-
-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Difference in sending TLS client cert with Issuer DN list mismatch #1411
Comments
I just ran into the same problem. I think the appropriate solution in the GnuTLS backend would be to make use of gnutls_certificate_set_retrieve_function. This allows to specify the certificate and private key that should be used by the client in the TLS handshake. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Problem remains |
It seems nobody is capable of working on this issue for now, making it subject to get added to the |
Wouldn't it be enough to add GNUTLS_FORCE_CLIENT_CERT flag to gnutls_init function call in Line 636 in aeaa22d
|
@ksuszka yes it sounds like that may be an even easier fix. It looks like that flag was added in GnuTLS Version 3.5.0 (released 2016-05-09). |
TLS servers may request a certificate from the client. This request includes a list of 0 or more acceptable issuer DNs. The client may use this list to determine which certificate to send. GnuTLS's default behavior is to not send a client certificate if there is no match. However, OpenSSL's default behavior is to send the configured certificate. The `GNUTLS_FORCE_CLIENT_CERT` flag mimics OpenSSL behavior. Fixes curl#1411
TLS servers may request a certificate from the client. This request includes a list of 0 or more acceptable issuer DNs. The client may use this list to determine which certificate to send. GnuTLS's default behavior is to not send a client certificate if there is no match. However, OpenSSL's default behavior is to send the configured certificate. The `GNUTLS_FORCE_CLIENT_CERT` flag mimics OpenSSL behavior. Authored-by: jethrogb on github Fixes #1411 Closes #4958
TLS servers may request a certificate from the client. This request includes a list of 0 or more acceptable issuer DNs. The client may use this list to determine which certificate to send. In curl, when the specified client certificate doesn't match any of the server-specified DNs, the OpenSSL and GnuTLS backends behave differently.
I did this
Here I'm running a simple TLS server that requests client certificates with an issuer CN=serv.
(Note: you can have the server send an empty issuer DN list by omitting the
-CAfile s.crt
parameters.)Generate a client cert with a different issuer (CN=clnt):
Try connecting with the OpenSSL backend:
The client certificate is sent.
With the GnuTLS backend:
No client certificate is sent.
I expected the following
I expected that GnuTLS and OpenSSL backends would behave the same. In particular, I would have a preference for the GnuTLS backend behaving like the OpenSSL backend. To do that, look at
cert_callback
in gnutls-cli.curl/libcurl version
See above
operating system
Ubuntu 16.04
The text was updated successfully, but these errors were encountered: