
curl-library

Sending SSL Client Certificate via schannel

From: David Morris <david.morris_at_envitia.com>
Date: Tue, 7 Jun 2016 10:16:33 +0000

Hi,

I'm attempting to use libcurl (details at bottom) to send an SSL certificate which will be used for authentication on the server. libcurl has been compiled to use schannel. All of the examples I've found online show how to do it using NSS (and it works when using curl for Cygwin).

When doing it via my program I always get the following error message (in my Java web service) regardless of any of the options I use via curl_easy_setopt.

*** ServerHelloDone
http-nio-8443-exec-8, WRITE: TLSv1.2 Handshake, length = 2026
http-nio-8443-exec-9, READ: TLSv1.2 Handshake, length = 141
*** Certificate chain
<Empty>
***
http-nio-8443-exec-9, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated: [Session-7, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256]
http-nio-8443-exec-9, SEND TLSv1.2 ALERT: fatal, description = bad_certificate
http-nio-8443-exec-9, WRITE: TLSv1.2 Alert, length = 2
http-nio-8443-exec-9, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
http-nio-8443-exec-9, called closeOutbound()
http-nio-8443-exec-9, closeOutboundInternal()

I've seen similar error messages when developing with C# against the same Java web service; they were caused by the C# code not sending the certificate, or by sending a certificate signed by a root authority (the Domain Controller, I think). However, I'm using self-signed certificates here.

C++ Code snippet:

  #include <curl/curl.h>

  CURL *curl = curl_easy_init();
  CURLcode trc;
  trc = curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);

 // trc = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
  trc = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); // option takes a long, not FALSE
  trc = curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, "password for key");  // old alias of CURLOPT_KEYPASSWD
  trc = curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "password for key");
  trc = curl_easy_setopt(curl, CURLOPT_SSLCERTPASSWD, "password for key"); // old alias of CURLOPT_KEYPASSWD
  // curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_DEFAULT );
  trc = curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "P12");
  trc = curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, "P12");
  trc = curl_easy_setopt(curl, CURLOPT_SSLCERT, "CERTNAME");
  trc = curl_easy_setopt(curl, CURLOPT_SSLKEY, "CERTNAME"); // private key
  trc = curl_easy_setopt(curl, CURLOPT_USE_SSL, (long)CURLUSESSL_ALL);

  CURLcode rc = curl_easy_perform(curl);
  curl_easy_cleanup(curl);

Libcurl build details
Version: 7.43.0
Platform: Windows 7, 64bit
Compiler flags: WIN32;_DEBUG;_WINDOWS;_USRDLL;BUILDING_LIBCURL;HAVE_ZLIB_H;HAVE_ZLIB;HAVE_LIBZ;USE_IDN;USE_IPV6;USE_WINDOWS_SSPI;USE_SCHANNEL;

Question 1
Does schannel support using SSL certificates for authentication? The following code snippet from static CURLcode schannel_connect_step2(struct connectdata *conn, int sockindex) indicates that it doesn't.

    /* If the server has requested a client certificate, attempt to continue
       the handshake without one. This will allow connections to servers which
       request a client certificate but do not require it. */
    if(sspi_status == SEC_I_INCOMPLETE_CREDENTIALS &&
       !(connssl->req_flags & ISC_REQ_USE_SUPPLIED_CREDS)) {
      connssl->req_flags |= ISC_REQ_USE_SUPPLIED_CREDS;
      connssl->connecting_state = ssl_connect_2_writing;
      infof(data, "schannel: a client certificate has been requested\n");
      return CURLE_OK;
    }

Question 2
Assuming schannel supports the functionality I'm after, I'm unsure what values I should be putting for SSLCERT, or whether SSLCERT should be the name of the certificate in the Windows keystore or the path to a certificate. The NSS examples seem to indicate a path, but neither seems to work for me. Is there an example anywhere?

David Morris Msc Bsc
Senior Software Engineer
ENVITIA

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html

Received on 2016-06-07