curl-library

Multi-threading, NSS, client certificates and Linux problem

From: Pawel Veselov <pawel.veselov_at_gmail.com>
Date: Thu, 19 Jan 2017 00:27:57 -0800

Hello.

I have a project that uses libcurl. Recently I have attempted to enable
concurrent data exchange. The connections established by the client are
both HTTPS and use client-side X.509 certificates for authentication.

The problem is that, if used concurrently, NSS seems to not include, or
include partially, the certificate that is to be sent out to the server. It
results in:
1) Server replying with 401 because no certificates were attached
2) Server replying with SSL error, because certificate fails validation,
CURL returns error 58.
3) Only some connections exhibit this problem.

Note that in all cases, the connections being opened in parallel use
*different* X.509 certificate/keys. Everything works perfectly well if
executed in a single thread. FORBID_REUSE is set on every connection. curl
objects are never reused, always destroyed/recreated. Using "easy"
interface.

Running strace on the process, I can see NSS accessing the correct PEM
files, but simply not including the certificate (point #1). I assume there
are some invalid bits for point #2 (the correct certificate seems to be
included), but figuring it out is somewhat tedious. I assume that the
problems are related, and #1 is more clear cut.

I was wondering whether this was a known problem, and what is the best
approach to debugging it. Considering I've not been around NSS or libcurl
code before, any pointers on where to dig would be highly appreciated.

Configurations:

AWS Linux:
curl 7.47.1 (x86_64-redhat-linux-gnu) libcurl/7.47.1 NSS/3.21.3 Basic ECC
zlib/1.2.8 libidn/1.18 libpsl/0.6.2 (+libicu/50.1.2) libssh2/1.4.2
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB
SSL libz UnixSockets PSL

FC 23:
curl 7.43.0 (x86_64-redhat-linux-gnu) libcurl/7.43.0 NSS/3.26 zlib/1.2.8
libidn/1.33 libssh2/1.6.0 nghttp2/1.7.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB
SSL libz HTTP2 UnixSockets Metalink

Thank you!
  Pawel.

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-01-19