cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: curl_easy_perform() fails with "Problem with the SSL CA cert (path? access rights?)" after first time calling this routine

From: Oscar Koeroo <okoeroo_at_nikhef.nl>
Date: Sat, 16 Mar 2013 13:50:38 +0100

On 16-03-13 12:33, cnm marketing wrote:
> Thanks for the suggestion Oscar!
>
> We are still doing research on the link
> http://comments.gmane.org/gmane.comp.encryption.openssl.user/43777
> providered by Daniel, because it invokes other groups' work, it will
> take a while.

Head down to the error message on that list. It mentions something that
relates directly to Yang's comment about the keysize constraints. FIPS
compliance of the far-side or your client (probably the far-side) is
causing this error to be seen at your end.

> In the meantime, we'd like to know in libcurl:
> 1. How do you invoke openssl in the case of CURLOPT_SSL_VERIFYPEER 0 and
> 1. Do you suppose to skip CA verification if CURLOPT_SSL_VERIFYPEER is
> 0, if it does, the how come you still have
> "/error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too
> small/". Or this error has nothing to do with CURLOPT_SSL_VERIFYPEER ?!

As I mentioned before I believe it's safe to rule out as you clearly
stated you didn't see a difference in the output, but this is just
simple logic.

The motivation is that the VERIFYPEER related routines become active
after the first TLS Server Hello message and if I'm not mistaken after
the SSL/TLS key exchange has been completed. Thus making it obvious that
th VERIFYPEER has no effect on a Diffie-Hellman key routine.

> I am a bit confused by Yang's comment on checking the openssl key.

What part of his comment did you not understand? It looked like a
spot-on way of analytically being able to examine your problem. My
previous hints were in the same direction actually.

I suspect the far-side of having a FIPS compliant SSL library in use. Is
this a Red Hat (derived) system perhaps? Or a special build of some SSL
library?

Can you tell us what and how you are working with the DH-key's or
certificates?

Mind you: This is pure an SSL problem that we're debugging here, not a
libcurl issue.

> 2. libcurl does not have any option to reset the key size, correct?

The answer is simply: no.

It depends on how you are exactly using the SSL layer though, but the
key size is a property of the key you have in a file or generated key.
Libcurl and even the SSL layer will not change it.

Debugging tip: See Yang's email to evaluate your client side key size to
make sure it is compliant with your far-side's constraints. Of which
these constraints are likely to be due to the FIPS-compliant constraints
of the SSL stack there.

> 3. Since we have other layers that invokes openssl or/and bsafe, in our
> software we are not the one first get loaded into the memory, so the
> openssl from libcurl will use the openssl loaded by other layer. The
> reason that we think this may have something to do with the mixed
> openssl is - we create a small program that use the exact libcurl
> routine, this program works perfectly fine. It fails with the error
> "/error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too
> small/" when we integrate this piece of code to our software layer. Any
> thought on this.

You've successfully stated here to have a nicely working libcurl +
openssl small (test) program. Therefore I conclude there is nothing
wrong with that OpenSSL and libcurl at all. Unless I'm missing something
(this is purely based on your message) your program might be using a
different OpenSSL library internally then when you tested with libcurl
separately.

To debug this try to display and show which (SSL) libraries are loaded
at runtime. On Linux try 'ldd' on OSX try 'otool' and on Windows I have
no idea how to display the dll effectively library loading, but I'm sure
there is a nice way of doing this.

Mind you, the library loading thing is not a libcurl issue at all. :-)

Here is another analytical option for you to try: use the commandline
tool "openssl s_client" to establish an SSL connection without sending
any data to your service. There is a lot of data available to start
debugging, like with the flags -debug and -msg.

Example: openssl s_client -connect www.nikhef.nl:443 -msg -debug

I suspect that Yang's proposed checks are more effective as I think you
will see the problem pop-up here too.

        Oscar

ps: no need to quote yourself if you're not referring to a previous
message directly. I can read all your previous messages from the archive
and my email client. :-)

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2013-03-16