curl with nss doesn't send intermediate client certificates? #851
Comments
If that's not enough to spot the problem, please say, and I can spend time building a proper reproducible bug case. |
Are you even using the same CA cert store with NSS as with OpenSSL ? And you say "curl with nss doesn't send intermediate client certificates" while the NSS error message say https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/sslerr.html lists the error codes and for the above code it explains: "Peer does not recognize and trust the CA that issued your certificate." |
On Wednesday, June 01, 2016 10:55:47 Tom Fitzhenry wrote:
That would definitely help! I have never used such a client certificate Kamil |
@bagder I just checked with I think "Peer does not recognize and trust the CA that issued your certificate." means the server (NSS's peer) is the one having trust issues. That this error is under the section "All the error codes in the following block indicate that the local socket received an SSL3 or TLS alert record from the remote peer, reporting some issue that it had with an SSL record or handshake message it received." supports this too. I will produce a reproducible test case, however. |
On Thursday, June 02, 2016 02:22:23 Tom Fitzhenry wrote:
Exactly. That is also my understanding of the issue. I suspect the reason |
Oh, and when I tried the same scenario, but with Firefox (which uses NSS), it was able to connect, suggesting the problem is not NSS, but how curl uses NSS. But anyway, I need to talk less, and produce a test case. :) |
On Thursday, June 02, 2016 02:49:34 bbc-tomfitzhenry wrote:
Sort of. curl uses nss-pem to load certificates and keys from files, which Actually, you can try to use the SSL_DIR environment variable to make curl |
Out of date, this might be fixed if nss-pem is used. Feel free to (request a) reopen. |
I just ran into the same issue. Here is my setup:
It seems, that the intermediate CA is not sent in the SSL handshake, so the server cannot verify the client certificate. If the server knows about the intermediate certificate or I use |
Yes, nss-pem currently does not support client certificates signed by intermediate certificates. Please open a pull request at https://github.com/kdudka/nss-pem or at least help us with setting up a testing environment needed for development of the feature. As a workaround, you can import the client certificate to the native NSS database and make libcurl use it by setting the |
I'm working on a script setting up a test environment and perform a test case. |
Here is a script that produces a self-signed server certificate, a root CA, a client CA and a client certificate signed by the intermediate CA. After that it will run |
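The setup script itself is not reproduced on this page. The following shell script is an added example, not the reporter's script and not curl or nss-pem project code. It builds the same kind of chain with openssl (root CA, intermediate CA, client certificate signed by the intermediate, and a `client.crt` bundle containing leaf, intermediate and key), then uses `openssl verify` to show the server-side view of the problem: a peer that trusts only the root can validate the client certificate only when the intermediate is offered alongside it, which in TLS is the client's job during the handshake. It also sketches the NSS-database workaround mentioned in the thread (`SSL_DIR` plus an NSS nickname). All file names, subject names, the `changeit` password and the NSS tool invocations are assumptions.

```shell
#!/bin/sh
# Added example, not the reporter's script or curl project code: build a
# root CA -> intermediate CA -> client certificate chain with openssl and
# show why a server that trusts only the root can validate the client
# certificate only when the intermediate certificate is supplied with it.
# Every file name, subject name and password below is an assumption.
set -eu

# Build the test PKI inside directory $1.
build_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Extension profiles for CA and end-entity certificates (constructed here).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"

    # Root CA: self-signed through a CSR so every certificate uses x509 -req.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root.key"
    openssl req -new -key "$dir/root.key" -subj "/CN=Test Root CA" -out "$dir/root.csr"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

    # Intermediate CA, issued by the root.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/intermediate.key"
    openssl req -new -key "$dir/intermediate.key" -subj "/CN=Test Intermediate CA" \
        -out "$dir/intermediate.csr"
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -extfile "$dir/ca.ext" -out "$dir/intermediate.crt" 2>/dev/null

    # Client certificate, issued by the intermediate (the reporter's situation).
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/client.key"
    openssl req -new -key "$dir/client.key" -subj "/CN=test-client" -out "$dir/client.csr"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/intermediate.crt" -CAkey "$dir/intermediate.key" \
        -CAcreateserial -days 365 -extfile "$dir/client.ext" -out "$dir/client-leaf.crt" 2>/dev/null

    # The bundle the reporter hands to --cert: leaf, intermediate and private key.
    cat "$dir/client-leaf.crt" "$dir/intermediate.crt" "$dir/client.key" > "$dir/client.crt"
}

# Number of PEM certificates in a file (the private key block is not counted).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# A server that trusts only the root and receives just the leaf cannot build
# the chain: openssl verify exits non-zero ("unable to get local issuer certificate").
verify_leaf_only() {
    openssl verify -CAfile "$1/root.crt" "$1/client-leaf.crt" >/dev/null 2>&1
}

# Same trust store, but the intermediate is offered as untrusted chain material,
# as a client that presents it in the handshake effectively does: succeeds.
verify_with_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" \
        "$1/client-leaf.crt" >/dev/null 2>&1
}

# Workaround from the thread for an NSS-built curl: import leaf, key and
# intermediate into an NSS database and point curl at it with SSL_DIR.
# Assumed NSS tool invocations; only attempted when the tools are installed.
import_into_nss_db() {
    dir="$1"; nssdb="$dir/nssdb"
    mkdir -p "$nssdb"
    certutil -N -d "sql:$nssdb" --empty-password
    openssl pkcs12 -export -in "$dir/client-leaf.crt" -inkey "$dir/client.key" \
        -certfile "$dir/intermediate.crt" -name test-client -passout pass:changeit -out "$dir/client.p12"
    pk12util -i "$dir/client.p12" -d "sql:$nssdb" -W changeit </dev/null
    echo "then run: SSL_DIR=$nssdb curl --cert test-client https://server.example/"
}

# Demo: build the PKI in a scratch directory and show both outcomes.
demo() {
    d=$(mktemp -d)
    build_test_pki "$d"
    echo "certificates in client.crt: $(count_certs "$d/client.crt")"
    if verify_leaf_only "$d"; then echo "leaf only: verified"; else echo "leaf only: rejected (intermediate missing)"; fi
    if verify_with_chain "$d"; then echo "leaf + intermediate: verified"; else echo "leaf + intermediate: rejected"; fi
    if command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1; then
        import_into_nss_db "$d" || echo "NSS import failed"
    fi
    rm -rf "$d"
}
demo
```

The two `verify_*` functions stand in for the server: with an OpenSSL-built curl the extra certificates in `client.crt` are sent along with the leaf, which corresponds to `verify_with_chain`; a client that sends only the leaf leaves the server in the `verify_leaf_only` position, and the resulting alert is what NSS reports on the curl side.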
... because they may include an intermediate certificate for a _client_ certificate and the intermediate certificate needs to be presented to the server, no matter if we verify the peer or not. Reported-by: thraidh Closes curl#851
Thank you very much for providing the setup script! It looks like the only problem is that curl completely ignores the |
Thanks for your work. I'll check. |
Just added the |
Perfect. I can prepare a Copr repository for testing in case it helped. Just let me know which version of curl for which Fedora/EPEL release you prefer. If you are still using Fedora 22, it is no longer available as a choice in Copr but I can at least prepare a SRPM that you can easily rebuild locally. |
Fedora is just running on my desktop (for which I somehow don't find the time to upgrade). The actual problem occurred on a CentOS 7, curl 7.29.0. I tried to apply your patch to the source RPM, but apparently the directory layout changed and then I got distracted by real life. I should be able to fix that tomorrow. |
Please try the packages of RHEL-7.3 curl with the above patch included from the following Copr: |
... because they may include an intermediate certificate for a client certificate and the intermediate certificate needs to be presented to the server, no matter if we verify the peer or not. Reported-by: thraidh Closes curl#851
I'll test as soon as possible. Unfortunately I got sick, so it may take some time. |
No worries. This is broken for 8+ years, so a few more days or weeks to get it fixed is fine. I wish you to get well soon! |
I did this
curl --cert client.crt --key client.crt https://server.that.prompts.for.client.certs.example.com/
where client.crt contains a client certificate, an intermediate certificate, and the corresponding private key.
I expected the following
Successful connection!
I actually got
curl/libcurl version
operating system
More details
When I execute the same command, with the same certificates, against a curl/openssl:
then it successfully connects.
When I execute the same command, with the same version of curl, against a host that has the full CA chain, then it successfully connects.