I'd like to connect via TLSv1.2 using cURL to a server which also needs a client certificate for authentication.
Using the command `curl -v --cert cert.crt.pem --key cert.key.pem https://target.de:443`, I then obtain the response
```
* Rebuilt URL to: https://target.de:443/
* TCP_NODELAY set
* Connected to target.de (...) port 443 (#0)
* schannel: SSL/TLS connection with target.de port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 188 bytes...
* schannel: sent initial handshake data: sent 188 bytes
* schannel: SSL/TLS connection with target.de port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with target.de port 443 (step 2/3)
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with target.de port 443 (step 2/3)
* schannel: encrypted data buffer: offset 4277 length 5120
* schannel: a client certificate has been requested
* schannel: SSL/TLS connection with target.de port 443 (step 2/3)
* schannel: encrypted data buffer: offset 4277 length 5301
* schannel: sending next handshake data: sending 133 bytes...
* schannel: SSL/TLS connection with target.de port 443 (step 2/3)
* schannel: encrypted data buffer: offset 7 length 5301
* schannel: next InitializeSecurityContext failed: SEC_E_CERT_UNKNOWN (0x80090327)
```
According to the event logging of SCHANNEL, the problem is:

> The remote server has requested TLS client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This TLS connection request may succeed or fail, depending on the server's policy settings.
A Wireshark trace shows me basically a successful "Client Hello", a "Server Hello" including the certificate of the server together with its issuer, and the request for the client certificate. However, in the response, the client certificate does not seem to be sent: my reply contains basically no certificates, which then leads to a failure of the connection. In the Wireshark dump, I find a list of 6 certificate DNs, one of which matches my certificate. This certificate (also imported into my private key store) is valid for client authentication.
The SCHANNEL log reads that there are 6 issuers (!) given and that the available certificates are now checked against those. My certificate seems not to match the issuers, but the subject!?
So I see the list of Acceptable client certificate **CA** names, but actually that list contains a name which is my certificate's subject line, not its issuer.
Any other ideas?
Remarks:
While the same settings seem to work on another (Linux) machine, I fail to get it working on Windows. Do you have any ideas what might go wrong with the certificates?
I'm not sure, but doing the same using openssl (`openssl.exe s_client -connect target.de:443 -CAfile cacert.pem -cert cert.crt.pem -key cert.key.pem`) seems, according to Wireshark, to lead to transmission of the client certificate.
As, in the end, I want to go to .NET/C#, I am trying to understand the reason for the failure first.
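The handshake step the question is about, as an added example that is not part of the original post or of curl/Schannel: the server's TLS 1.2 `CertificateRequest` carries a list of DER-encoded distinguished names (`certificate_authorities`), and a store-based TLS stack picks a client certificate whose *issuer* appears in that list, not one whose *subject* does. The script below builds such a message from constructed DNs (the names `alice`, `Corp Issuing CA`, `Other Root CA` and `Example` are invented, they are not the DNs from the capture), parses it back, decodes the DNs to readable form, and runs the issuer-based selection rule over a constructed candidate certificate. The selection rule is an assumption written to mirror the behaviour the Schannel event log describes, not Schannel's own code. Only short-form DER lengths and the CN/O/C attributes are handled, which is enough for the demonstration.

```python
"""Decode a TLS 1.2 CertificateRequest and check which local certificate it
would select.  Added example: all DNs and handshake bytes are constructed."""
import struct

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}

# --- minimal DER helpers (short-form lengths only, bodies < 128 bytes) -------
def der(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "long-form DER lengths not handled in this example"
    return bytes([tag, len(body)]) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                       # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return der(0x06, bytes(out))

def encode_dn(parts) -> bytes:
    """parts: [("CN", "alice"), ("O", "Example")] -> DER Name (SEQUENCE of SET of AVA)."""
    rev = {v: k for k, v in OID_NAMES.items()}
    rdns = b"".join(der(0x31, der(0x30, encode_oid(rev[k]) + der(0x0C, v.encode())))
                    for k, v in parts)
    return der(0x30, rdns)

def _tlv(buf: bytes, pos: int):
    tag, ln = buf[pos], buf[pos + 1]
    assert ln < 128, "long-form DER lengths not handled in this example"
    start = pos + 2
    return tag, buf[start:start + ln], start + ln

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_dn(dn_der: bytes) -> str:
    """Render a DER Name as 'CN=...,O=...' (first AVA of each RDN only)."""
    tag, seq, _ = _tlv(dn_der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = _tlv(seq, pos)
        _, ava, _ = _tlv(rdn_set, 0)
        _, oid, p2 = _tlv(ava, 0)
        _, val, _ = _tlv(ava, p2)
        name = decode_oid(oid)
        parts.append(f"{OID_NAMES.get(name, name)}={val.decode()}")
    return ",".join(parts)

# --- TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4) ----------------------
def build_certificate_request(acceptable_cas) -> bytes:
    cert_types = bytes([1, 64])                 # rsa_sign, ecdsa_sign
    sig_algs = bytes([4, 1, 4, 3])              # sha256/rsa, sha256/ecdsa
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in acceptable_cas)
    body = (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)
    return bytes([13]) + len(body).to_bytes(3, "big") + body   # HandshakeType 13

def parse_certificate_request(msg: bytes):
    """Return (certificate_types, [(hash, sig)], [decoded DN strings])."""
    assert msg[0] == 13, "not a CertificateRequest handshake message"
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    n = body[0]
    cert_types, pos = body[1:1 + n], 1 + n
    (n,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos, pos + n, 2)]; pos += n
    (n,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    end, cas = pos + n, []
    while pos < end:
        (ln,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        cas.append(decode_dn(body[pos:pos + ln])); pos += ln
    return cert_types, sig_algs, cas

def select_client_cert(candidates, acceptable_cas):
    """Assumed store-style selection: the candidate's ISSUER must be in the
    server's acceptable-CA list and the cert must allow clientAuth.  A match
    on the candidate's own subject line does not count."""
    return [c for c in candidates if c["client_auth"] and c["issuer"] in acceptable_cas]

# Constructed candidate certificate (metadata only; no real certificate is needed).
CLIENT_CERT = {"subject": "CN=alice,O=Example",
               "issuer": "CN=Corp Issuing CA,O=Example", "client_auth": True}
# Constructed server list that names the client's SUBJECT, not its issuer.
CA_LIST_WITH_SUBJECT = [encode_dn([("CN", "alice"), ("O", "Example")]),
                        encode_dn([("CN", "Other Root CA")])]
# Constructed server list that names the client's ISSUER.
CA_LIST_WITH_ISSUER = [encode_dn([("CN", "Corp Issuing CA"), ("O", "Example")])]

def demo():
    results = {}
    for label, ca_list in (("subject", CA_LIST_WITH_SUBJECT), ("issuer", CA_LIST_WITH_ISSUER)):
        _, _, cas = parse_certificate_request(build_certificate_request(ca_list))
        results[label] = [c["subject"] for c in select_client_cert([CLIENT_CERT], cas)]
        print(f"acceptable CAs {cas} -> selected {results[label]}")
    return results

if __name__ == "__main__":
    demo()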
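```

Run with `python3 certreq.py` (assumed file name). With the subject-only list nothing is selected, which is the situation the question describes; once the client certificate's issuer DN appears in the list, the same certificate is chosen.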