[Solved] SSL change in 1.4.78 that clashes with curl

Added by HenrikHolst 5 days ago

Not entirely sure yet what the change is that triggers this but after switching to 1.4.78 curl suddenly can no longer check the validity of the certificate:

henrik@kobol:~$ curl https://example.com -v
* Host example.com:443 was resolved.
* IPv6: xxxx:8b1:8c3c:3:5
* IPv4: xxx.63..231.101
*   Trying xxx.63.231.101:443...
* Connected to example.com (xxx.63.231.101) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Meanwhile both Firefox and Chrome browse the site perfectly well using TLS, so this is something strange that only seems to affect curl...

lighttp.config is set up like this for TLS:

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable" 
        ssl.pemfile = "/etc/lighttpd/ssl/server.pem" 
        ssl.ca-file = "/etc/lighttpd/ssl/ca-bundle.pem" 
}

where server.pem is both the private key and the certificate while the ca-bundle file is the certificate chain for the TLS cert.


Replies (5)

RE: SSL change in 1.4.78 that clashes with curl - Added by gstrauss 5 days ago

Are you using lighttpd mod_openssl? If you can, please test with the patch commit cd4460f6
A mixture of ECDSA and RSA certs caused certificate selection issues with openssl. Perhaps the patch also addresses your issue.

RE: SSL change in 1.4.78 that clashes with curl - Added by HenrikHolst 5 days ago

could it perhaps be that 1.4.78 no longer sends the entire bundle from ssl.ca-file? That might explain why it works in Firefox and Chrome, since they probably have far more CAs in their store than what base curl has.

RE: SSL change in 1.4.78 that clashes with curl - Added by HenrikHolst 5 days ago

gstrauss wrote in RE: SSL change in 1.4.78 that clashes with curl:

Are you using lighttpd mod_openssl? If you can, please test with the patch commit cd4460f6
A mixture of ECDSA and RSA certs caused certificate selection issues with openssl. Perhaps the patch also addresses your issue.

yes that solved it, huge thanks!

RE: SSL change in 1.4.78 that clashes with curl - Added by gstrauss 5 days ago

could it perhaps be that 1.4.78 no longer sends the entire bundle from ssl.ca-file? That might explain why it works in Firefox and Chrome, since they probably have far more CAs in their store than what base curl has.

That behavior was not changed in lighttpd 1.4.78; that behavior changed with lighttpd 1.4.56 (released in Nov 2020) when lighttpd mod_openssl was rewritten to use openssl 1.0.2 and later interfaces.

You should avoid using the misfeature of openssl to overload and reuse the CA file for client certificate verification to, separately, build the certificate chain for the server certificate.

ssl.ca-file is deprecated and has been replaced by ssl.verifyclient.ca-file.
Leave ssl.verifyclient.ca-file for verifying client certificates.
Please provide the entire intermediate certificate chain for the server certificate in ssl.pemfile.
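A way to check the advice above before restarting the server, added here as an example and not part of the thread or of lighttpd: the script splits an ssl.pemfile into its certificates and runs openssl verify on the first one using only the remaining certificates as untrusted intermediates, which is exactly the position curl is in when the server sends that file as its chain. make_test_chain builds a constructed root/intermediate/leaf trio (not real certificates) so the check can be exercised offline; the file names, subjects and the hypothetical leaf-only.pem/server.pem pair are assumptions of this example.

```shell
#!/bin/sh
# Checks whether a lighttpd ssl.pemfile carries the server certificate plus its
# intermediates, the chain curl needs now that ssl.ca-file is not served as the chain.
set -eu

# Number of certificates in a PEM bundle; private-key blocks are ignored.
pem_cert_count() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Write each certificate of a PEM bundle to DIR/cert-N.pem (cert-1 = server cert).
pem_split_certs() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                        { print > f }
        /^-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# Return 0 if the first certificate in PEMFILE verifies against ROOT using only the
# other certificates in PEMFILE as untrusted intermediates (what curl sees when the
# server sends exactly this file), else return 1.
pemfile_chain_ok() {
    d=$(mktemp -d); pem_split_certs "$1" "$d"; n=$(pem_cert_count "$1")
    set -- -CAfile "$2"
    if [ "$n" -ge 2 ]; then
        i=2; : > "$d/untrusted.pem"
        while [ "$i" -le "$n" ]; do cat "$d/cert-$i.pem" >> "$d/untrusted.pem"; i=$((i + 1)); done
        set -- "$@" -untrusted "$d/untrusted.pem"
    fi
    if openssl verify "$@" "$d/cert-1.pem" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$d"; return "$rc"
}

# Build a throwaway root -> intermediate -> leaf chain in DIR (constructed test
# material, not real certificates): leaf-only.pem mimics a pemfile without the
# chain, server.pem is key + server cert + intermediate as the reply recommends.
make_test_chain() (
    cd "$1"; ec="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    openssl req -x509 -new $ec -keyout root.key -out root.pem -days 2 \
        -subj "/CN=Constructed Root" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    openssl req -new $ec -keyout int.key -out int.csr -subj "/CN=Constructed Intermediate" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
        -extfile ca.ext -out int.pem 2>/dev/null
    openssl req -new $ec -keyout leaf.key -out leaf.csr -subj "/CN=example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 \
        -out leaf.pem 2>/dev/null
    cat leaf.key leaf.pem > leaf-only.pem
    cat leaf.key leaf.pem int.pem > server.pem
)
```

Source the file and run `pemfile_chain_ok /etc/lighttpd/ssl/server.pem <root-ca.pem>` against the real pemfile; with the constructed chain, leaf-only.pem fails the way curl did and server.pem passes.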

RE: SSL change in 1.4.78 that clashes with curl - Added by gstrauss 5 days ago

yes that solved it, huge thanks!

Great! Thank you for reporting this and for testing.

lighttpd 1.4.79 with the above patch will be released today or tomorrow.
