cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: curl_easy_perform() fails with "Problem with the SSL CA cert (path? access rights?)" after first time calling this routine

From: cnm marketing <cnn.marketing_at_gmail.com>
Date: Sat, 16 Mar 2013 17:16:45 -0400

We'll try your way and Yang's way to debug and see what the data looks like
in the openssl layer.

I am a bit confused by Yang's comment "The problem is in the certificate
you are using which does not have a long enough Diffie-Hellman key.", as I
said the same error message shows up when I use the cert.pemm file or skip
the verifypeer check. How can the problem relate to the certificate if we
don't pass in cert.pem to libcurl.

We also notice the comment in the link
http://comments.gmane.org/gmane.comp.encryption.openssl.user/43777 for
"FIPS-compliant constraints of the SSL stack there". The other group are
still trying to verify this.

If I understand your comment correctly, are you saying libcurl uses the
openssl in the system (Linux) and OUR underneath software layers may use
other openssl from other area??!

On Sat, Mar 16, 2013 at 7:33 AM, cnm marketing <cnn.marketing_at_gmail.com>wrote:

> Thanks for the suggestion Oscar!
>
> We are still doing research on the link
> http://comments.gmane.org/gmane.comp.encryption.openssl.user/43777
> providered by Daniel, because it invokes other groups' work, it will take
> a while.
>
> In the meantime, we'd like to know in libcurl:
> 1. How do you invoke openssl in the case of CURLOPT_SSL_VERIFYPEER 0 and
> 1. Do you suppose to skip CA verification if CURLOPT_SSL_VERIFYPEER is 0,
> if it does, the how come you still have "*error:0506706E:Diffie-Hellman
> routines:GENERATE_KEY:key size too small*". Or this error has nothing to
> do with CURLOPT_SSL_VERIFYPEER ?! I am a bit confused by Yang's comment on
> checking the openssl key.
> 2. libcurl does not have any option to reset the key size, correct?
> 3. Since we have other layers that invokes openssl or/and bsafe, in our
> software we are not the one first get loaded into the memory, so the
> openssl from libcurl will use the openssl loaded by other layer. The reason
> that we think this may have something to do with the mixed openssl is - we
> create a small program that use the exact libcurl routine, this program
> works perfectly fine. It fails with the error "*error:0506706E:Diffie-Hellman
> routines:GENERATE_KEY:key size too small*" when we integrate this piece
> of code to our software layer. Any thought on this.
>
> On Fri, Mar 15, 2013 at 4:26 PM, cnm marketing <cnn.marketing_at_gmail.com>wrote:
>
>> >*error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too
>> small *
>> >libcurl does not fool around with certificate contents nor keys.
>> [cnm] libcurl uses openssl, that error message comes from openssl.
>> >The problem is in the certificate you are using which does not have a
>> long enough Diffie-Hellman key.
>> [cnm] I don't understand what you are refering to, please give a bit more
>> details. When we use libcurl, we don't set Diffie-Hellman key. We are
>> getting the same Diffie-Hellman error message for both CURLOPT_SSL_VERIFYPEER
>> to 1 and CURLOPT_SSL_VERIFYPEER to 0. Please refer to my previous email
>> thread!!
>>
>>
>> On Fri, Mar 15, 2013 at 2:59 PM, cnm marketing <cnn.marketing_at_gmail.com>wrote:
>>
>>> >error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too small
>>> 1. When libcurl uses Diffie-Hellman, does libcurl hardcode the
>>> Diffie-Hellman key and the length?
>>> 2. Does libcurl have an option that allow libcurl user to re-set the
>>> Diffie-Hellman key length?
>>> We are still wondering (90% convinced) whether the error message has
>>> something to do with the openssl that is getting loaded from another layer.
>>> When the openssl is being loaded by another layer, libcurl is trying to use
>>> that openssl context and find the key size (set by libcurl) is too small
>>> compare to the key set by another layer.
>>>
>>>
>>>
>>>
>>> On Fri, Mar 15, 2013 at 2:00 PM, cnm marketing <cnn.marketing_at_gmail.com>wrote:
>>>
>>>> >What SSL implementation is your libcurl using? How is the SSL stack
>>>> build and how did you build libcurl?
>>>> [cnm]
>>>> 1. I am not sure if I understand your first question, we use libcurl,
>>>> if libcurl uses ssl, then we use whatever is on the system, in our case, we
>>>> use openssl.
>>>> 2. We use dlopen()/dlsym()/dlclose() to load libcurl library. This is
>>>> the ONLY way that we can fit libcurl into our software layers. There are at
>>>> least 3 different layers in our layer that uses openssl, we are not the
>>>> first one to be loaded.
>>>>
>>>> On Fri, Mar 15, 2013 at 12:59 PM, cnm marketing <
>>>> cnn.marketing_at_gmail.com> wrote:
>>>>
>>>>> >libcurl is able to use 9 different SSL implementation as its SSL
>>>>> library for SSL connections. And yes, OpenSSL is one of them.
>>>>> [cnm] Does libcurl statically link ssl or dynamically load those ssl?
>>>>>
>>>>> >I've never seen the error message
>>>>> *> * error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too
>>>>> small
>>>>> *
>>>>> [cnm] If you believe this error message is NOT from libcurl itself,
>>>>> then I believe this error message is from the openssl routines that the
>>>>> libcurl invokes. The question is why openssl throw this error, and in what
>>>>> situation (from libcurl code) this error will be throwed from libcurl?
>>>>> >What SSL implementation is your libcurl using? How is the SSL stack
>>>>> build and how did you build libcurl?
>>>>> [cnm]
>>>>> 1. I am not sure if I understand your first question, we use libcurl,
>>>>> if libcurl uses ssl, then we use whatever is on the system, in our case, we
>>>>> use openssl.
>>>>> 2. We use dlopen()/dlsym()/dlclose() to load libcurl library. This is
>>>>> the ONLY way that we can fit libcurl into our software layers. I need to
>>>>> check with other groups and see how many they use ssl in their layers. I'll
>>>>> get back to you on this.
>>>>>
>>>>>
>>>>> On Fri, Mar 15, 2013 at 10:44 AM, cnm marketing <
>>>>> cnn.marketing_at_gmail.com> wrote:
>>>>>
>>>>>> How that can be? Does libcurl also use openssl?
>>>>>>
>>>>>> From my code, I only invoke libcurl routines. Again the following
>>>>>> output are the libcurl output by using CURLOPT_VERBOSE and CURLOPT_STDERR.
>>>>>> When setting CURLOPT_SSL_VERIFYHOST to 1, we got the debug1.txt
>>>>>> output, when setting CURLOPT_SSL_VERIFYHOST to 0, we get the
>>>>>> debug.txt output
>>>>>>
>>>>>>
>>>>>> [root_at_l2se0132 bin]# more /debug1.txt
>>>>>>
>>>>>> * About to connect() to l2se0060.lss.emc.com port 8443 (#0)
>>>>>>
>>>>>> * Trying 10.247.73.60...
>>>>>>
>>>>>> * Connected to l2se0060.lss.emc.com (10.247.73.60) port 8443 (#0)
>>>>>>
>>>>>> * successfully set certificate verify locations:
>>>>>>
>>>>>> * CAfile: /usr/yhuang/cert.pem
>>>>>>
>>>>>> CApath: none
>>>>>>
>>>>>> * error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too
>>>>>> small
>>>>>>
>>>>>> * Closing connection 0
>>>>>>
>>>>>>
>>>>>>
>>>>>> [root_at_l2se0132 bin]# more /debug.txt
>>>>>>
>>>>>> * About to connect() to l2se0060.lss.emc.com port 8443 (#0)
>>>>>>
>>>>>> * Trying 10.247.73.60...
>>>>>>
>>>>>> * Connected to l2se0060.lss.emc.com (10.247.73.60) port 8443 (#0)
>>>>>>
>>>>>> * error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too
>>>>>> small
>>>>>>
>>>>>> * Closing connection 0
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Mar 15, 2013 at 3:45 AM, Daniel Stenberg <daniel_at_haxx.se>wrote:
>>>>>>
>>>>>>> On Thu, 14 Mar 2013, cnm marketing wrote:
>>>>>>>
>>>>>>> * error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too
>>>>>>>> small
>>>>>>>>
>>>>>>>
>>>>>>> Please stop top-posting and full-quoting.
>>>>>>>
>>>>>>> My 3.2 seconds of googling on this topic lead to this:
>>>>>>>
>>>>>>> http://comments.gmane.org/**gmane.comp.encryption.openssl.**
>>>>>>> user/43777<http://comments.gmane.org/gmane.comp.encryption.openssl.user/43777>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> / daniel.haxx.se
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-03-16