
Add details to error: "unable to set client certificate" #9228

Closed
wants to merge 1 commit into from

Conversation

opensignature
Contributor

@opensignature opensignature commented Jul 30, 2022

The error "unable to set client certificate" is, imho, too generic.
I would add the message from OpenSSL.
In my case:
from: curl: (58) unable to set client certificate
to: curl: (58) unable to set client certificate [error:0A00018F:SSL routines::ee key too small]

@dfandrich
Collaborator

dfandrich commented Jul 30, 2022

@emilengler
Contributor

emilengler commented Jul 30, 2022

At that point I think it would be better to write a wrapper function for failf that always includes the OpenSSL error, instead of this patch at just one place in the code.

@opensignature
Contributor Author

opensignature commented Jul 31, 2022

> Isn't the OpenSSL detailed error displayed as a debug log?

"debug log" is for developers. I think it is easier for a user to try to interpret, for example, the message "ee key too small" than to enable the debug log.
Consider that with the introduction of OpenSSL version 1.1.1 several packages have become buggy.
"dh key too small", "ee key too small", "ca md too weak" are caused by the SECLEVEL 2 setting, which sets the security level to 112 bits.
RSA and DHE keys need to be at least 2048 bits long, but still today many keys (for example those in the smartcards used to authenticate) are 1024 bits long.
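
The check a user hits this error will want to run, as an added example that is not part of this PR or of curl: generate a constructed 1024-bit self-signed client certificate with the openssl CLI, read its key size, and see how OpenSSL's verifier judges it at security level 1 (80 bits) versus level 2 (112 bits). `openssl verify -auth_level` applies the same public-key bit thresholds as the TLS security level that produces "ee key too small" in libssl, so level 2 rejects any RSA key below 2048 bits. The function names, file names and the `openssl` binary being on PATH are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not curl project code): reproduce the "key too small" failure
# that curl's bare "unable to set client certificate" message can hide, using
# only the openssl CLI. The certificate is constructed here for the demo.

# make_weak_cert DIR: write a 1024-bit RSA key and self-signed cert into DIR.
# 1024-bit RSA gives 80 bits of security, below the 112-bit floor of level 2.
make_weak_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:1024 -nodes -sha256 -days 1 \
        -subj "/CN=weak-client" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# key_bits CERT: print the size in bits of the certificate's public key.
# Matches both "RSA Public-Key: (N bit)" (1.1.1) and "Public-Key: (N bit)" (3.x).
key_bits() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'Public-Key: ([0-9]* bit)' | grep -o '[0-9]*' | head -n 1
}

# accepted_at_level CERT LEVEL: succeed only if the cert (used as its own
# trust anchor) passes chain verification at the given auth level.
accepted_at_level() {
    openssl verify -auth_level "$2" -CAfile "$1" "$1" >/dev/null 2>&1
}

# verify_error CERT LEVEL: print the reason OpenSSL gives for rejecting the cert,
# e.g. "error 66 at 0 depth lookup: EE certificate key too weak".
verify_error() {
    openssl verify -auth_level "$2" -CAfile "$1" "$1" 2>&1 \
        | grep -i 'error' | head -n 1
    true
}

# demo: show the key size and the verdict at both security levels.
demo() {
    work=$(mktemp -d)
    make_weak_cert "$work"
    echo "client key size: $(key_bits "$work/cert.pem") bits"
    for level in 1 2; do
        if accepted_at_level "$work/cert.pem" "$level"; then
            echo "auth_level $level: accepted"
        else
            echo "auth_level $level: rejected ($(verify_error "$work/cert.pem" "$level"))"
        fi
    done
    rm -rf "$work"
}

demo
```

Run it as a script; the level 2 rejection is the same condition that makes libssl refuse the certificate with "ee key too small" when a distro's openssl.cnf pins CipherString to @SECLEVEL=2, and the key size line is what to check on a smartcard certificate before blaming curl.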

@bagder
Member

bagder commented Jul 31, 2022

> to: curl: (58) unable to set client certificate [error:0A00018F:SSL routines::ee key too small]

That's a horribly user-hostile way to phrase the error, but I can't really think of how it can be improved easily... ☹️

@bagder bagder added the TLS label Jul 31, 2022
@dfandrich
Collaborator

dfandrich commented Jul 31, 2022

@opensignature
Contributor Author

opensignature commented Aug 1, 2022

> Debug log is for anyone who needs more information about an error than is displayed in the error messages

ok, sorry, maybe I don't know curl very well, but which debug log are you referring to?

> .IP "Debug"
> This curl uses a libcurl built with Debug. This enables more error-tracking
> and memory debugging etc. For curl-developers only!

@dfandrich
Collaborator

dfandrich commented Aug 1, 2022

@opensignature
Contributor Author

opensignature commented Aug 1, 2022

> It's also called the verbose log. It's the one you get with the -v option on the command-line or the CURLOPT_DEBUGFUNCTION in libcurl.

With the -v option curl shows "unable to set client certificate" only.
For this reason I proposed this PR.
In https://github.com/curl/curl/blob/9153ba708be87ed6e7c25e1b4864f86fadeb95ad/lib/vtls/openssl.c
there are 106 calls to failf; of these, only about twenty integrate the error with the message from the OpenSSL library.

@bagder
Member

bagder commented Aug 8, 2022

thanks!

@bagder bagder closed this in dc8c859 Aug 8, 2022