Re: HTTPS Client Auth using Smartcard certificate
From: IMarvinTPA via curl-users <curl-users_at_lists.haxx.se>
Date: Mon, 9 May 2022 07:52:51 -0400
On 5/7/22 15:16, Ray Satiro via curl-users wrote:
> On 5/6/2022 11:39 AM, IMarvinTPA via curl-users wrote:
>> I am attempting to use git on Windows to connect to a gitlab instance
>> that is protected by HTTPS Client authentication. The certificate I
>> have that would work resides on a smartcard, and I cannot extract the
>> private key.
>>
>> Is it possible to configure git/curl to use my smartcard client
>> certificate?
>>
>> I am getting errors that resemble the following:
>> "fatal: unable to access 'https://spork.fusion.navy.mil/...':
>> schannel: next InitializeSecurityContext failed: SEC_E_CERT_UNKNOWN
>> (0x80090327) - An unknown error occurred while processing the
>> certificate."
>> (This one happened after windows prompted me for my PIN for a
>> certificate.)
>
>
> Unfortunately Windows does not specify whether SEC_E_CERT_UNKNOWN is
> caused by the client or server. The few times I've heard of it happening
> with libcurl it was because the server fatally rejected the client
> certificate during the handshake. However it could also be SChannel
> having a trust issue with a server certificate or missing a certificate.
>
>
>>
>> and
>> "curl: (35) schannel: next InitializeSecurityContext failed:
>> SEC_E_ILLEGAL_MESSAGE (0x80090362) - This error usually occurs when a
>> fatal SSL/TLS alert is received (e.g. handshake failed). More detail
>> may be available in the Windows System event log."
>> (This was an attempt to use curl directly. I did not get a pin prompt.)
>>
>> Am I doing something wrong or is this a use-case that isn't fully
>> implemented yet?
>
>
> SEC_E_ILLEGAL_MESSAGE is as described and caused by the server. Windows
> usually does not give detail into what the actual TLS message was that
> caused it, though it could be in the Windows event log. In your case I
> think it's likely a handshake failure.
>
> For both errors, aside from checking the event log there's no way to get
> more detail unless you use a packet analyzer like Wireshark [1].
>
> Note curl versions prior to 7.77.0 with SChannel supplied a client
> certificate to the server automatically, but since then you must specify
> the client certificate to use. How this is done in Git for Windows I
> don't know, you'd have to check their documentation. For the curl tool
> you'd use --ssl-auto-client-cert [2] or --cert [3]. If you are using
> curl 7.77.0+ then try running your curl command with
> --ssl-auto-client-cert and see if you get the same cert unknown error.
>
Hi,

Using --ssl-auto-client-cert in curl gets me the same error and behavior
that git gave me. (PIN prompt and SEC_E_CERT_UNKNOWN (0x80090327))

I found an old thread from 2016, curl.se/mail/archive-2016-09/0014.html
where someone on Linux got it working with --cert. However, I don't
know how to get the right name for the certificate I want to use in
Windows. I have about 8 certificates on smartcards and only one of them
will work, so if auto is picking the wrong one, that could be my error.

If I use --cert, I get "schannel: Failed to get certificate location or
file for [whatever I try]". If I'm lucky, I just need to know the
command to give me a list of potential choices for this step.

It would be nice if -v --ssl-auto-client-cert would at least tell me
which certificate it picked.
--
Thanks,
Andy Bay

Received on 2022-05-09
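One way to get the list Andy asks for, together with the exact name that --cert wants, as an added PowerShell example that is not part of the original message or of curl itself. It assumes the smartcard is inserted and Windows has propagated its certificates into the user's personal store (Cert:\CurrentUser\My), which is where Schannel looks; the store-path form it prints, <location>\<store>\<thumbprint>, is the one curl's --cert documentation specifies for Schannel builds. The GitLab hostname and the issuer filter in the last lines are placeholders.

```powershell
# Added example for this thread (not code from the list or the curl project):
# list the certificates Windows exposes to Schannel in the current user's
# personal store, keep the ones usable for TLS client authentication, and
# print the "<location>\<store>\<thumbprint>" string that curl's --cert
# option expects when curl is built with Schannel.
#
# Assumptions: the smartcard is inserted and the Certificate Propagation
# service has copied its certificates into Cert:\CurrentUser\My (the normal
# case); HasPrivateKey is true for those entries because the key container
# on the card is linked to them. Runs on Windows PowerShell 5.1 or PowerShell 7.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-ClientAuthCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    # RFC 5280: no EKU extension means the key may be used for any purpose.
    if (-not $eku) { return $true }

    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq $ClientAuthOid) { return $true }
    }
    return $false
}

function Get-CurlClientCertCandidate {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        # Schannel's name for the Cert:\CurrentUser\My store, in the form curl wants.
        [string]$SchannelStore = 'CurrentUser\MY'
    )

    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            (Test-ClientAuthCert -Cert $_)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint            # SHA-1 hex, as curl expects
                CurlCert   = "$SchannelStore\$($_.Thumbprint)"
            }
        }
}

# Show every candidate. The Issuer is what to match against the CA names the
# server sends in its CertificateRequest; only that chain will be accepted.
Get-CurlClientCertCandidate | Format-List

# Example invocation (hostname and issuer filter are placeholders). Call
# curl.exe explicitly: in Windows PowerShell "curl" is an alias for
# Invoke-WebRequest and never reaches the real binary.
#
#   $cert = @(Get-CurlClientCertCandidate | Where-Object Issuer -like '*<your CA>*')[0].CurlCert
#   curl.exe -v --cert $cert https://gitlab.example.invalid/
```

The "Failed to get certificate location or file" message is what curl's Schannel backend reports when the --cert value is neither a readable file nor a string it can parse in that store form, so a friendly name or subject will never work there; the thumbprint is also visible under Details in the certificate viewer if you prefer to copy it by hand. With the right certificate selected, a remaining SEC_E_CERT_UNKNOWN or SEC_E_ILLEGAL_MESSAGE after the PIN prompt still means the server rejected it, and the Schannel entries in the System event log are the next place to look.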