Bugs item #2011303, was opened at 2008-07-05 17:17
Message generated for change (Settings changed) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2011303&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: wrong behaviour
>Status: Pending
Resolution: None
Priority: 5
Private: No
Submitted By: Gene Czarcinski (geneczarcinski)
Assigned to: Daniel Stenberg (bagder)
Summary: CA certificate "missing" for launchpad, bzr fails

Initial Comment:
System: x86_64, Fedora 9, last updated 7/4/2008

Downstream reports:
https://bugzilla.redhat.com/show_bug.cgi?id=454151
https://bugs.launchpad.net/bugs/245634

The basic problem is that I am trying to do:
   bzr launchpad-login gene-czarc
and it fails with:
curl: (60) Peer certificate cannot be authenticated ...

To check verify certificates, bzr uses pycurl which, in turn, uses libcurl. I have been tracking down through the code (I am not very good at python) as well as assuming that the CA cert was missing.
----------------------------------------------------
Here are the results of my latest testing:

First, I installed "curl" to have a nice command line
interface.

1. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://www.redhat.com
or run: curl https://www/redhat/com
both results: html

2. run: curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://launchpad.net
or run: curl https//launchpad.net
both results: curl: (60) Peer certificate cannot be authenticated ...
-----------------------------------------------------
get new cacert.pem from http://curl.haxx.se/docs/caextract.html
[curl website] ... I was assuming that a cert was missing
-----------------------------------------------------
3. run: curl --cacert ./cacert.pem https://www.redhat.com
result: html

4. run: curl --cacert ./cacert.pem https://launchpad.net
result: html ... looking good!
-----------------------------------------------------
This proves something but I am not sure what because if I copy the new cacert.pem into /etc/pki/tls/certs/ and try to use it from there, redhat works
but launchpad does not.
-------------------------------------------------
OK, one more test: copy /etc/pki/tls/certs/ca-bundle.crt to ./ [this is openssl's]

run curl --cacert ./ca-bundle.crt https://launchpad.net
result: html

So, this tells me that the CA cert has benn there all along!
-------------------------------------------------------
I have not looked into the libcurl code itself.

However, from the curl.spec in the src.rpm, the configuration looks good:
  --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt

but then there is this:

run: curl-config --ca
result: @CURL_CA_BUNDLE@

Oh, I also tried using an environment setting:

export CURL_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt
bzr launchpad-login gene-czarc
fails again.

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-07-10 00:20

Message:
Logged In: YES
user_id=1110
Originator: NO

Well, let me again mention you using Fedora and thus not a "normal" NSS
version. I cannot repeat your failures at all, for me curl can't use that
cacert:

[build curl to use NSS 3.12.0.2 on Debian Unstable]
$ make ca-bundle
$ ./src/curl --cacert lib/ca-bundle.crt https://launchpad.net

This fails. Adding -v also makes it fail.

When I use -v I get a hint on why this doesn't work for me:

* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM
certificates will not work.

All references I find with Google say that lib is Fedora-only.

----------------------------------------------------------------------

Comment By: Gene Czarcinski (geneczarcinski)
Date: 2008-07-09 07:38

Message:
Logged In: YES
user_id=1180421
Originator: YES

File Added: curl-notworks-packet

----------------------------------------------------------------------

Comment By: Gene Czarcinski (geneczarcinski)
Date: 2008-07-09 07:37

Message:
Logged In: YES
user_id=1180421
Originator: YES

Yes, a lot of stuff is flying around. If you look closely, I have gotten
it to work with Fedora's ca-bundle.crt ... just not when it is in its
installed location. I have also run tests (which failed) where I replaced
Fedora's ca-bundle.crt with the cacert.pem file I downloaded from the
cur/libcurl website.

My latest test involved running wireshark to capture the packets for a
works and does-not-work run. I saved (exported as text file) the
certificate packets which I am attaching. I am really not very
knowledgable at the packet level but they look the same except for some
stuff at the beginning of the packet (which I would expect to be
different).

If I can run any test, etc. to shead some light on this, please ask.

For curl works I ran: curl --cacert ./ca-bundle.crt https://launchpad.net
>xxx

For curl notworks I ran: curl -v --cacert ./ca-bundle.crt
https://launchpad.net >xxx
File Added: curl-works-packet

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-07-07 20:08

Message:
Logged In: YES
user_id=1110
Originator: NO

I'm not sure I'm following you, there are a lot of pieces flying around
here!

First, off the libcurl in Fedora is build against an NSS version that is
Fedora-patched. It would be interesting to know if you see this problem
with libcurl that is built with other SSL/TLS libs than NSS or how it
behaves with a release-version of NSS.

Assuming we find a non-Fedora version that triggers this error (simply
because I don't have access to any machines running Fedora 9), what ca-cert
bundle do you use for it and are you saying that the bug only occurs if you
use -v/--verbose with it? Does it behave the same against all SSL sites or
only particular ones?

----------------------------------------------------------------------

Comment By: Gene Czarcinski (geneczarcinski)
Date: 2008-07-05 21:23

Message:
Logged In: YES
user_id=1180421
Originator: YES

This sure looks like there is an unitialized variable somewhere.

Note that the only thing between success and failure is running "-v"
verbose.
---------------------------------------------------------------------
[gc@falcon test]$ curl --cacert ./cacert.pem https://launchpad.net >xxx
  % Total % Received % Xferd Average Speed Time Time Time
Current
                                 Dload Upload Total Spent Left
Speed
100 13706 100 13706 0 0 10244 0 0:00:01 0:00:01 --:--:--
69573
[gc@falcon test]$ curl --cacert ./ca-bundle.crt https://launchpad.net
>xxx
  % Total % Received % Xferd Average Speed Time Time Time
Current
                                 Dload Upload Total Spent Left
Speed
100 13706 100 13706 0 0 5859 0 0:00:02 0:00:02 --:--:--
13665
[gc@falcon test]$ curl --cacert ./ca-bundle.crt https://launchpad.net
>xxx
  % Total % Received % Xferd Average Speed Time Time Time
Current
                                 Dload Upload Total Spent Left
Speed
100 13706 100 13706 0 0 11259 0 0:00:01 0:00:01 --:--:--
69573
[gc@falcon test]$ curl --cacert ./ca-bundle.crt https://launchpad.net
>xxx
  % Total % Received % Xferd Average Speed Time Time Time
Current
                                 Dload Upload Total Spent Left
Speed
100 13706 100 13706 0 0 13799 0 --:--:-- --:--:-- --:--:--
69222
-----------------------------------------------------------------------------------
[gc@falcon test]$ curl -v --cacert ./ca-bundle.crt https://launchpad.net
>xxx
* About to connect() to launchpad.net port 443 (#0)
* Trying 91.189.90.211... connected
* Connected to launchpad.net (91.189.90.211) port 443 (#0)
* CAfile: ./ca-bundle.crt
  CApath: none
* Bad certificate received. Subject = 'CN=launchpad.net,OU=Domain Control
Validated,O=launchpad.net', Issuer =
'E=practices_at_starfieldtech.com,CN=Starfield Secure Certification
Authority,OU=http://www.starfieldtech.com/repository,O="Starfield
Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates

curl: (60) Peer certificate cannot be authenticated with known CA
certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

----------------------------------------------------------------------

Comment By: Gene Czarcinski (geneczarcinski)
Date: 2008-07-05 21:18

Message:
Logged In: YES
user_id=1180421
Originator: YES

I am slowly finding my way through the code ... currently going through
nss.c code. Here is more info:
-------------------------------------------------------------------------------------
$ curl -v https://launchpad.net >xxx
* About to connect() to launchpad.net port 443 (#0)
* Trying 91.189.90.211... connected
* Connected to launchpad.net (91.189.90.211) port 443 (#0)
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Bad certificate received. Subject = 'CN=launchpad.net,OU=Domain Control
Validated,O=launchpad.net', Issuer =
'E=practices_at_starfieldtech.com,CN=Starfield Secure Certification
Authority,OU=http://www.starfieldtech.com/repository,O="Starfield
Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates

curl: (60) Peer certificate cannot be authenticated with known CA
certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
----------------------------------------------------------------------------------
$ curl -v --cacert ./cacert.pem https://launchpad.net >xxx
* About to connect() to launchpad.net port 443 (#0)
* Trying 91.189.90.211... connected
* Connected to launchpad.net (91.189.90.211) port 443 (#0)
* CAfile: ./cacert.pem
  CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_MD5
* Server certificate:
* subject: CN=launchpad.net,OU=Domain Control Validated,O=launchpad.net
* start date: Jul 25 18:24:13 2006 GMT
* expire date: Jul 25 18:24:13 2009 GMT
* common name: launchpad.net
* issuer: E=practices_at_starfieldtech.com,CN=Starfield Secure Certification
Authority,OU=http://www.starfieldtech.com/repository,O="Starfield
Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.18.2 (x86_64-redhat-linux-gnu) libcurl/7.18.2
NSS/3.12.0.3 zlib/1.2.3 libidn/0.6.14
> Host: launchpad.net
> Accept: */*
>
  % Total % Received % Xferd Average Speed Time Time Time
Current
                                 Dload Upload Total Spent Left
Speed
  0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:--
  0< HTTP/1.1 200 Ok
< Date: Sat, 05 Jul 2008 19:16:04 GMT
< Server: zope.server.http (HTTP)
< X-Powered-By: Zope (www.zope.org), Python (www.python.org)
< Content-Length: 13706
< Content-Type: text/html;charset=utf-8
< Set-Cookie: lp=xM8TSYrdXV7lowuySbHm8pZ1v7sDT7OMEpZmqyuhAoegv5wShHKVco;
Domain=.launchpad.net; expires=Sun, 05 Jul 2009 19:16:04 GMT; Path=/;
secure;
< Via: 1.1 launchpad.net
< Vary: Accept-Encoding
<
{ [data not shown]
100 13706 100 13706 0 0 8079 0 0:00:01 0:00:01 --:--:--
38392* Connection #0 to host launchpad.net left intact

* Closing connection #0

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2011303&group_id=976
Received on 2008-07-15