
Re: HTTPS Client Auth using Smartcard certificate

From: IMarvinTPA via curl-users <curl-users_at_lists.haxx.se>
Date: Mon, 9 May 2022 08:32:54 -0400

On 5/9/22 07:52, IMarvinTPA via curl-users wrote:
> On 5/7/22 15:16, Ray Satiro via curl-users wrote:
>> On 5/6/2022 11:39 AM, IMarvinTPA via curl-users wrote:
>>> I am attempting to use git on Windows to connect to a gitlab instance
>>> that is protected by HTTPS Client authentication.  The certificate I
>>> have that would work resides on a smartcard, and I cannot extract the
>>> private key.
>>>
>>> Is it possible to configure git/curl to use my smartcard client
>>> certificate?
>>>
>>> I am getting errors that resemble the following:
>>> "fatal: unable to access 'https://spork.fusion.navy.mil/...':
>>> schannel: next InitializeSecurityContext failed: SEC_E_CERT_UNKNOWN
>>> (0x80090327) - An unknown error occurred while processing the
>>> certificate."
>>> (This one happened after windows prompted me for my PIN for a
>>> certificate.)
>>
>>
>> Unfortunately Windows does not specify whether SEC_E_CERT_UNKNOWN is
>> caused by the client or server. The few times I've heard of it happening
>> with libcurl it was because the server fatally rejected the client
>> certificate during the handshake. However it could also be SChannel
>> having a trust issue with a server certificate or missing a certificate.
>>
>>
>>>
>>> and
>>> "curl: (35) schannel: next InitializeSecurityContext failed:
>>> SEC_E_ILLEGAL_MESSAGE (0x80090362) - This error usually occurs when a
>>> fatal SSL/TLS alert is received (e.g. handshake failed).  More detail
>>> may be available in the Windows System event log."
>>> (This was an attempt to use curl directly.  I did not get a pin prompt.)
>>>
>>> Am I doing something wrong or is this a use-case that isn't fully
>>> implemented yet?
>>
>>
>> SEC_E_ILLEGAL_MESSAGE is as described and caused by the server. Windows
>> usually does not give detail into what the actual TLS message was that
>> caused it, though it could be in the Windows event log. In your case I
>> think it's likely a handshake failure.
>>
>> For both errors, aside from checking the event log there's no way to get
>> more detail unless you use a packet analyzer like Wireshark [1].
>>
>> Note curl versions prior to 7.77.0 with SChannel supplied a client
>> certificate to the server automatically, but since then you must specify
>> the client certificate to use. How this is done in Git for Windows I
>> don't know, you'd have to check their documentation. For the curl tool
>> you'd use --ssl-auto-client-cert [2] or --cert [3]. If you are using
>> curl 7.77.0+ then try running your curl command with
>> --ssl-auto-client-cert and see if you get the same cert unknown error.
>>
>
> Hi,
> Using --ssl-auto-client-cert in curl gets me the same error and behavior
> that git gave me.  (Pin prompt and SEC_E_CERT_UNKNOWN (0x80090327))
>
> I found an old thread from 2016, curl.se/mail/archive-2016-09/0014.html
> where someone on Linux got it working with --cert.  However, I don't
> know how to get the right name for the certificate I want to use in
> Windows.  I have about 8 certificates on smartcards and only one of them
> will work, so if auto is picking the wrong one, that could be my error.
>
> If I use --cert, I get "schannel: Failed to get certificate location or
> file for [whatever I try]"  If I'm lucky, I just need to know the
> command to give me a list of potential choices for this step.
>
> It would be nice if -v --ssl-auto-client-cert would at least tell me
> which certificate it picked.
>
>

Solution:
curl --cert "CurrentUser\MY\[thumbprint of desired cert]"

For Git, -c sslCert="CurrentUser\MY\[thumbprint of desired cert]"

Though git reports trouble with the connection a few times, it
ultimately works out. ("The request was aborted: Could not create
SSL/TLS secure channel." twice, then it works anyway.)

-- 
Thanks,
Andy Bay
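As an added example (not from this thread or from the curl project): a PowerShell snippet that lists the candidate certificates in CurrentUser\MY with their thumbprints, builds the --cert value in the form used in the solution above, and tries each one against the server until the TLS handshake succeeds. It assumes a schannel build of curl 7.77.0 or later on the PATH as curl.exe, uses PLACEHOLDER_URL in place of the real repository URL, and refers to git's setting by its full key name http.sslCert.

```powershell
# Added example, not the thread's own commands. Use curl.exe explicitly:
# in Windows PowerShell, `curl` is an alias for Invoke-WebRequest.
# Check the backend and version first with: curl.exe -V  (expect "Schannel", >= 7.77.0)

function Get-ClientCertCandidates {
    # Only certificates that have an associated private key and are still valid
    # can be offered for TLS client authentication. For a smartcard certificate
    # HasPrivateKey is true even though the key itself cannot be exported.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Select-Object Thumbprint, Subject, Issuer, NotAfter
}

function Get-CurlCertArgument {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # curl's schannel backend takes "<store location>\<store name>\<thumbprint>".
    # The thumbprint is the 40-hex-digit SHA-1 string shown by Get-ChildItem.
    $t = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    if ($t -notmatch '^[0-9A-F]{40}$') { throw "Not a 40-hex-digit thumbprint: $Thumbprint" }
    return "CurrentUser\MY\$t"
}

# 1. Show the candidates so the one issued by the CA the server trusts can be recognised.
Get-ClientCertCandidates | Format-Table -AutoSize

# 2. Try each candidate. Any HTTP response (even 401/404) means the handshake and
#    client authentication succeeded; a TLS failure exits non-zero (curl error 35).
#    Each attempt may trigger a PIN prompt for a smartcard-backed certificate.
$Url = 'https://PLACEHOLDER_URL/'   # placeholder, replace with the repository URL
foreach ($cert in Get-ClientCertCandidates) {
    $certArg = Get-CurlCertArgument -Thumbprint $cert.Thumbprint
    Write-Host "Trying $($cert.Subject) as $certArg"
    & curl.exe --silent --show-error --head --output NUL --cert $certArg $Url
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Handshake succeeded with: $certArg"
        # Same certificate for git, using the full key name of the sslCert option:
        Write-Host "git -c http.sslCert=`"$certArg`" ls-remote $Url"
        break
    }
}
```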
Received on 2022-05-09