
curl TLS mutual authentication with pkcs11 error

From: Batuhan Ceylan via curl-users <curl-users_at_cool.haxx.se>
Date: Thu, 17 Oct 2019 14:00:15 +0300

Hi,

I'm trying to do TLS mutual authentication where the client key resides in an HSM.
I have created a private PKI with a root certificate, an intermediate certificate,
a server certificate and a client certificate. I have tested with openssl's
s_server and s_client CLI tools and it works.

s_server:
openssl s_server -key /path/to/serverkey.pem -cert /path/to/servercert.pem
-accept 8443 -www -Verify 5 -CAfile /path/to/CAcert.pem

s_client:
openssl s_client -engine pkcs11 -verify 5 -CAfile /path/to/CAcert.pem
-keyform engine -key "pkcs11:model=...;type=private" -cert
/path/to/clientcert.pem -connect localhost:8443

Both return `verify return:1` with certificate details of respective peer.

Now I'm trying to achieve the same in curl. I use the command below while
openssl s_server is still running.

curl -vvv --engine pkcs11 --cacert /path/to/CAcert.pem --key-type ENG --key
"pkcs11:model=...;type=private" --cert-type PEM --cert
/path/to/clientcert.pem https://localhost:8443

However, this isn't working. Output:

curl:
Trying 127.0.0.1:8443...
TCP_NODELAY set
Connected to localhost (127.0.0.1) port 8443 (#0)
ALPN, offering http/1.1
Enter PKCS#11 token PIN for <token_name>: **I enter my PIN**
successfully set certificate verify locations:
    CAfile: /path/to/Cacert.pem
    CApath: None
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (3):
TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
TLSv1.3 (IN), TLS handshake, Request CERT (13):
TLSv1.3 (IN), TLS handshake, Certificate (11):
Segmentation fault (core dumped)

openssl s_server:
ERROR
shutting down SSL
CONNECTION CLOSED

I guess that when s_server asks its peer for a client certificate, curl can't
access the PKCS#11 interface. Curl uses the same openssl installation as
s_server/s_client. Does anyone have any suggestions?

batuhan

Received on 2019-10-17