
curl-library

Re: need help

From: Seshubabu Pasam <pasam_at_seshubabu.com>
Date: Wed, 02 Mar 2005 00:21:46 -0800
First of all, you are using the wrong curl option for root_ca_cert.pem. Assuming this contains the trusted certificate chain, you should use CURLOPT_CAINFO. This option will be used only if the VERIFYPEER option is set to 1 (TRUE).

If your webserver requires that a certificate MUST be presented by the client, you need to also set the following options in your code:

CURLOPT_SSLCERT
CURLOPT_SSLKEY
CURLOPT_SSLKEYPASSWD
.....

If your webserver ACCEPTS a client certificate but does not require it, you don't need the above options, but you still need CURLOPT_CAINFO.

Regards
-Seshubabu Pasam

Aniruddha Diwakar wrote:
Hello,

I am using libCURL for client cert authentication; has anybody worked on this before?

I am in a bit of confusion regarding this client cert authentication.

Apache (1.3) webserver's httpd.conf file contains one directive, SSLVerifyClient; if we set it to require then the browser will ask us for a client certificate, and after supplying the client cert it will show the Apache welcome page.

Suppose I try this functionality through the code below, setting this directive to either optional or none; then it is working fine.

curl_easy_setopt(curl, CURLOPT_URL, "https://ps0733:7878/");

/* the assignment must be parenthesised: without the parentheses rc receives
   the result of the != comparison instead of the CURLcode */
if ((rc = curl_easy_setopt(curl, CURLOPT_CAPATH,
        "/home/qa/software/ws/apache/apache-1.3.33_ssl_7878/conf/root_ca_cert.pem")) != CURLE_OK)
{
    fprintf(headerfile, "can't set ca path\n");
}

/* these options take a long, so the literals must be long as well */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);

res = curl_easy_perform(curl);

However, if we set this directive to require then it shows what the attached log contains. Also the webserver log shows the following:

OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

That means the server is waiting for a client certificate. Can you please let me know your view on how to address this issue.

Also please let me know what exactly CURLOPT_SSL_VERIFYPEER does.

Regards

Aniruddha

Aniruddha Diwakar
Persistent Systems Pvt Ltd.
Tel : 25678900 X : 2490

 

== Info: SSLv3, TLS change cipher, Client hello (1):
<= Send SSL data, 1 bytes
.
== Info: SSLv3, TLS handshake, Finished (20):
<= Send SSL data, 16 bytes
.....(.....l`C..
== Info: SSLv3, TLS alert, Server hello (2):
<= Recv SSL data, 2 bytes
.(
== Info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
== Info: Closing connection #0
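
The option set from the reply above, expressed as the curl command-line equivalents so it can be tried without recompiling (an added example, not code from the thread or from the curl project): --cacert is CURLOPT_CAINFO, --capath is CURLOPT_CAPATH, --cert and --key are CURLOPT_SSLCERT and CURLOPT_SSLKEY, and peer verification stays at curl's defaults (VERIFYPEER 1, VERIFYHOST 2). The hostname, file paths and the exit-status interpretations are assumptions for illustration; the script refuses to hand a PEM file to --capath (the mistake in the quoted code) and maps curl's exit status to the handshake problem it usually indicates.

```shell
#!/bin/sh
# Added example, not code from the thread: the curl CLI equivalents of the
# libcurl options in the reply. Hostname and file paths are placeholders.
#   --cacert = CURLOPT_CAINFO  (one PEM file holding the trusted CA chain)
#   --capath = CURLOPT_CAPATH  (a c_rehash-style directory, never a file)
#   --cert   = CURLOPT_SSLCERT, --key = CURLOPT_SSLKEY
# VERIFYPEER=1 and VERIFYHOST=2 are curl's defaults, so -k/--insecure is
# deliberately never added. Paths must not contain spaces.

# Print the trust-store flag that matches the path, or fail if it is missing.
ca_flag_for() {
    if [ -d "$1" ]; then printf '%s' --capath
    elif [ -f "$1" ]; then printf '%s' --cacert
    else return 1
    fi
}

# Assemble the argument list: $1=URL $2=CA file or dir $3=client cert $4=key.
# $3/$4 are optional: required for SSLVerifyClient require, harmless otherwise.
build_curl_args() {
    flag=$(ca_flag_for "$2") || { echo "CA path not found: $2" >&2; return 1; }
    args="$flag $2"
    if [ -n "$3" ]; then
        # An encrypted key makes curl prompt for the passphrase; --pass
        # (CURLOPT_SSLKEYPASSWD) also works but exposes it in the process list.
        args="$args --cert $3 --key ${4:-$3}"
    fi
    printf '%s' "--fail $args $1"
}

# Map curl's exit status to what it usually means during this handshake.
explain_curl_exit() {
    case "$1" in
        0)  echo "ok: server verified and request succeeded" ;;
        35) echo "handshake failure: server probably demanded a client cert" ;;
        58) echo "problem with the local --cert/--key files" ;;
        60) echo "server cert not trusted: check the --cacert file" ;;
        *)  echo "curl exit status $1" ;;
    esac
}

# Run the check. Usage: tls_check https://ps0733:7878/ root_ca_cert.pem [cert [key]]
tls_check() {
    args=$(build_curl_args "$@") || return 1
    rc=0
    curl -v $args >/dev/null || rc=$?   # unquoted on purpose: $args is a flag list
    explain_curl_exit "$rc"
}
```

With -v the handshake messages are printed, so a "Request CERT (13)" from the server followed by an empty client CERT (11) is visible directly, matching the log quoted above.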
  

Received on 2005-03-02