On 21/03/2011 20:20, Ben Noordhuis wrote:
> On Mon, Mar 21, 2011 at 17:07, plot.lost <[email protected]> wrote:
>> I am trying to connect to a system (https) that requires client
>> certificates, using the curl_easy interface.
>>
>> I think I've set the required options (CURLOPT_SSLCERT and CURLOPT_SSLKEY)
>> but the connection gets rejected.
>>
>> According to the system I am connecting to, it's because the client
>> certificate "does not have the chaining setup. The Root and CA should be
>> trusted"
>>
>> Now, I thought that the server held these and uses them to verify the client
>> certificate. If that is not the case, does anyone have any clues as to what
>> I need to do? I've tried adding the CA and Root certificates into the same
>> file that holds the client certificate, that made no difference. Is there an
>> additional curl_easy_setopt that needs to be done to add this "chaining
>> setup"?
>>
>> I can confirm that the client certificate has been signed by the correct CA,
>> but for some reason the system rejects the connection and this is the reason
>> they give.
>
> You can point libcurl to the CA or CAs with CURLOPT_CAINFO and
> CURLOPT_CAPATH. The first option takes a filename, the second one the
> name of a directory containing certificates (e.g. "/etc/ssl/certs/").
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette:  http://curl.haxx.se/mail/etiquette.html
I thought the CURLOPT_CAINFO / CAPATH was used for specifying certificates that are used by curl to verify the server certificate, not anything that are used as part of the client certificate processing.

I've tried building a pkcs12 file that contains the client certificate and the relevant CA/Root certificates, and then converted that back into a single PEM file. That gets a PEM file that is different to the usual method of just sticking the certificates together - there are additional elements before each certificate (Bag Attributes, subject and issuer) but that is also rejected by the server.

It's always the same error that comes back - error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error

All they will tell me is that the client certificate is not set up with chaining, just keep repeating that as if somehow saying the same thing over and over again will actually help... Nothing that actually gives any pointers as to how the client certificate should actually be formatted.
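As an added example, not part of the thread or of curl's own code: a shell script that builds a throwaway CA and a client certificate with the openssl CLI (constructed test data; openssl is assumed to be installed), assembles the chain file in the order OpenSSL's chain-file loader expects (leaf first, then the issuing CAs), and checks whether the leaf actually chains to the CA before it is handed to CURLOPT_SSLCERT. The curl command at the end is the CLI equivalent of the options discussed above; SERVER_CA is a placeholder for the bundle that signs the server's certificate.

```shell
#!/bin/sh
# Added example (not from the thread): constructed PKI + chain checks that
# mirror what a server doing "chaining" verification does on the client cert.
set -e
pki=$(mktemp -d)

make_test_pki() {
    # Throwaway root CA (constructed; assumes the openssl CLI is available)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ExampleRootCA \
        -keyout "$pki/ca.key" -out "$pki/ca.pem" >/dev/null 2>&1
    # Client key + CSR, then a leaf certificate signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj /CN=client \
        -keyout "$pki/client.key" -out "$pki/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -set_serial 1 -in "$pki/client.csr" \
        -CA "$pki/ca.pem" -CAkey "$pki/ca.key" -out "$pki/client.pem" >/dev/null 2>&1
    # Plain concatenation, leaf first then issuer(s): the layout
    # SSL_CTX_use_certificate_chain_file reads, so the whole chain is sent
    cat "$pki/client.pem" "$pki/ca.pem" > "$pki/client-chain.pem"
}

# Number of certificates present in a PEM file
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Does the leaf in $1 chain to a trust anchor in $2? Prints ok or fail.
check_chain() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_test_pki
count_certs "$pki/client-chain.pem"          # 2
check_chain "$pki/client.pem" "$pki/ca.pem"  # ok
# Same leaf with no usable trust anchor: this is the situation a server
# reporting "does not have the chaining setup" is complaining about
check_chain "$pki/client.pem" /dev/null      # fail

# CLI equivalent of CURLOPT_SSLCERT / CURLOPT_SSLKEY / CURLOPT_CAINFO;
# -v shows the handshake, including any alert the server sends back.
# SERVER_CA is a placeholder for the bundle that signs the server's cert.
# curl -v --cert "$pki/client-chain.pem" --key "$pki/client.key" \
#      --cacert SERVER_CA https://example.invalid/
```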

