ssl3_get_server_certificate:wrong certificate type (gost https server) #447
Comments
Perhaps try to specify the ciphers in CLI (see man). |
cURL was updated:
when:
Hmmm
|
|
Sorry, it is me again. On the latest version of cURL I caught an error:
But the server certificate looks OK (to me) |
Additional info about server cert:
The last string differs from the openssl config string:
Is it important in this case? |
but with CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet openssl connection works fine:
|
Tried to use libcurl with the same result (dlang code):

    import std.net.curl;
    import std.stdio;

    void main()
    {
        auto r = HTTP("zakupki");
        r.handle.set(etc.c.curl.CurlOption.sslengine, "gost");
        r.handle.set(etc.c.curl.CurlOption.verbose, 1);
        r.verifyPeer = false;
        r.verifyHost = false;
        string content = std.net.curl.post("https://zakupki.gov.ru/pgz/services/upload", "asd", r).idup;
        writeln(content);
    }
|
To me it sounds like you need to use the openssl engine 'gost' and then you should be able to specify that as a cipher. |
already use it
The cipher is detected by openssl automatically; probably "SSL routines:ssl3_get_server_certificate:wrong certificate type" is an error from the openssl library. But with the openssl CLI the request works fine. |
Then I suggest some good old fashioned debugging to figure out where it goes wrong and why... |
I wrote in the hope that somebody would point out an issue in my actions... |
I don't know either. Never used gost. The |
What version of OpenSSL are you using? Anyway, if the parameters in

    $ CRYPT_PARAMS=id-Gost28147-89-CryptoPro-A-ParamSet ./src/curl -v -k --engine gost https://zakupki.gov.ru/pgz/services/upload

I haven't tested this though. |
I tested this, but unfortunately it doesn't work either. This is with openssl from git master from just a few minutes ago. |
1.0.2d-2 from Debian experimental |
TL;DR This is a bug, try the fix

Long part: https://github.com/bagder/curl/blob/curl-7_44_0/lib/vtls/openssl.c#L708-L729

The easy solution for this is we initialize all algorithms after loading the config file. That was proposed in #206 several months ago but ultimately no change was made. I was unsure about it at that time and deferred. I think this is a pretty good use case for why we should take another look. To that end I've resurrected @ex-troll's patch which fixes the issue for me. (Edit 2015-09-28: Fix landed in 69b8905)

This may be related just to a dynamic module being loaded due to config because I found someone on the internet has been using GOST successfully, presumably without this patch. I needed the patch though.
I didn't need to set
Take caution using the
|
Of course! -k was used only for ease of explanation here. |
This patch works for me! Thanks! |
I think the diff looks fine and shouldn't cause any problems. Will you merge @jay to give us a few days to test this before the pending release? |
- Change algorithm init to happen after OpenSSL config load. Additional algorithms may be available due to the user's config so we initialize the algorithms after the user's config is loaded. Bug: #447 Reported-by: Denis Feklushkin
👍 |
- Change algorithm init to happen after OpenSSL config load. Additional algorithms may be available due to the user's config so we initialize the algorithms after the user's config is loaded. Bug: curl#447 Reported-by: Denis Feklushkin
Catching up.
My crypto.mk: https://gist.github.com/solardatov/8b57675f8b2e3a736de020f1f0ca078a
My code sample of how I do the https request: https://gist.github.com/solardatov/fe6b1488b12a2cef4b94aebbf1c5d533
Btw, curl_easy_setopt(pCurl, CURLOPT_SSLENGINE, "gost") always fails with CURLE_SSL_ENGINE_NOTFOUND |
@solardatov Yes, the fix is libcurl >= 7.45.0 will init algorithms after loading the conf. Your issue appears to be unrelated so please don't continue to discuss it in this thread. Before filing an issue for this you should ask on the libcurl mailing list and see if anyone there is using GOST and can help you. Note libcurl also returns |
Setup:
Checking: