Add CURLE_SSL_CLIENTCERT error #6721
Conversation
As a beginning, adding only to OSX.
I lack a documentation update in docs/libcurl/libcurl-errors.3
but perhaps I'm mostly concerned that this creates a new return code and it is only used in a single TLS backend, and in one that is mostly deprecated. Did you try to provide it for perhaps at least OpenSSL as well?
What is your use case for this error code, how is it necessary?
@jay Our curl wrapper detects the CURLE_SSL_CLIENTCERT error and negotiates with the other side, gets all the certificates, and lets the user select the certain certificates.
I don't mind adding a new error code for this condition. But... I think this error code needs to also be supported at least for OpenSSL to be acceptable (and preferably for even more). As I said before: Secure Transport is more or less deprecated by Apple themselves now and adding a global new curl error code only supported in that niche backend I think isn't meeting the bar we should set for new error codes.
I think this error code needs support in more TLS backends before we can merge it.
I have ported the change to OpenSSL
I would appreciate if you squashed this set of commits to the lowest number of commits you think it should use - to ease reviewing.
@@ -3317,6 +3317,11 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data, | |||
error_buffer */ | |||
strcpy(error_buffer, "SSL certificate verification failed"); | |||
} | |||
else if((lib == ERR_LIB_SSL) && | |||
(reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) { |
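Review bot: the new branch at `else if((lib == ERR_LIB_SSL) && (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED))` only fires for the TLS 1.3 certificate_required alert, so a TLS 1.2 server that aborts the handshake over a missing client certificate still falls through to the generic CURLE_SSL_CONNECT_ERROR; that limit should be stated in a code comment and in the docs/libcurl/libcurl-errors.3 entry for the new code. The macro is also only defined from OpenSSL 1.1.1 on, so this line needs a compile-time guard or it will not build against older OpenSSL and forks that lack it.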
This sounds TLS 1.3 specific, doesn't it?
Yes, that is true.
So you don't think it's a problem that if you happen to negotiate another TLS version you won't get this error code for the otherwise very similar situation?
I would like to add the error code for other TLS versions, but I don't know how yet. So I wanted to add the concept first for TLS 1.3 and above, then slowly add it for other versions.
lib/vtls/openssl.c
@@ -3317,7 +3317,7 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data, | |||
error_buffer */ | |||
strcpy(error_buffer, "SSL certificate verification failed"); | |||
} | |||
#if OPENSSL_VERSION_NUMBER >= 0x10101000L | |||
#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) |
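Review bot: the added `&& !defined(LIBRESSL_VERSION_NUMBER)` hard-wires a fork name and carries no comment explaining why LibreSSL is excluded, so a reader cannot tell whether LibreSSL lacks the macro or the alert handling. Testing for the macro itself (`#ifdef SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED`) instead of a version-and-fork condition would document the reason in code and enable the feature automatically once a fork adds it, which is what the follow-up commit on this page ends up doing.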
Why is this excluding libressl? I think a comment here explaining this could be a good idea.
SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on OpenSSL v1.1.1 and above, and I added comments for it.
@bagder I have squashed the changes and added comments as requested.
When the server requests a client certificate during the handshake, it returns the generic error CURLE_SSL_CONNECT_ERROR. This is a very specific error and would like to be handled specifically, so adding a different error code CURLE_SSL_CLIENTCERT
Do you have an easy method to reproduce this error?
@gvollant If mutual TLS authentication is set on both client and server and the client does not give its certificates, the error will be returned. That is our use case, and at that point the client asks the end user to select certificates for the mutual handshake. (In case the client is aware of multiple certificates, the client does not know which one to provide, hence end user interaction is needed.)
Thanks!
OpenSSL 1.1.1 defines this macro, but no earlier version, or any of the popular forks (yet). Use the macro itself to detect its presence, replacing the hard-wired fork-specific conditions. This way the feature will enable automatically when forks implement it, while also shorter and possibly requiring less future maintenance. Follow-up to 94241a9 curl#6721 Reviewed-by: Jay Satiro Closes curl#11617
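The two points argued in this thread, that the new code only covers the TLS 1.3 certificate_required alert and that the OpenSSL macro should be detected by its presence rather than by version or fork name, can be shown together in a small classifier. The following is an added example written for this page, not code from curl's lib/vtls/openssl.c: it builds without OpenSSL headers by supplying fallback values for `ERR_LIB_SSL`, `SSL_R_CERTIFICATE_VERIFY_FAILED` and `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED` (the OpenSSL 1.1.1 values, assumed here), uses the OpenSSL 1.1.1 packed-error layout (assumed: library in the top byte, reason in the low 12 bits), and returns hypothetical `EX_*` result codes modelled on, but not numerically equal to, libcurl's CURLE_* codes.

```c
#include <stdio.h>
#include <string.h>

/* Fallback definitions so this example compiles stand-alone. The values are
 * OpenSSL 1.1.1's (an assumption of this example): ERR_LIB_SSL is 20 and an
 * alert reason is SSL_AD_REASON_OFFSET (1000) plus the TLS alert number. */
#ifndef ERR_LIB_SSL
#define ERR_LIB_SSL 20
#endif
#ifndef SSL_R_CERTIFICATE_VERIFY_FAILED
#define SSL_R_CERTIFICATE_VERIFY_FAILED 134
#endif
/* OpenSSL 1.1.1 is the first release defining this macro. The classifier below
 * tests the macro itself with #ifdef, as the follow-up commit recommends,
 * instead of checking version numbers or fork names. */
#ifndef SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED
#define SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED 1116 /* 1000 + alert 116 */
#endif
/* Constructed for the example: the TLS 1.2 alert a server commonly sends when
 * it rejects a handshake without a client certificate (alert 40). */
#define EXAMPLE_TLS12_HANDSHAKE_FAILURE 1040

/* Hypothetical result codes modelled on libcurl's; the numeric values are not
 * libcurl's and only serve this example. */
typedef enum {
  EX_OK = 0,
  EX_SSL_CONNECT_ERROR,
  EX_PEER_FAILED_VERIFICATION,
  EX_SSL_CLIENTCERT
} ex_code;

/* OpenSSL 1.1.1 packed-error layout (assumed): lib in the top byte, reason in
 * the low 12 bits. OpenSSL 3.x widened the reason field, so this helper is
 * only meant to mirror 1.1.1 for the example. */
static unsigned long pack_err(int lib, int reason) {
  return ((unsigned long)lib << 24) | (unsigned long)(reason & 0xfff);
}
static int err_lib(unsigned long e)    { return (int)((e >> 24) & 0xff); }
static int err_reason(unsigned long e) { return (int)(e & 0xfff); }

/* Classify a packed OpenSSL error the way the PR's ossl_connect_step2 branch
 * does: verification failure, client certificate required, otherwise the
 * generic connect error. Writes a short message into msg. */
ex_code classify_ssl_error(unsigned long packed, char *msg, size_t msglen) {
  int lib = err_lib(packed);
  int reason = err_reason(packed);

  if(lib == ERR_LIB_SSL && reason == SSL_R_CERTIFICATE_VERIFY_FAILED) {
    snprintf(msg, msglen, "SSL certificate verification failed");
    return EX_PEER_FAILED_VERIFICATION;
  }
#ifdef SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED
  /* Only the TLS 1.3 alert is recognised: a TLS 1.2 server that aborts for the
   * same reason sends a different alert and still lands in the generic case. */
  if(lib == ERR_LIB_SSL && reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED) {
    snprintf(msg, msglen, "TLS 1.3 server requires a client certificate");
    return EX_SSL_CLIENTCERT;
  }
#endif
  snprintf(msg, msglen, "SSL connect error (lib %d, reason %d)", lib, reason);
  return EX_SSL_CONNECT_ERROR;
}

/* Convenience wrapper: classify a (lib, reason) pair without a message buffer. */
ex_code classify_packed(int lib, int reason) {
  char msg[96];
  return classify_ssl_error(pack_err(lib, reason), msg, sizeof msg);
}

int main(void) {
  /* Constructed inputs covering the three outcomes discussed in the thread. */
  const int cases[][2] = {
    { ERR_LIB_SSL, SSL_R_CERTIFICATE_VERIFY_FAILED },
    { ERR_LIB_SSL, SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED },
    { ERR_LIB_SSL, EXAMPLE_TLS12_HANDSHAKE_FAILURE },
  };
  char msg[96];
  size_t i;
  for(i = 0; i < sizeof cases / sizeof cases[0]; i++) {
    ex_code rc = classify_ssl_error(pack_err(cases[i][0], cases[i][1]),
                                    msg, sizeof msg);
    printf("reason %4d -> code %d: %s\n", cases[i][1], (int)rc, msg);
  }
  return 0;
}
```

A wrapper that wants to react to the new code would branch on `EX_SSL_CLIENTCERT` (in real libcurl, CURLE_SSL_CLIENTCERT) and retry with a certificate chosen by the user; the third case shows why the reviewers pressed on TLS 1.2 coverage, since that handshake still reports only the generic connect error.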