Re: [openssl-users] OpenSSL outputs entire CA bundle with libcurl
On 27/10/2017 19:11, Andrew Gale wrote:
> Jakob,
>
> My responses inline :
>
> - Is it being output to the network or to the terminal window where curl is used?
>
> The output occurs in the terminal window when the program is run.
>
> - Is it being output as shown (Base64 text with ending "=" signs and a newline after each cert) or is it being output in another form that you just describe that way?
>
> It is output as shown. Base64 text ending in "=" signs, newline after each cert, but with no "BEGIN / END CERTIFICATE"

In that case, it looks like it is debug output.

Did you by any chance configure or run curl with options to print lots of debug traces? Perhaps such an option is causing something to print each trusted CA cert as it is loaded into memory or checked.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
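Added example (not part of the thread, and not code from curl or OpenSSL): a triage helper for the symptom discussed above. It scans captured terminal output for header-less base64 blobs that decode to a DER SEQUENCE and reports whether each one is a certificate body from the CA bundle. The function names and sample data are constructed for illustration, and it assumes each base64 line is a whole number of 4-character groups (the usual 64- or 76-column wrapping).

```python
import base64, binascii, re, textwrap

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def bundle_ders(pem_text):
    """DER bytes of every certificate in a PEM bundle such as cacert.pem."""
    return {base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)}

def der_total_len(der):
    """Size announced by an outer SEQUENCE with a 2-byte length (typical for X.509), else None."""
    if len(der) >= 4 and der[:2] == b"\x30\x82":
        return 4 + int.from_bytes(der[2:4], "big")
    return None

def find_bare_certs(captured, pem_text):
    """Return (first_line_number, is_in_bundle) for each header-less base64 DER blob."""
    known, hits, run, start = bundle_ders(pem_text), [], "", 0
    for no, line in enumerate(captured.splitlines(), 1):
        s = line.strip()
        if not B64_LINE.fullmatch(s):
            run = ""                      # verbose lines ("> POST ...", "< HTTP/1.1 ...") end a run
            continue
        start = start if run else no
        run += s
        try:
            der = base64.b64decode(run, validate=True)
        except binascii.Error:
            der = b""                     # not base64 after all (an ordinary word, bad padding)
        total = der_total_len(der)
        if total == len(der):             # blob complete: compare it with the bundle
            hits.append((start, der in known))
        if total is None or len(der) >= total:
            run = ""
    return hits

def _fake_der(seed):
    """Constructed stand-in for a certificate: valid outer SEQUENCE header, dummy body."""
    body = bytes((seed + i) % 256 for i in range(300))
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body

def _b64(der):
    return "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))

# Constructed sample: a two-entry bundle and a capture shaped like the one in the thread.
BUNDLE = "".join(f"-----BEGIN CERTIFICATE-----\n{_b64(_fake_der(s))}\n-----END CERTIFICATE-----\n" for s in (1, 2))
CAPTURE = "\n".join([_b64(_fake_der(1)), _b64(_fake_der(2)), "> POST /ftd/inform HTTP/1.1",
                     "< HTTP/1.1 200 OK", _b64(_fake_der(9))])
print(find_bare_certs(CAPTURE, BUNDLE))  # [(1, True), (8, True), (17, False)]
```

A blob reported as matching the bundle confirms that the stray text is the trust store being echoed; capturing stdout and stderr separately then shows which stream the printing code writes to.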
Re: [openssl-users] OpenSSL outputs entire CA bundle with libcurl
Jakob,

My responses inline :

- Is it being output to the network or to the terminal window where curl is used?

The output occurs in the terminal window when the program is run.

- Is it being output as shown (Base64 text with ending "=" signs and a newline after each cert) or is it being output in another form that you just describe that way?

It is output as shown. Base64 text ending in "=" signs, newline after each cert, but with no "BEGIN / END CERTIFICATE"

Thanks,
Andy
Re: [openssl-users] OpenSSL outputs entire CA bundle with libcurl
On 27/10/2017 00:47, Andrew Gale wrote:
> Hello all,
>
> First, some config info:
>
> OpenSSL v1.0.1t
> PLATFORM=arm-linux-
> OPTIONS=enable-tls enable-threads enable-shared --cross-compile-prefix=arm-linux- -pthread --prefix=/usr/local no-ec_nistp_64_gcc_128 no-gmp no-idea no-jpake no-krb5 no-md2 no-mdc2 no-rc5 no-rfc3779 no-ripemd no-sctp no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic no-static-engine
> CONFIGURE_ARGS=enable-tls no-zlib threads no-idea no-mdc2 no-rc5 no-ripemd shared --cross-compile-prefix=arm-linux- arm-linux- -pthread --prefix=/usr/local
> SHLIB_TARGET=linux-shared
>
> When making a request every certificate in the cacert.pem bundle is output before the response (without the BEGIN/END):
>
> <<< Make request >>>
> MIIDdTCCAl2gAwIBAgILBAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx
> GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds
> b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV
> BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD
> VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa
> DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc
> THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb
> Kk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP
> c1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX
> gzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
> HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF
> AAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj
> Y1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG
> j/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH
> hm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC
> X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
> <<< All other certs follow >>>
> > POST /ftd/inform HTTP/1.1
> Host:
> Authorization: Basic
> Accept: */*
> Content-Type: application/json
> Content-Length: 267
> < HTTP/1.1 200 OK
> < Server: openresty
> < Date: Thu, 26 Oct 2017 18:39:48 GMT
> < Content-Type: application/json;charset=UTF-8
> < Transfer-Encoding: chunked
> < Connection: keep-alive
> < Cache-Control: no-cache, no-store
> < x-trace-id: 70110f353234-275b-00013e4b
> <
> 334 bytes retrieved
>
> Daniel of cURL believes this is an issue with the OpenSSL lib since it's the only component involved that actually knows of the entire CA cert bundle. libcurl lets the SSL library deal with it and never gets to know the entire thing.
>
> Does anyone know what could be causing the CA bundle to get spewed out every time a request is made? I received this library with the config already set so I'm not exactly sure if this is caused by one of those options.
>
> (and this does not occur when making the same request with the curl command from my host machine)

Please clarify:

- Is it being output to the network or to the terminal window where curl is used?

- Is it being output as shown (Base64 text with ending "=" signs and a newline after each cert) or is it being output in another form that you just describe that way?

Enjoy

Jakob
[openssl-users] OpenSSL outputs entire CA bundle with libcurl
Hello all,

First, some config info:

OpenSSL v1.0.1t
PLATFORM=arm-linux-
OPTIONS=enable-tls enable-threads enable-shared --cross-compile-prefix=arm-linux- -pthread --prefix=/usr/local no-ec_nistp_64_gcc_128 no-gmp no-idea no-jpake no-krb5 no-md2 no-mdc2 no-rc5 no-rfc3779 no-ripemd no-sctp no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic no-static-engine
CONFIGURE_ARGS=enable-tls no-zlib threads no-idea no-mdc2 no-rc5 no-ripemd shared --cross-compile-prefix=arm-linux- arm-linux- -pthread --prefix=/usr/local
SHLIB_TARGET=linux-shared

When making a request every certificate in the cacert.pem bundle is output before the response (without the BEGIN/END):

<<< Make request >>>
MIIDdTCCAl2gAwIBAgILBAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx
GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds
b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV
BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD
VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa
DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc
THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb
Kk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP
c1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX
gzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF
AAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj
Y1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG
j/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH
hm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC
X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
<<< All other certs follow >>>
> POST /ftd/inform HTTP/1.1
Host:
Authorization: Basic
Accept: */*
Content-Type: application/json
Content-Length: 267
< HTTP/1.1 200 OK
< Server: openresty
< Date: Thu, 26 Oct 2017 18:39:48 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: no-cache, no-store
< x-trace-id: 70110f353234-275b-00013e4b
<
334 bytes retrieved

Daniel of cURL believes this is an issue with the OpenSSL lib since it's the only component involved that actually knows of the entire CA cert bundle. libcurl lets the SSL library deal with it and never gets to know the entire thing.

Does anyone know what could be causing the CA bundle to get spewed out every time a request is made? I received this library with the config already set so I'm not exactly sure if this is caused by one of those options.

(and this does not occur when making the same request with the curl command from my host machine)

Thanks for your time,
Andy Gale