curl-library

Client Certificate chains on OSX Secure Transport versions of curl and libcurl

From: John Broadhead <jbroadhead_at_sorensonmedia.com>
Date: Thu, 18 Feb 2016 11:39:01 -0700

Is there a way to make libcurl send intermediate certificates for client auth? I'm using curl 7.43.0 on OSX El Capitan.

On Linux, I can run:
curl -v --cert-type PEM --cert ./full_chain.pem --key-type PEM --key ./john.broadhead.key.pem "https://john.sorensonmedia.com:8443"

In this case, "full_chain.pem" has both the client and intermediate certificates, and it will send both in the TLS request. The server will authenticate the client certificate.

But on Mac, I do:
curl -v --cert-type P12 --cert ./john.broadhead.p12:pass "https://john.sorensonmedia.com:8443"

Even though "john.broadhead.p12" contains certificates for both the client and the intermediate CA, the TLS request only sends the client certificate. Because the server doesn't have the intermediate CA certificate, verification fails.

I have this same problem when trying to use the libcurl API as well.

Is this a bug, an oversight, or something too difficult to implement? Or is there some trick that I'm missing?

-John
Received on 2016-02-18
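
A diagnostic for the situation described in the mail above, as an added example that is not part of the original post: it counts the certificates inside a PKCS#12 bundle, rewrites them as a leaf-first PEM chain laid out like "full_chain.pem", and checks that the second certificate issued the first. The function names, the demo CA and the password "pass" used by make_demo_p12 are constructed for illustration, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: inspect a PKCS#12 client bundle and rebuild its PEM chain.
# All names below are hypothetical helpers, not part of curl or libcurl.

# Print how many certificates (leaf plus CA certs) the bundle contains.
p12_cert_count() {  # $1 = p12 path, $2 = import password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE' || true
}

# Write a leaf-first PEM chain: client certificate, then the CA certificates.
p12_to_chain_pem() {  # $1 = p12 path, $2 = password, $3 = output PEM
  { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts
  } 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$3"
}

# Succeed only if the first certificate's issuer equals the second
# certificate's subject, i.e. the file carries the issuing CA.
chain_links() {  # $1 = leaf-first PEM chain
  leaf_issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null |
    sed 's/^issuer= *//')
  ca_subject=$(sed '1,/END CERTIFICATE/d' "$1" |
    openssl x509 -noout -subject 2>/dev/null | sed 's/^subject= *//')
  [ -n "$ca_subject" ] && [ "$leaf_issuer" = "$ca_subject" ]
}

# Constructed demo bundle: a throwaway CA standing in for the intermediate,
# one client certificate issued by it, both packed into client.p12.
make_demo_p12() {  # $1 = work directory; bundle password is "pass"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.client" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/client.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.pem" \
    -certfile "$1/ca.pem" -passout pass:pass -out "$1/client.p12"
}
```

A count of 2 together with a successful chain_links confirms that the bundle itself is complete, which separates a packaging problem from the TLS backend not sending the chain.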