Re: cURL error 56 with SSL error -12195

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Tue, 14 Apr 2015 23:12:10 +0200

On Tue, Apr 14, 2015 at 08:36:11PM +0000, Alexandre Arantes wrote:
> I have an internal server (internal to my network) to which I make a REST API
> call from an external server.
> I don't know if it helps but the external server is running php 5.3.6 with cURL
> 7.19.7.
> To make it safer (other than a Firewall box that limits the external IP
> addresses that can call my internal server to only the static IP address of my
> external server), I generated a self-signed SSL Server Certificate for my
> internal server.
> I also generated a Client Certificate to be used by my external server when
> making the calls.
> The calls are being made using the cURL library of PHP. The page that makes the
> calls looks like this:
[snip]
> = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
> = = = = = = = = = = = = = = = = = = = = = = = =
>
> <?php
>
> $mycurl = curl_init();
> $verbose = fopen('curl_error_log','a');
> $url_site = 'https://internal.server.com/api_test.php';
>
> $options = array(
> CURLOPT_HEADER => false
> ,CURLOPT_RETURNTRANSFER => true
> ,CURLOPT_VERBOSE => true
> ,CURLOPT_STDERR => $verbose
> ,CURLOPT_HTTPHEADER => array('Accept: application/json')
> ,CURLOPT_CAINFO => realpath('/certs/server/certs.pem')
> ,CURLOPT_CAPATH => realpath('/certs/server')
> ,CURLOPT_SSL_VERIFYPEER => true
> ,CURLOPT_SSL_VERIFYHOST => 2
> ,CURLOPT_SSLCERT => realpath('/certs/client.crt.pem')
> ,CURLOPT_SSLKEY => realpath('/certs/client.key.pem')
> ,CURLOPT_SSLCERTTYPE => 'PEM'
> ,CURLOPT_URL => $url_site
> );
[snip]
> = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
> = = = = = = = = = = = = = = = = = = = = = = = =
> And the verbose file (curl_error_log) has this:
> = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
> = = = = = = = = = = = = = = = = = = = = = = = =
>
> * About to connect() to internal.server.com port 443 (#0)
> * Trying 111.222.333.444... * connected
> * Connected to internal.server.com (111.222.333.444) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * CAfile: /certs/server/certs.pem
> CApath: /certs/server
> * SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> * Server certificate:
> * subject: CN=internal.server.com,OU=BI,O=ABC Corp,L=City,ST=State,C=CO
> * start date: Apr 13 15:15:38 2015 GMT
> * expire date: Apr 12 15:15:38 2016 GMT
> * common name: internal.server.com
> * issuer: CN=internal.server.com,OU=BI,O=ABC Corp,L=City,ST=State,C=CO
> > GET /api_test.php HTTP/1.1
> Host: internal.server.com
> Accept: application/json
>
> * NSS: client certificate from file
> * subject: CN=internal.server.com,OU=BI,O=ABC Corp,L=City,ST=State,C=CO
> * start date: Apr 13 15:26:48 2015 GMT
> * expire date: Apr 12 15:26:48 2016 GMT
> * common name: internal.server.com
> * issuer: CN=internal.server.com,OU=BI,O=ABC Corp,L=City,ST=State,C=CO
> * SSL read: errno -12195
> * Closing connection #0

You're using a libcurl compiled to use the NSS SSL library. That handles
client certificates differently from other libraries. The CURLOPT_SSLCERT(3)
man page describes the difference:

    With NSS or Secure Transport, this can also be the nickname
    of the certificate you wish to authenticate with as it is named in
    the security database. If you want to use a file from the current
    directory, please precede it with "./" prefix, in order to avoid
    confusion with a nickname.

>>> Dan
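As an added illustration of the distinction Dan quotes (example code written for this page, not taken from the thread or from the curl project): it checks which SSL backend PHP's libcurl reports and, on NSS, gives a bare file name the "./" prefix so libcurl reads it as a file rather than a certificate-database nickname. The host, certificate paths and file name below are assumptions.

```php
<?php
// Added example, not from the original thread. Under NSS, CURLOPT_SSLCERT may
// name a certificate in the NSS database instead of a file, so a bare file
// name in the current directory is ambiguous; the man page says to write it
// as "./name". Paths and host name here are assumptions for illustration.

function sslBackend()
{
    // e.g. "NSS/3.14.3.0" or "OpenSSL/1.0.1e", as reported by libcurl
    $v = curl_version();
    return $v['ssl_version'];
}

function clientCertOption($certRef)
{
    if (strncmp(sslBackend(), 'NSS', 3) !== 0) {
        return $certRef;        // non-NSS backends always read a file here
    }
    // A name with no directory part that matches an existing file is the
    // ambiguous case: prefix "./" so NSS does not look up a nickname.
    if (strpos($certRef, '/') === false && is_file($certRef)) {
        return './' . $certRef;
    }
    return $certRef;            // already a path, or meant as an NSS nickname
}

$certRef = clientCertOption('client.crt.pem');   // assumed file in the cwd

$ch = curl_init('https://internal.server.com/api_test.php');
curl_setopt_array($ch, array(
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,              // keep peer verification on
    CURLOPT_SSL_VERIFYHOST => 2,                 // and host-name matching
    CURLOPT_CAINFO         => '/certs/server/certs.pem',
    CURLOPT_SSLCERT        => $certRef,
    CURLOPT_SSLCERTTYPE    => 'PEM',
    CURLOPT_SSLKEY         => '/certs/client.key.pem',
));
$body = curl_exec($ch);
if ($body === false) {
    // Record libcurl's numeric error (56 in the thread) with its message so the
    // backend-specific detail is not lost in the application log.
    fwrite(STDERR, sprintf("curl error %d: %s\n", curl_errno($ch), curl_error($ch)));
}
curl_close($ch);
```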
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-04-14