curl-library

libcurl with darwinssl and client certificates

From: Fahim Chandurwala <fchandur.list_at_gmail.com>
Date: Tue, 15 Mar 2016 07:48:39 -0500

I was provided with a certificate and a password to it, to access a web
service. I installed this certificate, cert.p12, on OSX, and checked that
it was present in 'System' certificates.

The certificate is 'marked as trusted for all users' (looking at Keychain
Access App)

On OSX, libcurl is configured with flags:

--with-darwinssl --without-ssl

This was done so that libcurl will use the certificates found in Keychain
Access App. Here's the error I get:

$ ./curl -v https://foo.com/servicename
* Trying 127.0.0.1...
* Connected to foo.com (127.0.0.1) port 443 (#0)
* SSL peer handshake failed, the server most likely requires a client certificate to connect
* Closing connection 0
curl: (35) SSL peer handshake failed, the server most likely requires a client certificate to connect

I _can_ get it to work if I do:

./curl -E cert.p12:pass http://foo.com/service

Although I was hoping I wouldn't have to pass the -E curl option, as it
effectively does:

curl_easy_setopt(hnd, CURLOPT_KEYPASSWD, "pass");
curl_easy_setopt(hnd, CURLOPT_SSLCERT, "cert.p12");

On Windows, with libcurl built with Schannel, installing the
certificate, crt.p12, is enough, and setting CURLOPT_SSLCERT and
CURLOPT_KEYPASSWD is _not_ necessary.

Why is the behavior on OSX different? Is this expected, or did I perhaps
install the certificates incorrectly on Mac?

--
PS:
$ ./curl --version
curl 7.47.1 (x86_64-apple-darwin15.3.0) libcurl/7.47.1 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz UnixSockets

Received on 2016-03-15