cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Connecting using client certificates

From: plot.lost <plot.lost_at_gmail.com>
Date: Mon, 21 Mar 2011 20:56:06 +0400

On 21/03/2011 20:20, Ben Noordhuis wrote:
> On Mon, Mar 21, 2011 at 17:07, plot.lost<plot.lost_at_gmail.com> wrote:
>> I am trying to connect to a systems (https) that requires client
>> certificates, using the curl_easy interface.
>>
>> I think I've set the required options (CURLOPT_SSLCERT and CURLOPT_SSLKEY)
>> but the connection gets rejected.
>>
>> According to the system I am connecting to, it's because the client
>> certificate "does not have the chaining setup. The Root and CA should be
>> trusted"
>>
>> Now, I thought that the server held these and uses them to verify the client
>> certificate. If that is not the case, does anyone have any clues as to what
>> I need to do? I've tried adding the CA and Root certificates into the same
>> file that holds the client certificate, that made no difference. Is there an
>> additional curl_easy_setopt that needs to be done to add this "chaining
>> setup"?
>>
>> I can confirm that the client certificate has been signed by the correct CA,
>> but for some reason the system rejects the connection and this is the reason
>> they give.
> You can point libcurl to the CA or CAs with CURLOPT_CAINFO and
> CURLOPT_CAPATH. The first option takes a filename, the second one the
> name of a directory containing certificates (e.g. "/etc/ssl/certs/").
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
I thought the CURLOPT_CAINFO / CAPATH was used for specifying
certificates that are used by curl to verify the server certificate, not
anything that are used as part of the client certificate processing.

I've tried building a pkcs12 file that contains the client certificate
and the relevant CA/Root certificates, and then converted that back into
a single PEM file. That gets a PEM file that is different to the usual
method of just sticking the certificates together - there are additional
elements before each certificate (Bag Attributes, subject and issuer)
but that is also rejected by the server.

It's always the same error that comes back - error:14094438:SSL
routines:SSL3_READ_BYTES:tlsv1 alert internal error

All they will tell me is that the client certificate is not setup with
chaining, just keep repeating that as if somehow saying the same thing
over and over again will actually help... Nothing that actually gives
any pointers as to how the client certificate should actually be formatted.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2011-03-21