
curl-library

libcurl + GnuTLS bugs during mutual authentication

From: Sergey Gerasimenko <geragray_at_gmail.com>
Date: Fri, 10 Oct 2008 17:31:34 +0300

Hello,

I am trying to use curl to operate with one https web-site that uses
mutual authentication. When I type the following command in the
terminal:

curl --cert host.crt --key host.key --cacert root.crt
"https://ddns1.XXX/ddns/do.php?something"

Everything works and I am getting 200 OK back.

Now we need this command to be executed by our application. I found a
matching example at curl
http://curl.haxx.se/lxr/source/docs/examples/simplessl.c

I saved the file and changed only the location of the certificates
and key there, and also changed the URL (line 68) to the same one we
use with the command line tool - https://ddns1.XXX/ddns/do.php?something.
I also added the following lines after line 111:
curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,1L);
curl_easy_setopt(curl,CURLOPT_SSL_VERIFYHOST,1L);

Thus, now it should perform the mutual authentication. Besides that, I
added a printout of the return value of curl_easy_perform as follows:

res = curl_easy_perform(curl);
printf("%d\n", res);

And built it with "gcc simplessl.c -o simplessl -lcurl"

Surprisingly, instead of the 200 OK (which would be the obvious thing
to receive) I am getting back "gnutls_handshake() failed: Decrypti 0"

The first bug: the error code 0 indicates "All fine", i.e. that no
error occurred. But the "reply" from the server says something
completely different.

I did a small investigation and figured out that the command line curl
uses OpenSSL by default, but libcurl for some reason uses GnuTLS. Then
I changed libcurl.so to use libcurl.so.4.0.1 instead of
libcurl-gnutls.so, and the simplessl code magically started to work
(returning 200 OK). This is the second bug - most likely libcurl uses
GnuTLS (in the case of mutual authentication) in a wrong way.

My version of curl is:
curl 7.18.0 (i486-pc-linux-gnu) libcurl/7.18.0 OpenSSL/0.9.8g
zlib/1.2.3.3 libidn/1.1
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
Received on 2008-10-10