cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: cURL error 56 with SSL error -12195

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Wed, 15 Apr 2015 00:06:28 +0200

On Tue, Apr 14, 2015 at 09:40:00PM +0000, Alexandre Arantes wrote:
> Sorry,
>
> It might have been my mistake when posting it. The SSLCERT and SSLKEY are, in
> fact, defined by "realpath('../../certs/client.crt(key).pem".

The docs talk about relative paths being allowed, but realpath() produces an
absolute path. If you're saying that NSS supports that, then the libcurl docs
should really be updated to mention it since it only talks about relative paths
now.

>
> ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
> From: Dan Fandrich <dan_at_coneharvesters.com>
> To: curl-library_at_cool.haxx.se
> Sent: Tuesday, April 14, 2015 2:12 PM
> Subject: Re: cURL error 56 with SSL error -12195
>
> On Tue, Apr 14, 2015 at 08:36:11PM +0000, Alexandre Arantes wrote:
> > I have an internal server (internal to my network) to which I make a REST API
> > call from an external server.
> > I don't know if it helps but the external server is running php 5.3.6 with
> cURL
> > 7.19.7.
> > To make it safer (other than a Firewall box that limits the external IP
> > addresses that can call myinternal server to only the static IP address of my
> > external server), I generated a self-signed SSL Server Certificate for my
> > internal server.
> > I also generated a Client Certificate to be used by my external server when
> > making the calls.
> > The calls are being made using the cURL library of PHP. The page that makes
> the
> > calls looks like this:
> [snip]
> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
> =
> > = = = = = = = = = = = = = = = = = = = = = = = =
> >
> > <?php
> >
> > $mycurl = curl_init();
> > $verbose = fopen('curl_error_log','a');
> > $url_site = 'https://internal.server.com/api_test.php';
> >
> > $options = array(
> > CURLOPT_HEADER => false
> > ,CURLOPT_RETURNTRANSFER => true
> > ,CURLOPT_VERBOSE => true
> > ,CURLOPT_STDERR => $verbose
> > ,CURLOPT_HTTPHEADER => array('Accept: application/json')
> > ,CURLOPT_CAINFO => realpath('/certs/server/certs.pem')
> > ,CURLOPT_CAPATH => realpath('/certs/server')
> > ,CURLOPT_SSL_VERIFYPEER => true
> > ,CURLOPT_SSL_VERIFYHOST => 2
> > ,CURLOPT_SSLCERT => realpath('/certs/client.crt.pem')
> > ,CURLOPT_SSLKEY => realpath('/certs/client.key.pem')
> > ,CURLOPT_SSLCERTTYPE => 'PEM'
> > ,CURLOPT_URL => $url_site
> > );
> [snip]
>
>
>
> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
> =
> > = = = = = = = = = = = = = = = = = = = = = = = =
> > And the verbose file (curl_error_log) has this:
> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
> =
> > = = = = = = = = = = = = = = = = = = = = = = = =
> >
> > * About to connect() to internal.server.com port 443 (#0)
> > * Trying 111.222.333.444... * connected
> > * Connected to internal.server.com (111.222.333.444) port 443 (#0)
> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > * CAfile: /certs/server/certs.pem
> > CApath: /certs/server
> > * SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> > * Server certificate:
> > * subject: CN=internal.server.com,OU=BI,O=ABC Corp,L=City,ST=State,C=CO
> > * start date: Apr 13 15:15:38 2015 GMT
> > * expire date: Apr 12 15:15:38 2016 GMT
> > * common name: internal.server.com
> > * issuer: CN=internal.server.com,OU=BI,O=ABC Corp,L=City,ST=State,C=CO
> > > GET /api_test.php HTTP/1.1
> > Host: internal.server.com
> > Accept: application/json
> >
> > * NSS: client certificate from file
> > * subject: CN=internal.server.com,OU=BI,O=ABC Corp,L=City,ST=State,C=CO
> > * start date: Apr 13 15:26:48 2015 GMT
> > * expire date: Apr 12 15:26:48 2016 GMT
> > * common name: internal.server.com
> > * issuer: CN=internal.server.com,OU=BI,O=ABC Corp,L=City,ST=State,C=CO
> > * SSL read: errno -12195
> > * Closing connection #0
>
>
> You're using a libcurl compiled to use the NSS SSL library. That handles
> client certificates differently from other libraries. The CURLOPT_SSLCERT(3)
> man page describes the difference:
>
> With NSS or Secure Transport, this can also be the nickname
> of the certificate you wish to authenticate with as it is named in
> the security database. If you want to use a file from the current
> directory, please precede it with "./" prefix, in order to avoid
> confusion with a nickname.
>
> >>> Dan
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>

> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-04-15