On Thu, Nov 28, 2019 at 4:58 PM Daniel Stenberg <[email protected]> wrote:
>
> On Thu, 28 Nov 2019, Jeffrey Walton via curl-library wrote:
>
> > I'm having trouble connecting to a server that uses Let's Encrypt.
>
> With a huuuge portion of the web now using Let's Encrypt certs, I would've
> expected more people to report problems if that would be the case.

Are folks using the Let's Encrypt X3 CA certificate, or the CA Zoo
with 137 CAs?

If it is the CA Zoo, then folks have exponentially increased their
attack surface. I still remember Diginotar [0,1], and more recently
companies like Symantec issuing certificates for domains they had no
administrative relationship with or operational control over [2].

> I presume you use a recent curl with OpenSSL?

cURL and OpenSSL are provided by Fedora 31.

$ openssl version
OpenSSL 1.1.1d FIPS  10 Sep 2019

$ curl --version
curl 7.66.0 (x86_64-redhat-linux-gnu) libcurl/7.66.0 OpenSSL/1.1.1d-fips ...

> I don't quite understand your remark on needing X509_V_FLAG_PARTIAL_CHAIN. Are
> you not using a full "chain" ?

No. I'm only using the Let's Encrypt X3 ca certificate. I only use the
CA needed for the end entity certificate at hand.

I don't want the CA Zoo. I [almost] never use it.

I attached the reproducer (for me).

[0] http://productforums.google.com/forum/#!category-topic/gmail/share-and-discuss-with-others/3J3r2JqFNTw
[1] Pastebin with the bad cert from Diginotar: https://pastebin.com/ff7Yg663
[2] https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

Sadly, the post from the kid from Iran who blew the lid off Diginotar
is no longer available at [0]. The Google Webmaster deleted his post
(what a fucking idiot, given the historical significance). I have a
copy of it in my inbox. I emailed the text of the post and URL to
myself before the geniuses at Google deleted it.

-----

Here's some output using CURLOPT_VERBOSE.

$ ./test.exe
*   Trying 172.16.2.1:443...
* TCP_NODELAY set
* Connected to example.com (172.16.2.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: ./letsencrypt-ca.pem
  CApath: none
* SSL certificate problem: unable to get issuer certificate
* Closing connection 0
Error 60, SSL peer certificate or SSH remote key was not OK.

-----

Here's an ldd on the test executable.

$ ldd test.exe
        linux-vdso.so.1 (0x00007ffcee5ef000)
        libcurl.so.4 => /lib64/libcurl.so.4 (0x00007f79aee55000)
        libsqlite3.so.0 => /lib64/libsqlite3.so.0 (0x00007f79aed3b000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f79aed30000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f79aed29000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f79aed07000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f79aeb3e000)
        libnghttp2.so.14 => /lib64/libnghttp2.so.14 (0x00007f79aeb13000)
        libidn2.so.0 => /lib64/libidn2.so.0 (0x00007f79aeaf1000)
        libssh.so.4 => /lib64/libssh.so.4 (0x00007f79aea81000)
        libpsl.so.5 => /lib64/libpsl.so.5 (0x00007f79aea6e000)
        libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f79ae9d8000)
        libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f79ae6f8000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f79ae6a4000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f79ae5b3000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f79ae59a000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f79ae593000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f79ae542000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f79ae531000)
        libbrotlidec.so.1 => /lib64/libbrotlidec.so.1 (0x00007f79ae520000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f79ae506000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f79ae3c0000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f79aef01000)
        libunistring.so.2 => /lib64/libunistring.so.2 (0x00007f79ae23c000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f79ae22a000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f79ae221000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f79ae208000)
        libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f79ae1e8000)
        libbrotlicommon.so.1 => /lib64/libbrotlicommon.so.1 (0x00007f79ae1c5000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f79ae198000)
        libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f79ae15b000)
        libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f79ae0cd000)

#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <limits.h>      /* PATH_MAX */
#include <curl/curl.h>

/* CA file holding only the Let's Encrypt X3 intermediate, no root */
const char ca[] = "./letsencrypt-ca.pem";
const char url[] = "https://openssl.org/news/secadv/20190910.txt";
const char of[PATH_MAX] = "./fetch.txt";   /* where the body is written */

/*  gcc -Wall test.c -o test.exe -lcurl -ldl */
int main (int argc, char* argv[])
{
    int ret = EXIT_FAILURE;
    FILE *fp = NULL;
    CURL *curl = NULL;
    CURLcode res;

    (void)argc; (void)argv;

    fp = fopen(of, "wb");
    if (fp == NULL)
    {
        printf("Failed to open %s\n", of);
        goto finish;
    }

    curl = curl_easy_init();
    if (curl == NULL)
    {
        printf("Failed to initialize cURL\n");
        goto finish;
    }

    res = curl_easy_setopt (curl, CURLOPT_URL, url);
    if (res != CURLE_OK)
    {
        printf("Failed to set CURLOPT_URL\n");
        goto finish;
    }

    /* Verify the peer against this file only; CApath stays unset */
    res = curl_easy_setopt (curl, CURLOPT_CAINFO, ca);
    if (res != CURLE_OK)
    {
        printf("Failed to set CURLOPT_CAINFO\n");
        goto finish;
    }

    /* Default write callback is fwrite(), so the FILE* is enough */
    res = curl_easy_setopt (curl, CURLOPT_WRITEDATA, fp);
    if (res != CURLE_OK)
    {
        printf("Failed to set CURLOPT_WRITEDATA\n");
        goto finish;
    }

    res = curl_easy_perform(curl);
    if (res != CURLE_OK)
    {
        printf("Failed to download file, error %d, %s.\n",
            res, curl_easy_strerror(res));
        goto finish;
    }

    ret = EXIT_SUCCESS;

finish:

    if (fp)
        fclose(fp);

    if (curl)
        curl_easy_cleanup(curl);

    return ret;
}

#if 0
// This is letsencrypt-ca.pem
-----BEGIN CERTIFICATE-----
[certificate body not included in this copy of the message]
-----END CERTIFICATE-----
#endif
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html