Re: HTTPS Client Auth using Smartcard certificate
From: IMarvinTPA via curl-users <curl-users_at_lists.haxx.se>
Date: Mon, 9 May 2022 08:32:54 -0400
On 5/9/22 07:52, IMarvinTPA via curl-users wrote:
> On 5/7/22 15:16, Ray Satiro via curl-users wrote:
>> On 5/6/2022 11:39 AM, IMarvinTPA via curl-users wrote:
>>> I am attempting to use git on Windows to connect to a gitlab instance
>>> that is protected by HTTPS Client authentication. The certificate I
>>> have that would work resides on a smartcard, and I cannot extract the
>>> private key.
>>>
>>> Is it possible to configure git/curl to use my smartcard client
>>> certificate?
>>>
>>> I am getting errors that resemble the following:
>>> "fatal: unable to access 'https://spork.fusion.navy.mil/...':
>>> schannel: next InitializeSecurityContext failed: SEC_E_CERT_UNKNOWN
>>> (0x80090327) - An unknown error occurred while processing the
>>> certificate."
>>> (This one happened after windows prompted me for my PIN for a
>>> certificate.)
>>
>>
>> Unfortunately Windows does not specify whether SEC_E_CERT_UNKNOWN is
>> caused by the client or server. The few times I've heard of it happening
>> with libcurl it was because the server fatally rejected the client
>> certificate during the handshake. However it could also be SChannel
>> having a trust issue with a server certificate or missing a certificate.
>>
>>
>>>
>>> and
>>> "curl: (35) schannel: next InitializeSecurityContext failed:
>>> SEC_E_ILLEGAL_MESSAGE (0x80090362) - This error usually occurs when a
>>> fatal SSL/TLS alert is received (e.g. handshake failed). More detail
>>> may be available in the Windows System event log."
>>> (This was an attempt to use curl directly. I did not get a pin prompt.)
>>>
>>> Am I doing something wrong or is this a use-case that isn't fully
>>> implemented yet?
>>
>>
>> SEC_E_ILLEGAL_MESSAGE is as described and caused by the server. Windows
>> usually does not give detail into what the actual TLS message was that
>> caused it, though it could be in the Windows event log. In your case I
>> think it's likely a handshake failure.
>>
>> For both errors, aside from checking the event log there's no way to get
>> more detail unless you use a packet analyzer like Wireshark [1].
>>
>> Note curl versions prior to 7.77.0 with SChannel supplied a client
>> certificate to the server automatically, but since then you must specify
>> the client certificate to use. How this is done in Git for Windows I
>> don't know, you'd have to check their documentation. For the curl tool
>> you'd use --ssl-auto-client-cert [2] or --cert [3]. If you are using
>> curl 7.77.0+ then try running your curl command with
>> --ssl-auto-client-cert and see if you get the same cert unknown error.
>>
>
> Hi,
> Using --ssl-auto-client-cert in curl gets me the same error and behavior
> that git gave me. (Pin prompt and SEC_E_CERT_UNKNOWN (0x80090327))
>
> I found an old thread from 2016, curl.se/mail/archive-2016-09/0014.html
> where someone on Linux got it working with --cert. However, I don't
> know how to get the right name for the certificate I want to use in
> Windows. I have about 8 certificates on smartcards and only one of them
> will work, so if auto is picking the wrong one, that could be my error.
>
> If I use --cert, I get "schannel: Failed to get certificate location or
> file for [whatever I try]" If I'm lucky, I just need to know the
> command to give me a list of potential choices for this step.
>
> It would be nice if -v --ssl-auto-client-cert would at least tell me
> which certificate it picked.
>
>
Solution:
curl --cert "CurrentUser\MY\[thumbprint of desired cert]"
For Git: git -c http.sslCert="CurrentUser\MY\[thumbprint of desired cert]"
Git will report trouble with the connection a few times, but it
ultimately works out. ("The request was aborted: Could not create
SSL/TLS secure channel." twice, then it works anyway.)
-- Thanks, Andy Bay
Received on 2022-05-09
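The thread settles on the "CurrentUser\MY\<thumbprint>" form of --cert but never answers the earlier question of how to list the candidates. The PowerShell below is an added example, not part of the original message and not code from the curl or Git projects: it enumerates the current user's personal certificate store, keeps only certificates that have a private key, are unexpired and declare the Client Authentication EKU, and prints the exact store-path string curl's schannel backend accepts. The function name Get-CurlClientCert, the optional issuer filter and the gitlab.example.com URLs are assumptions made for the example; the store-path form of http.sslCert is only meaningful when Git for Windows is using the schannel backend, so the example sets http.sslBackend=schannel explicitly.

```powershell
# Added example (not from the thread). Lists client-auth certificates in the
# personal store and builds the "<StoreLocation>\<StoreName>\<Thumbprint>"
# string that curl's schannel backend accepts for --cert.

function Get-CurlClientCert {
    param(
        [string]$StoreLocation = 'CurrentUser',  # curl uses the location name as-is
        [string]$StoreName     = 'MY',           # personal store
        [string]$IssuerFilter  = ''              # optional substring to narrow by issuer (assumption)
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

    Get-ChildItem -Path "Cert:\$StoreLocation\$StoreName" |
        Where-Object {
            $c = $_
            # HasPrivateKey is true for smartcard certs whose key lives on the card.
            # Reading these properties does not touch the key, so no PIN prompt here.
            $c.HasPrivateKey -and
            $c.NotAfter -gt (Get-Date) -and
            $c.Issuer -like "*$IssuerFilter*" -and
            ($c.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
        } |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint          # SHA-1 hex, no spaces, as curl wants it
                CurlCert   = "$StoreLocation\$StoreName\$($_.Thumbprint)"
            }
        }
}

# 1. Show every candidate; pick the one whose issuer the server actually trusts.
Get-CurlClientCert | Format-List

# 2. Pin curl and git to that single certificate rather than letting schannel
#    choose. --ssl-auto-client-cert lets schannel pick, which with several cards
#    on hand may not be the certificate the server wants.
#    (Get-CurlClientCert | Select-Object -First 1) is only a placeholder for the
#    thumbprint you chose in step 1; the URLs are hypothetical.
$cert = (Get-CurlClientCert | Select-Object -First 1).CurlCert

# curl.exe, not curl: in Windows PowerShell "curl" is an alias for Invoke-WebRequest.
curl.exe --cert $cert -v https://gitlab.example.com/api/v4/version

git -c http.sslBackend=schannel -c http.sslCert=$cert `
    ls-remote https://gitlab.example.com/group/repo.git
```

If a server still returns SEC_E_CERT_UNKNOWN after you have pinned a specific thumbprint, the remaining suspects are the ones named earlier in the thread: the server rejecting that particular certificate, or a trust problem with the server's own chain, both of which you can only see in the Windows event log or a packet capture.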