libcurl fails with error code 56 (ssl_read) and error code 58 when server reboots and doesn't recover post reboot

From: Kowsik Tulabandula <kowsik.tulabandula_at_gmail.com>
Date: Thu, 23 Aug 2012 21:49:15 +0530

Hi,

Communication from client to server using libcurl handle (easy interface)
is failing if the server is rebooted.

The program (code pasted below) creates a curl handle and initializes options
(URL, certificates, timeouts, request, etc.). Then, in an infinite loop, it
sends a request to the server every 2 seconds using the curl handle.

Observations are as below:

   1. After the program has started, client to server communication is
   established properly and messages are exchanged without any error.
   2. Later I powered off the server machine. When the server is powered off,
   curl_easy_perform failed with error code=28, "Timeout was reached
   (connect() timed out!)".
   3. Then I powered on the machine. While the machine was booting, I observed
   curl_easy_perform failure with error code=7, "Couldn't connect to
   server(couldn't connect to host)".
   4. Once the curl handle was able to connect to the server port, I observed
   an ssl_read error, curl error code=56, "Failure when receiving data from the
   peer (SSL read: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
   certificate, errno 0)".
   5. From then on, curl_easy_perform fails with error code=58, "Problem
   with the local SSL certificate (unable to use client certificate (no key
   found or wrong pass phrase?))" and never recovers after that.
   6. If I stop the program and restart it, the connection is established
   successfully. There is no change in certificates.

I am not able to find why curl_easy_perform fails with the ssl_read error and
why from then on it reports error code=58 (unable to use client certificate).

Since communication works with the same certificates initially and also after
restarting the process, I think there is no issue with the certificates.

I tried openssl commands to verify certificates are correct.

Linux# openssl x509 -noout -modulus -in /opt/certstore/VcCombined.pem | openssl md5
fe18e9f364d18eba9f39690563aca836

Linux# openssl rsa -noout -modulus -in /opt/certstore/default.key | openssl md5
fe18e9f364d18eba9f39690563aca836

Linux# openssl verify -CAfile /opt/certstore/sslca/CACertificate.pem /opt/certstore/VcCombined.pem
/opt/certstore/VcCombined.pem: OK

I am not sure how to debug this issue further, or whether it's an issue with
openssl, curl or my program.

-Kowsik

*Client side:*

curl --version

curl 7.25.0 (i686-pc-linux-gnu) libcurl/7.25.0 OpenSSL/0.9.8f zlib/1.2.1.2 libidn/0.5.6
Protocols: dict file gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet
Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz

*Server side:*

curl --version

curl 7.25.0 (i686-pc-linux-gnu) libcurl/7.25.0 OpenSSL/1.0.0e zlib/1.2.1.2 libidn/0.5.6
Protocols: dict file gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet
Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz

*Program:*

#include <cerrno>
#include <cstdio>
#include <cstring>
#include <string>
#include <unistd.h>
#include <curl/curl.h>

using namespace std;

static std::string buffer;

// libcurl write callback: append the received body to the std::string and
// return the number of bytes consumed (anything else aborts the transfer).
static size_t writer(char *data, size_t size, size_t nmemb, std::string *buffer)
{
    size_t result = 0;

    if (buffer != NULL)
    {
        buffer->append(data, size * nmemb);
        result = size * nmemb;
    }

    return result;
}

int main(void)
{
    CURL *curl;
    CURLcode res;
    char request[4096];
    char curl_errbuf[CURL_ERROR_SIZE];
    size_t bytes_read = 0;

    FILE *lFile = fopen("/tmp/getguid.xml", "r");
    if (lFile == NULL)
    {
        // Report errno; res is not initialized at this point.
        printf("fopen Error: %s\n", strerror(errno));
        return 1;
    }

    // Read at most sizeof(request) - 1 bytes so the zeroed buffer stays
    // NUL-terminated for the strlen() call below.
    memset(request, 0, sizeof(request));
    bytes_read = fread(request, 1, sizeof(request) - 1, lFile);
    fclose(lFile);
    if (bytes_read == 0)
    {
        printf("fread Error: no request data read\n");
        return 1;
    }

    curl = curl_easy_init();
    if (curl == NULL)
    {
        printf("curl_easy_init failed\n");
        return 1;
    }

    struct curl_slist* lcurlHeaders = NULL;
    lcurlHeaders = curl_slist_append(lcurlHeaders, "Content-Type: text/xml");
    curl_easy_setopt(curl, CURLOPT_HTTPHEADER, lcurlHeaders);
    curl_easy_setopt(curl, CURLOPT_URL, "https://10.65.124.221:443/xmlInternal/service-reg/forward");
    curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L);
    const char *lUCSInterfaceName = "eth0";
    curl_easy_setopt(curl, CURLOPT_INTERFACE, lUCSInterfaceName);
    // Client certificate, its private key, and the CA bundle used to verify the server.
    curl_easy_setopt(curl, CURLOPT_SSLCERT, "/opt/certstore/VcCombined.pem");
    curl_easy_setopt(curl, CURLOPT_SSLKEY, "/opt/certstore/default.key");
    curl_easy_setopt(curl, CURLOPT_CAINFO, "/opt/certstore/sslca/CACertificate.pem");
    curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
    // In libcurl 7.25.0 the value 1L only checks that the certificate carries a
    // name; 2L is the setting that matches that name against the host in the URL.
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);
    curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1L);
    curl_easy_setopt(curl, CURLOPT_POST, 1L);
    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, (char*)request);
    curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(request));
    curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, curl_errbuf);
    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writer);
    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &buffer);

    // Send the same request every 2 seconds, reusing the one easy handle.
    while(1)
    {
        memset(curl_errbuf, 0, CURL_ERROR_SIZE);
        res = curl_easy_perform(curl);

        if(CURLE_OK != res)
            printf("curl_easy_perform Error: %s (%s)\n", curl_easy_strerror(res), curl_errbuf);
        else
            printf("curl_easy_perform success\n");

        sleep(2);
    }

    // Not reached while the loop above runs forever.
    curl_slist_free_all(lcurlHeaders);
    curl_easy_cleanup(curl);
    return 0;
}
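
Added example, not part of the original post or of curl/OpenSSL code: a small C decoder for the packed OpenSSL error code quoted in observation 4, showing how to tell a TLS alert received from the peer apart from a locally raised error. It assumes the pre-3.0 OpenSSL error layout (the post uses 0.9.8f and 1.0.0e); decode_ossl_error and alert_name are hypothetical helper names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ossl_err { int lib, func, reason, alert; };   /* alert is -1 if none */

/* Locate "error:<8 hex digits>:" in a libcurl error string and unpack it with the
 * pre-3.0 ERR_PACK layout: 8 bits library, 12 bits function, 12 bits reason. */
static int decode_ossl_error(const char *msg, struct ossl_err *out)
{
    const char *p = strstr(msg, "error:");
    char *end;
    unsigned long code;
    if (p == NULL) return -1;
    p += 6;
    code = strtoul(p, &end, 16);
    if (end - p != 8 || *end != ':') return -1;
    out->lib    = (int)((code >> 24) & 0xff);
    out->func   = (int)((code >> 12) & 0xfff);
    out->reason = (int)(code & 0xfff);
    /* For libssl (library 20), reason = 1000 + N means the peer sent alert N. */
    out->alert = (out->lib == 20 && out->reason >= 1000) ? out->reason - 1000 : -1;
    return 0;
}

/* TLS alert descriptions that concern certificates (numbers from RFC 5246). */
static const char *alert_name(int alert)
{
    switch (alert) {
    case 42: return "bad_certificate";
    case 45: return "certificate_expired";
    case 46: return "certificate_unknown";
    case 48: return "unknown_ca";
    default: return alert < 0 ? "not a peer alert" : "other alert";
    }
}

int main(void)
{
    /* Error text quoted in observation 4 of the post above. */
    const char *msg = "SSL read: error:14094412:SSL routines:SSL3_READ_BYTES:"
                      "sslv3 alert bad certificate, errno 0";
    struct ossl_err e;
    if (decode_ossl_error(msg, &e) != 0) return 1;
    printf("lib=%d func=%d reason=%d alert=%d (%s)\n",
           e.lib, e.func, e.reason, e.alert, alert_name(e.alert));
    return 0;
}
```

For 14094412 the reason field is 1042, i.e. alert 42 (bad_certificate), so the failure in observation 4 is an alert sent by the server rather than an error raised on the client.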

Received on 2012-08-23