
curl-users

Re: Probs with client certificates

From: Georg Horn <horn_at_koblenz-net.de>
Date: Fri, 17 Oct 2003 15:12:02 +0200

Hi,

On Thu, Oct 16, 2003 at 04:48:13PM +0200, Daniel Stenberg wrote:
> On Thu, 16 Oct 2003, Georg Horn wrote:
>
> > curl: (56) SSL read error: 1
> > * Closing connection #0
> >
> > I think here we have a problem/bug?
>
> It certainly appears to be a bug, I agree. I'm afraid I don't have any useful
> work-around or shortcuts but to fire up the debugger and run the command line
> using it and single-step through lib/sendf.c:Curl_read() to figure how
> exactly how and why this fails.

I looked at the code and modified it a little bit, so that it prints out
the error message generated by openssl:

--cut---
--- sendf.c.orig 2003-08-11 11:56:06.000000000 +0200
+++ sendf.c 2003-10-16 19:01:37.000000000 +0200
@@ -386,7 +386,7 @@
       case SSL_ERROR_WANT_WRITE:
         /* there's data pending, re-invoke SSL_read() */
         return -1; /* basicly EWOULDBLOCK */
- case SSL_ERROR_SYSCALL:
+ default:
         /* openssl/ssl.h says "look at error stack/return value/errno" */
       {
         char error_buffer[120]; /* OpenSSL documents that this must be at least
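Review bot: turning `case SSL_ERROR_SYSCALL:` into `default:` sends every code without its own case (SSL_ERROR_SSL among them) through the message that appends `Curl_ourerrno()`, but errno is only meaningful for SSL_ERROR_SYSCALL; that is why the TLS alert in the output further down ends in "errno 0". Suggest keeping SSL_ERROR_SYSCALL as its own case that reports errno, and letting `default:` report only the OpenSSL error-stack text in `error_buffer`.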
@@ -397,9 +397,6 @@
               Curl_ourerrno() );
       }
       return CURLE_RECV_ERROR;
- default:
- failf(conn->data, "SSL read error: %d", err);
- return CURLE_RECV_ERROR;
       }
     }
   }
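Review bot: deleting the old `default:` branch drops the numeric SSL_get_error() value (`err`) from the message, so when the OpenSSL error stack is empty the user no longer sees which code was returned. Keep `err` in the merged message, e.g. `failf(conn->data, "SSL read: %s (err %d)", error_buffer, err);`, so the two pieces of information are both preserved.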
--cut---

That simply means that the error message is printed in every case,
and not just in the case of SSL_ERROR_SYSCALL.

Then I get the following result:

    $ src/curl --cert /tmp/mgb2003.pem -k
            https://www2.postbank-banking.de/xmlapi/OB
    Enter PEM pass phrase:
    curl: (56) SSL read: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
    alert unknown ca, errno 0

I think I have the special case here, where the server renegotiates the
connection after the request is sent, because it requires a client certificate
only if certain URLs are requested. So this was no bug in curl, curl was just
not revealing what really went wrong, but a problem with my CA certificates. It
turned out that the root certificates were missing. After adding my
CA certificates to curl's ca-bundle.crt and using that file with --cacert
it all works, but maybe the following things could be useful for a future
curl release?

- apply the above patch?
- make curl able to continue with a warning even if certificate verification
  fails, like "openssl s_client" does? (My tries with s_client didn't really
  work, it always said "Verify return code: 19 (self signed certificate in
  certificate chain)" and continued anyway, but now it says "Verify return
  code: 0 (ok)")

Bye,
Georg
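The situation the mail describes (a certificate that fails verification until its issuing root CA is appended to the bundle passed via --cacert), reproduced offline as an added shell example that is not part of the original mail or of curl. The CA name, server name and file names are constructed for the demo, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the post: build a private root CA and a server
# certificate it issued, then verify the server cert against a CA bundle
# before and after the root CA is appended to it.
set -e

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed root CA ("test-ca") and a server cert ("test-server") signed by it.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=test-server" \
    -keyout "$workdir/srv.key" -out "$workdir/srv.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$workdir/srv.csr" \
    -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" -CAcreateserial \
    -out "$workdir/srv.crt" 2>/dev/null
}

# Verify the server cert against only the given bundle (no system CA dir);
# prints "ok" when the chain builds, "fail" otherwise (the "unknown ca" case).
verify_against() {
  if openssl verify -no-CApath -CAfile "$1" "$workdir/srv.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_certs
: > "$workdir/ca-bundle.crt"                        # bundle without our root CA
result_before=$(verify_against "$workdir/ca-bundle.crt")
cat "$workdir/ca.crt" >> "$workdir/ca-bundle.crt"   # the fix: append the root CA
result_after=$(verify_against "$workdir/ca-bundle.crt")
echo "before adding root CA: $result_before, after: $result_after"
```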

Received on 2003-10-19