
--cacert behaves differently on Windows and Unix. Does this matter?

From: Rod Widdowson via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 9 May 2025 13:13:05 +0100

Let me start by stating up front that I do not profess to have any expertise in this area. This is just something I noticed while I
was spelunking some code and understanding the whys would help me a lot. So if what I am saying is flawed please point it out.

Consider my test website https://shibboleth.net/downloads/ . It is protected by a cert which is signed by a LetsEncrypt cert which
is signed by someone else. All fine.

If I capture these three certificates into their own pem files (endentity.pem, intermediate.pem, root.pem) and try the following
three commands on Unix it all works as I expect

        curl --cacert endentity.pem https://shibboleth.net/downloads/

        curl --cacert intermediate.pem https://shibboleth.net/downloads/

        curl --cacert root.pem https://shibboleth.net/downloads/

in all three cases curl/OpenSSL checks that the provided cert is in the chain somewhere and all is good according to the PKIX spec and
hey presto the web page is printed to stdout.

On Windows it is different. The last line (where I specify the root cert) works, but the other two fail

> curl --cacert endentity.pem https://shibboleth.net/downloads/
> curl: (60) schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT
> More details here: https://curl.se/docs/sslcerts.html

I can see in the code absolutely why this fails - it's to do with some very funky restrictions with how you are allowed to configure
your HCERTCHAINENGINE (schannel-verify line 667 or thereabouts). But this seems to work against the PKIX rules (according to my
limited understanding of them).

What I don't understand is why this isn't a bigger deal and how I should go about setting things up so that I can restrict my curl
connections to a specific certificate or only those signed by specific CA, not pretty much everyone in the whole world.

Additionally I'll observe that the curl code only ever inspects the first cert chain presented. I don't know if this matters, but
it would seem to argue that cross signing certificates might be problematic.

Thanks

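The difference the post observes (the root, the intermediate or the end-entity certificate itself accepted as the --cacert anchor on Unix, only the root accepted by schannel) can be reproduced offline with openssl verify: OpenSSL's default verification requires the path to end at a self-signed certificate in the trust store, while its -partial_chain mode accepts any trusted certificate on the path, the leaf included. The script below is an added example, not code from the post, from curl or from OpenSSL. It generates a throw-away three-certificate chain (the names Example Root, Example Intermediate and example.test are constructed) and checks the leaf against each certificate as the sole trust anchor in both modes. Which mode a given curl build uses is not established on this page; the script only shows the two validation behaviours the post contrasts.

```shell
#!/bin/sh
# Added example, not from the post, curl or OpenSSL: generate a throw-away
# root -> intermediate -> leaf chain and verify the leaf against each
# certificate as the sole trust anchor, in OpenSSL's default (strict) mode and
# with -partial_chain. Every name below (Example Root, example.test, ...) is
# constructed for the demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: one for the two CA certificates, one for the leaf.
cat >"$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
cat >"$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF

# gen_key FILE: P-256 private key (fast to generate, fine for a demo).
gen_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null
}

# csr NAME CN: private key plus certificate request for NAME.
csr() {
    gen_key "$WORK/$1.key"
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# Root: self-signed CA.
csr root "Example Root"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# Intermediate: CA certificate issued by the root.
csr intermediate "Example Intermediate"
openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/intermediate.pem" 2>/dev/null

# Leaf: server certificate issued by the intermediate.
csr leaf "example.test"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intermediate.pem" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -days 2 \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# verify_anchor MODE ANCHOR: exit 0 if leaf.pem validates with ANCHOR as the
# only trusted certificate. The intermediate is supplied as -untrusted, the
# role the server-sent chain plays in a TLS handshake. -no-CAfile and
# -no-CApath keep the system trust store out of the picture. MODE "strict"
# is OpenSSL's default (the path must end at a self-signed certificate in the
# store); MODE "partial" adds -partial_chain (any trusted certificate on the
# path, the leaf itself included, is enough).
verify_anchor() {
    flag=""
    if [ "$1" = partial ]; then
        flag="-partial_chain"
    fi
    openssl verify $flag -no-CAfile -no-CApath -CAfile "$2" \
        -untrusted "$WORK/intermediate.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Report every combination. Expected: strict accepts only root.pem;
# partial accepts root.pem, intermediate.pem and leaf.pem.
for mode in strict partial; do
    for anchor in root intermediate leaf; do
        if verify_anchor "$mode" "$WORK/$anchor.pem"; then
            result=accepted
        else
            result=rejected
        fi
        printf '%-8s --cacert %-16s %s\n' "$mode" "$anchor.pem" "$result"
    done
done
```

Running the same openssl verify invocations against the certificates captured from a real server, before relying on --cacert, shows which anchor file a given validation mode will honour; the -no-CAfile and -no-CApath options matter because openssl verify otherwise silently adds the system store to whatever -CAfile names. Note that accepting the leaf as an anchor in partial-chain mode is still full path validation (expiry and extensions are checked), so it is not the same as pinning a public key with curl's --pinnedpubkey, which is applied in addition to chain validation.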
Received on 2025-05-09