curl-library

Re: curl_easy_perform() fails with "Problem with the SSL CA cert (path? access rights?)" after first time calling this routine

From: cnm marketing <cnn.marketing_at_gmail.com>
Date: Fri, 15 Mar 2013 16:26:09 -0400

>error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too small
>libcurl does not fool around with certificate contents nor keys.
[cnm] libcurl uses openssl, that error message comes from openssl.
>The problem is in the certificate you are using which does not have a long enough Diffie-Hellman key.
[cnm] I don't understand what you are referring to, please give a bit more
details. When we use libcurl, we don't set Diffie-Hellman key. We are
getting the same Diffie-Hellman error message for both CURLOPT_SSL_VERIFYPEER
to 1 and CURLOPT_SSL_VERIFYPEER to 0. Please refer to my previous email
thread!!

On Fri, Mar 15, 2013 at 2:59 PM, cnm marketing <cnn.marketing_at_gmail.com> wrote:

> >error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too small
> 1. When libcurl uses Diffie-Hellman, does libcurl hardcode the
> Diffie-Hellman key and the length?
> 2. Does libcurl have an option that allows a libcurl user to reset the
> Diffie-Hellman key length?
> We are still wondering (90% convinced) whether the error message has
> something to do with the openssl that is getting loaded from another layer.
> When the openssl is being loaded by another layer, libcurl is trying to use
> that openssl context and finds the key size (set by libcurl) is too small
> compared to the key set by another layer.
>
>
>
>
> On Fri, Mar 15, 2013 at 2:00 PM, cnm marketing <cnn.marketing_at_gmail.com> wrote:
>
>> >What SSL implementation is your libcurl using? How is the SSL stack
>> built and how did you build libcurl?
>> [cnm]
>> 1. I am not sure if I understand your first question, we use libcurl, if
>> libcurl uses ssl, then we use whatever is on the system, in our case, we
>> use openssl.
>> 2. We use dlopen()/dlsym()/dlclose() to load libcurl library. This is the
>> ONLY way that we can fit libcurl into our software layers. There are at
>> least 3 different layers in our layer that use openssl, we are not the
>> first one to be loaded.
>>
>> On Fri, Mar 15, 2013 at 12:59 PM, cnm marketing <cnn.marketing_at_gmail.com> wrote:
>>
>>> >libcurl is able to use 9 different SSL implementations as its SSL
>>> library for SSL connections. And yes, OpenSSL is one of them.
>>> [cnm] Does libcurl statically link ssl or dynamically load those ssl?
>>>
>>> >I've never seen the error message
>>> >error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too small
>>> [cnm] If you believe this error message is NOT from libcurl itself, then
>>> I believe this error message is from the openssl routines that the libcurl
>>> invokes. The question is why openssl throws this error, and in what
>>> situation (from libcurl code) this error will be thrown from libcurl?
>>> >What SSL implementation is your libcurl using? How is the SSL stack
>>> built and how did you build libcurl?
>>> [cnm]
>>> 1. I am not sure if I understand your first question, we use libcurl, if
>>> libcurl uses ssl, then we use whatever is on the system, in our case, we
>>> use openssl.
>>> 2. We use dlopen()/dlsym()/dlclose() to load libcurl library. This is
>>> the ONLY way that we can fit libcurl into our software layers. I need to
>>> check with other groups and see how many they use ssl in their layers. I'll
>>> get back to you on this.
>>>
>>>
>>> On Fri, Mar 15, 2013 at 10:44 AM, cnm marketing <cnn.marketing_at_gmail.com> wrote:
>>>
>>>> How can that be? Does libcurl also use openssl?
>>>>
>>>> From my code, I only invoke libcurl routines. Again the following
>>>> output is the libcurl output by using CURLOPT_VERBOSE and CURLOPT_STDERR.
>>>> When setting CURLOPT_SSL_VERIFYHOST to 1, we got the debug1.txt
>>>> output, when setting CURLOPT_SSL_VERIFYHOST to 0, we get the debug.txt
>>>> output
>>>>
>>>>
>>>> [root_at_l2se0132 bin]# more /debug1.txt
>>>> * About to connect() to l2se0060.lss.emc.com port 8443 (#0)
>>>> * Trying 10.247.73.60...
>>>> * Connected to l2se0060.lss.emc.com (10.247.73.60) port 8443 (#0)
>>>> * successfully set certificate verify locations:
>>>> * CAfile: /usr/yhuang/cert.pem
>>>>   CApath: none
>>>> * error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too small
>>>> * Closing connection 0
>>>>
>>>> [root_at_l2se0132 bin]# more /debug.txt
>>>> * About to connect() to l2se0060.lss.emc.com port 8443 (#0)
>>>> * Trying 10.247.73.60...
>>>> * Connected to l2se0060.lss.emc.com (10.247.73.60) port 8443 (#0)
>>>> * error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too small
>>>> * Closing connection 0
>>>>
>>>>
>>>>
>>>> On Fri, Mar 15, 2013 at 3:45 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:
>>>>
>>>>> On Thu, 14 Mar 2013, cnm marketing wrote:
>>>>>
>>>>>> * error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too small
>>>>>
>>>>> Please stop top-posting and full-quoting.
>>>>>
>>>>> My 3.2 seconds of googling on this topic led to this:
>>>>>
>>>>> http://comments.gmane.org/gmane.comp.encryption.openssl.user/43777
>>>>>
>>>>> --
>>>>>
>>>>> / daniel.haxx.se
>>>>>
>>>>
>>>>
>>>
>>
>

Received on 2013-03-15
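
The thread above turns on which component raised `error:0506706E`. The following is an added example, not code from the thread or from libcurl or OpenSSL: it parses an error line in the `error:<hex>:<lib>:<func>:<reason>` form seen in the verbose output and unpacks the numeric library, function and reason fields from the hex code. It assumes the OpenSSL 1.x packing of error codes (8-bit library, 12-bit function, 12-bit reason); the struct and function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fields of one OpenSSL error line: error:<hex>:<lib>:<func>:<reason> */
struct ossl_err {
    unsigned long code;
    int lib, func, reason;               /* numeric fields unpacked from code */
    char lib_s[64], func_s[64], reason_s[96];
};

/* Copy the text up to the next ':' (or end of string) into dst,
 * truncating if needed; return a pointer just past that ':'. */
static const char *take_field(const char *p, char *dst, size_t n)
{
    size_t full = strcspn(p, ":");
    size_t len = full < n ? full : n - 1;
    memcpy(dst, p, len);
    dst[len] = '\0';
    p += full;
    return *p == ':' ? p + 1 : p;
}

/* Parse a line such as curl's verbose output; returns 0 on success. */
int parse_ossl_error(const char *line, struct ossl_err *e)
{
    const char *p = strstr(line, "error:");
    char *end;
    if (!p) return -1;
    p += 6;
    e->code = strtoul(p, &end, 16);
    if (end == p || *end != ':') return -1;
    /* Assumption: OpenSSL 1.x layout, lib<<24 | func<<12 | reason */
    e->lib    = (int)((e->code >> 24) & 0xff);
    e->func   = (int)((e->code >> 12) & 0xfff);
    e->reason = (int)(e->code & 0xfff);
    p = take_field(end + 1, e->lib_s, sizeof e->lib_s);
    p = take_field(p, e->func_s, sizeof e->func_s);
    take_field(p, e->reason_s, sizeof e->reason_s);
    return (e->lib_s[0] && e->reason_s[0]) ? 0 : -1;
}

int main(void)
{
    /* Line copied from the debug output quoted in the message above */
    const char *line =
        "* error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too small";
    struct ossl_err e;
    if (parse_ossl_error(line, &e) != 0) return 1;
    printf("lib=%d (%s) func=%d (%s) reason=%d (%s)\n",
           e.lib, e.lib_s, e.func, e.func_s, e.reason, e.reason_s);
    return 0;
}
```

Library number 5 is OpenSSL's Diffie-Hellman module, so the numeric code and the text fields agree that the error was raised inside OpenSSL's DH key generation.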