2022 15:16:00 -0400

On 5/6/2022 11:39 AM, IMarvinTPA via curl-users wrote:
> I am attempting to use git on Windows to connect to a gitlab instance
> that is protected by HTTPS Client authentication.  The certificate I
> have that would work resides on a smartcard, and I cannot extract the
> private key.
>
> Is it possible to configure git/curl to use my smartcard client
> certificate?
>
> I am getting errors that resemble the following:
> "fatal: unable to access 'https://spork.fusion.navy.mil/...':
> schannel: next InitializeSecurityContext failed: SEC_E_CERT_UNKNOWN
> (0x80090327) - An unknown error occurred while processing the
> certificate."
> (This one happened after windows prompted me for my PIN for a
> certificate.)


Unfortunately Windows does not specify whether SEC_E_CERT_UNKNOWN is
caused by the client or server. The few times I've heard of it happening
with libcurl it was because the server fatally rejected the client
certificate during the handshake. However it could also be SChannel
having a trust issue with a server certificate or missing a certificate.


>
> and
> "curl: (35) schannel: next InitializeSecurityContext failed:
> SEC_E_ILLEGAL_MESSAGE (0x80090362) - This error usually occurs when a
> fatal SSL/TLS alert is received (e.g. handshake failed).  More detail
> may be available in the Windows System event log."
> (This was an attempt to use curl directly.  I did not get a pin prompt.)
>
> Am I doing something wrong or is this a use-case that isn't fully
> implemented yet?


SEC_E_ILLEGAL_MESSAGE is as described and caused by the server. Windows
usually does not give detail into what the actual TLS message was that
caused it, though it could be in the Windows event log. In your case I
think it's likely a handshake failure.

For both errors, aside from checking the event log there's no way to get
more detail unless you use a packet analyzer like Wireshark [1].

Note curl versions prior to 7.77.0 with SChannel supplied a client
certificate to the server automatically, but since then you must specify
the client certificate to use. How this is done in Git for Windows I
don't know, you'd have to check their documentation. For the curl tool
you'd use --ssl-auto-client-cert [2] or --cert [3]. If you are using
curl 7.77.0+ then try running your curl command with
--ssl-auto-client-cert and see if you get the same cert unknown error.


[1]: https://www.wireshark.org/
[2]: https://curl.se/docs/manpage.html#--ssl-auto-client-cert
[3]: https://curl.se/docs/manpage.html#-E



Received on 2022-05-07
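The reply above says that a Schannel build of curl 7.77.0 or later no longer picks a client certificate on its own, and that the fix on the command line is --ssl-auto-client-cert or --cert. The script below is an added example, not code from the post or from the curl project: it locates a smartcard-backed client-authentication certificate in the Windows personal store, passes it to curl by store path (the form Schannel's -E/--cert accepts, since the private key cannot be exported to a file), and then pulls the Schannel entries from the System event log that the reply points to. It assumes a Schannel-built curl.exe on PATH, that the smartcard certificate is already visible in CurrentUser\My, a placeholder URL, and that Schannel logs under the provider name "Schannel"; none of those come from the original post.

```powershell
# Added example (not from the mailing-list post). Assumptions: Schannel-built
# curl.exe on PATH; the smartcard certificate is already present in the
# CurrentUser\My store (Windows normally propagates it when the card is
# inserted); $Url is a placeholder to replace with the real server.
$Url = 'https://gitlab.example.invalid/api/v4/version'   # placeholder

# 1. Confirm the build and version. The TLS backend name appears in the first
#    line of `curl --version`; 7.77.0 is the release after which Schannel no
#    longer sends a client certificate unless told to.
$verLine = (& curl.exe --version)[0]
if ($verLine -notmatch 'curl (\d+\.\d+\.\d+)') { throw "cannot parse: $verLine" }
$curlVersion = [version]$Matches[1]
$isSchannel  = $verLine -match 'Schannel'
"curl $curlVersion, Schannel backend: $isSchannel"

# 2. List candidate client-auth certificates: those in the personal store with
#    a private-key handle (for a smartcard this is backed by the card's KSP/CSP,
#    not an exportable key), still valid, and carrying the Client Authentication
#    EKU (OID 1.3.6.1.5.5.7.3.2).
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$candidates = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
})
if ($candidates.Count -eq 0) {
    throw 'no valid client-authentication certificate with a private key in CurrentUser\My'
}
$candidates | Format-Table Thumbprint, Subject, NotAfter -AutoSize

# 3. Hand the chosen certificate (here: the first match) to curl by store path.
#    With Schannel, --cert takes "<store location>\<store name>\<thumbprint>"
#    instead of a file; the thumbprint is the SHA-1 hex string shown in the
#    certificate details.
$thumb    = $candidates[0].Thumbprint
$certSpec = "CurrentUser\MY\$thumb"

# 4. Try the explicit certificate with -v so the handshake is visible, then the
#    automatic selection the reply suggests, for comparison. --ssl-auto-client-cert
#    only exists from 7.77.0 on, so it is gated on the version parsed above.
#    Expect a PIN prompt from the smartcard middleware on each attempt.
& curl.exe -v --cert $certSpec $Url
if ($curlVersion -ge [version]'7.77.0') {
    & curl.exe -v --ssl-auto-client-cert $Url
}

# 5. If SEC_E_CERT_UNKNOWN or SEC_E_ILLEGAL_MESSAGE persists, read the recent
#    Schannel entries in the System log, which is where the reply says more
#    detail may be found. Provider name 'Schannel' is an assumption; adjust it
#    if your Windows version logs these events under a different provider.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it in a PowerShell session on the client machine with the card inserted. Seeing the explicit --cert attempt fail the same way as --ssl-auto-client-cert narrows the problem to the certificate being rejected (by the server, or by Schannel building its chain), whereas a success with --cert and a failure without it simply confirms the 7.77.0 behaviour change. Git for Windows has its own configuration for this and is not covered here.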