Add CURLE_SSL_CLIENTCERT error #6721
Conversation
|
As beginging, adding only to OSX. |
|
👉 View analysis in DeepCode’s Dashboard | Configure the bot |
There was a problem hiding this comment.
I lack a documentation update in docs/libcurl/libcurl-errors.3 but perhaps I'm mostly concerned that this creates a new return code and only it is only used in a single TLS backend, and in one that is mostly deprecated . Did you try to provide it for perhaps at least OpenSSL as well?
|
What is your use case for this error code, how is it necessary? |
|
@jay Our curl wrapper detects CURLE_SSL_CLIENTCERT error and negotiates with the other side, gets all the certificates, and let user to select the certain certificates. |
|
I don't mind adding a new error code for this condition. But... I think this error code needs to also be supported at least for OpenSSL to be acceptable (and preferably for even more). As a I said before: Secure Transport is more or less deprecated by Apple themselves now and adding a global new curl error code only supported in that niche backend I think isn't meeting the bar we should set for new error codes. |
|
I have ported the change to OpenSSL |
| @@ -3317,6 +3317,11 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data, | |||
| error_buffer */ | |||
| strcpy(error_buffer, "SSL certificate verification failed"); | |||
| } | |||
| else if((lib == ERR_LIB_SSL) && | |||
| (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) { | |||
There was a problem hiding this comment.
This sounds TLS 1.3 specific, isn't it?
There was a problem hiding this comment.
So you don't think it's a problem that if you happen to negotiate another TLS version you won't get this error code for the otherwise very similar situation?
There was a problem hiding this comment.
I would like to add the error code to other TLS versions, but don't know how yet. So, wanted to add concepts first TLS 1.3 and above then slowly add for other versions.
lib/vtls/openssl.c
Outdated
| @@ -3317,7 +3317,7 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data, | |||
| error_buffer */ | |||
| strcpy(error_buffer, "SSL certificate verification failed"); | |||
| } | |||
| #if OPENSSL_VERSION_NUMBER >= 0x10101000L | |||
| #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) | |||
There was a problem hiding this comment.
Why is this excluding libressl? I think a comment here explaining this could be a good idea.
There was a problem hiding this comment.
SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on OpenSSL v1.1.1 above and added comments for it.
|
@bagder I have squashed the changes and added comments as requested. |
When server requests client certificate request during handshake, it returns generic error CURLE_SSL_CONNECT_ERROR. This is very specific error, and would like to be handled specifically, so adding different error code CURLE_SSL_CLIENTCERT
|
Do you have an easy method to reproduce this error? |
@gvollant If the mutual TLS authentication set on both client and server, client does not give its certificates, the error will be return. That is our use case and at that point client asks end user to select certificates for mutual handshake. (in case of client aware of multiple certificates, client does not know which one to provide, hence end users interaction is needed.) |
|
Thanks! |
OpenSSL 1.1.1 defines this macro, but no ealier version, or any of the popular forks (yet). Use the macro itself to detect its presence, replacing the hard-wired fork-specific conditions. This way the feature will enable automatically when forks implement it, while also shorter and possibly requiring less future maintenance. Follow-up to 94241a9 curl#6721 Closes curl#11617
OpenSSL 1.1.1 defines this macro, but no ealier version, or any of the popular forks (yet). Use the macro itself to detect its presence, replacing the hard-wired fork-specific conditions. This way the feature will enable automatically when forks implement it, while also shorter and possibly requiring less future maintenance. Follow-up to 94241a9 #6721 Reviewed-by: Jay Satiro Closes #11617
OpenSSL 1.1.1 defines this macro, but no ealier version, or any of the popular forks (yet). Use the macro itself to detect its presence, replacing the hard-wired fork-specific conditions. This way the feature will enable automatically when forks implement it, while also shorter and possibly requiring less future maintenance. Follow-up to 94241a9 curl#6721 Reviewed-by: Jay Satiro Closes curl#11617
-When server requests client certificate request during handshake, it returns generic error CURLE_SSL_CONNECT_ERROR. This is very specific error, and would like to be handled specifically, so adding different error code CURLE_SSL_CLIENTCERT