curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

curl-7.84.0_9-win64-mingw - SChannel problem - The certificate chain was issued by an authority that is not trusted.

From: Krüger, Carsten via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 29 Aug 2022 15:59:10 +0000

Hi,

I've trying to understand a windows specific problem regarding certificates.

I'd like to use the SChannel backend.

I'm enforcing the usage of SChannel via environment variable

PS C:\Users\ckruegeradi\curl-7.84.0_9-win64-mingw\bin> [System.Environment]::SetEnvironmentVariable('CURL_SSL_BACKEND','schannel',[System.EnvironmentVariableTarget]::Process)
PS C:\Users\ckruegeradi\curl-7.84.0_9-win64-mingw\bin> .\curl.exe -iv https://tfs.de.kworld.kpmg.com -debug
* Trying 10.145.235.171:443...
* Connected to tfs.de.kworld.kpmg.com (10.145.235.171) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers h2
* ALPN: offers http/1.1
* schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
* Closing connection 0
curl: (60) schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
----
My problem is now the following.
Windows validates the certificate perfectly fine.
If I use Internet Explorer to browse the site I'll get a perfectly valid chain and same for Powershell
----
PS C:\Users\ckruegeradi\curl-7.84.0_9-win64-mingw\curl-7.84.0_9-win64-mingw\bin> Invoke-WebRequest -UseBasicParsing "https://tfs.de.kworld.kpmg.com" -UseDefaultCredentials
StatusCode        : 200
StatusDescription : OK
----
If I revert back to openssl backend, the corporate CA is missing (expected)
PS C:\Users\ckruegeradi\curl-7.84.0_9-win64-mingw\bin>  [System.Environment]::SetEnvironmentVariable('CURL_SSL_BACKEND','',[System.EnvironmentVariableTarget]::Process)
PS C:\Users\ckruegeradi\curl-7.84.0_9-win64-mingw\bin>  .\curl.exe -iv https://tfs.de.kworld.kpmg.com -debug
*   Trying 10.145.235.171:443...
* Connected to tfs.de.kworld.kpmg.com (10.145.235.171) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
----
I export the root CA certificate
$header="-----BEGIN CERTIFICATE-----`n"
$footer="`n-----END CERTIFICATE-----`n"
$kpmgrootcerts=Get-Childitem -Path Cert:\LocalMachine\root | where {$_.thumbprint -eq "9F3978578CDA894B03A0E94BA60BCD35BA1090B3"}
$output=''
foreach ($cert in $kpmgrootcerts)
{
  $formattedcert=$header
  $formattedcert+=[convert]::tobase64string($cert.RawData) -replace ".{64}" , "$&`n"
  $formattedcert+=$footer
  $formattedcert=$formattedcert -replace "(`r?`n){2}","`n"
  $output+=$formattedcert
}
$output | Out-File -FilePath 'C:\Users\ckruegeradi\curl-7.84.0_9-win64-mingw\bin\curl-ca-bundle.crt' -Append -Encoding ascii -NoNewline
----
Now curl with openssl backend is working
It makes no sense for me that curl with SChannel backend is telling me that the authority is not trusted.
It's the same authority that is working for IE and Invoke-Webrequest and the same that is working for OpenSSL if I export it.
Do you have any ideas how to debug this?
----
PS C:\Users\ckruegeradi\curl-7.84.0_9-win64-mingw\bin>
PS C:\Users\ckruegeradi\curl-7.84.0_9-win64-mingw\bin>  .\curl.exe -iv https://tfs.de.kworld.kpmg.com -debug
*   Trying 10.145.235.171:443...
* Connected to tfs.de.kworld.kpmg.com (10.145.235.171) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: C:\Users\ckruegeradi\curl-7.84.0_9-win64-mingw\bin\curl-ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: C=DE; ST=Germany; L=Berlin; O=KPMG; OU=KPMG ITS; CN=defr2app274.de.kworld.kpmg.com
*  start date: Apr  1 06:10:07 2021 GMT
*  expire date: Apr  1 06:10:07 2023 GMT
*  subjectAltName: host "tfs.de.kworld.kpmg.com" matched cert's "tfs.de.kworld.kpmg.com"
*  issuer: C=GO; ST=England; L=London; O=KPMG Internal Certificate Services; OU=KPMG High Assurance CA; CN=KPMG Internal Issuing CA GO06; emailAddress=go-fmitsglobalcertif_at_kpmg.com
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* h2h3 [:method: POST]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: tfs.de.kworld.kpmg.com]
* h2h3 [user-agent: curl/7.84.0]
* h2h3 [accept: */*]
* h2h3 [content-length: 4]
* h2h3 [content-type: application/x-www-form-urlencoded]
* Using Stream ID: 1 (easy handle 0x1934bd4f320)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> POST / HTTP/2
> Host: tfs.de.kworld.kpmg.com
> user-agent: curl/7.84.0
> accept: */*
> content-length: 4
> content-type: application/x-www-form-urlencoded
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* We are completely uploaded and fine
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 401
HTTP/2 401
--
KPMG IT Service GmbH
Sitz/Registergericht: Berlin/Amtsgericht Charlottenburg, HRB 87521 B
Geschäftsführer: Hans-Christian Schwieger, Helmar Symmank
Aufsichtsratsvorsitzender: WP StB Klaus Becker
 
Allgemeine Informationen zur Datenverarbeitung im Rahmen unserer allgemeinen Geschäftstätigkeit sowie im Mandatsverhältnis gemäß EU Datenschutz-Grundverordnung sind hier <https://assets.kpmg/content/dam/kpmg/de/pdf/Themen/2022/07/datenschutzinformationen-fuer-betroffene-kpmg-it-service-gmbh.pdf> abrufbar.
 
Die Information in dieser E-Mail ist vertraulich und kann dem Berufsgeheimnis unterliegen. Sie ist ausschließlich für den Adressaten bestimmt. Jeglicher Zugriff auf diese E-Mail durch andere Personen als den Adressaten ist untersagt. Sollten Sie nicht der für diese E-Mail bestimmte Adressat sein, ist Ihnen jede Veröffentlichung, Vervielfältigung oder Weitergabe wie auch das Ergreifen oder Unterlassen von Maßnahmen im Vertrauen auf erlangte Information untersagt. In dieser E-Mail enthaltene Meinungen oder Empfehlungen unterliegen den Bedingungen des jeweiligen Mandatsverhältnisses mit dem Adressaten.
The information in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Any opinions or advice contained in this e-mail are subject to the terms and conditions expressed in the governing KPMG client engagement letter.
-- 
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
Received on 2022-08-29