#790750 [curl] HTTPS client certificates don't work anymore

Package:
curl
Source:
curl
Description:
command line tool for transferring data with URL syntax
Submitter:
Franz Schrober
Date:
2025-08-07 10:03:02 UTC
Severity:
normal
Tags:
#790750#5
Date:
2015-07-01 13:17:10 UTC
From:
To:
sid seems to have changed from curl-openssl to curl-gnutls. As a result, client certificates don't work anymore. The client cert packet just contains 0 certificates when 1 certificate is expected. It worked fine with curl-openssl.

I only get HTTP 403 when Apache is configured to require client certificates.

    (asd.crt is pem certificate and asd.key is the key)
    curl -v --cert asd.crt --key asd.key --cacert manymanymany_certificates.crt https://example.org/resource

The url could be something like https://auth.startssl.com/

And the client certificate packet looks like:


    Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 7
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 3
            Certificates Length: 0

But it should look like (seen with old curl-openssl):

    Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4364
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 4360
            Certificates Length: 4357
            Certificates (4357 bytes)

Debian Release: stretch/sid
500 unstable        httpredir.debian.org
--- Package information. ---
Depends         (Version) | Installed
=========================-+-=============
libc6           (>= 2.17) |
libcurl3     (= 7.37.1-1) |
zlib1g       (>= 1:1.1.4) |


Package's Recommends field is empty.

Package's Suggests field is empty.
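The two captures above differ only in whether the Certificate handshake message carries a certificate list. As an added example (not part of the bug report or of curl), the Python below parses a TLS 1.0 to 1.2 record holding a Certificate message and reports the same fields Wireshark prints, so a capture can be checked programmatically. The input bytes are constructed here: the empty record reproduces the lengths of the first dump (record length 7, handshake length 3, certificate list length 0), and the two "certificates" in the second sample are placeholder bytes, not real DER. Function names are the example's own. Worth knowing when reading such a dump: RFC 5246 section 7.4.6 requires a client that has no suitable certificate to send a Certificate message with an empty list, so the first dump means the TLS library decided it had nothing to present, not that the message was dropped.

```python
import struct

HANDSHAKE = 22      # TLS record content type for handshake messages
CERTIFICATE = 11    # handshake message type for Certificate
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def _u24(b: bytes, off: int) -> int:
    """Read a 3-byte big-endian integer, the length size TLS uses in handshakes."""
    return (b[off] << 16) | (b[off + 1] << 8) | b[off + 2]


def parse_certificate_record(rec: bytes) -> dict:
    """Parse one TLS record carrying a Certificate handshake message.

    Returns the fields Wireshark prints for such a record (version, lengths,
    certificate count and sizes). Raises ValueError when the record is not a
    well-formed Certificate message, e.g. when lengths do not add up.
    """
    if len(rec) < 5:
        raise ValueError("record header truncated")
    ctype, version, rec_len = struct.unpack("!BHH", rec[:5])
    if ctype != HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {ctype})")
    body = rec[5:]
    if len(body) != rec_len:
        raise ValueError(f"record length {rec_len} but {len(body)} bytes follow")
    if len(body) < 7:
        raise ValueError("handshake header truncated")
    hs_type = body[0]
    hs_len = _u24(body, 1)
    if hs_type != CERTIFICATE:
        raise ValueError(f"not a Certificate message (handshake type {hs_type})")
    if hs_len != len(body) - 4:
        raise ValueError("handshake length does not match record length")
    certs_len = _u24(body, 4)
    if certs_len != hs_len - 3:
        raise ValueError("certificate_list length does not match handshake length")
    # Walk the certificate_list: each entry is a 3-byte length plus DER bytes.
    certs = []
    off, end = 7, 7 + certs_len
    while off < end:
        clen = _u24(body, off)
        off += 3
        if off + clen > end:
            raise ValueError("certificate entry overruns certificate_list")
        certs.append(body[off:off + clen])
        off += clen
    return {
        "version": VERSIONS.get(version, f"0x{version:04x}"),
        "record_length": rec_len,
        "handshake_length": hs_len,
        "certificates_length": certs_len,
        "certificate_count": len(certs),
        "certificate_sizes": [len(c) for c in certs],
    }


def build_certificate_record(certs, version=0x0303) -> bytes:
    """Inverse of the parser: build a Certificate record from DER blobs."""
    cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    hs_body = len(cert_list).to_bytes(3, "big") + cert_list
    hs = bytes([CERTIFICATE]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs


def client_sent_certificate(rec: bytes) -> bool:
    """True when the Certificate message carries at least one certificate."""
    return parse_certificate_record(rec)["certificate_count"] > 0


# Constructed sample: the bytes behind the "Certificates Length: 0" dump
# (TLS 1.0 record, record length 7, handshake length 3, empty list).
EMPTY_CERT_RECORD = bytes.fromhex("16 0301 0007 0b 000003 000000")

# Constructed sample: two placeholder "certificates" (not real DER) so the
# non-empty path is exercised offline.
TWO_CERT_RECORD = build_certificate_record([b"\x30" * 10, b"\x30" * 20])

if __name__ == "__main__":
    for name, rec in (("empty", EMPTY_CERT_RECORD), ("two certs", TWO_CERT_RECORD)):
        print(name, parse_certificate_record(rec))
```

To use it on a real capture, export the bytes of the client's Certificate record from Wireshark (or read them from a pcap with a library of your choice) and pass them to `parse_certificate_record`; a `certificate_count` of 0 is the condition described in this report.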

#790750#10
Date:
2015-07-01 13:49:43 UTC
From:
To:
The relevant usage information of the client cert is:

|	|	subjectPublicKeyInfo
|	|	|	algorithm (rsaEncryption)
|	|	|	|	Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
|	|	|	Padding: 0
|	|	|	subjectPublicKey: ...
|	|	extensions: 4 items
|	|	|	Extension (id-ce-cRLDistributionPoints)
|	|	|	|	Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
|	|	|	|	CRLDistPointsSyntax: 1 item
|	|	|	Extension (id-ce-basicConstraints)
|	|	|	|	Extension Id: 2.5.29.19 (id-ce-basicConstraints)
|	|	|	|	BasicConstraintsSyntax [0 length]
|	|	|	Extension (id-ce-keyUsage)
|	|	|	|	Extension Id: 2.5.29.15 (id-ce-keyUsage)
|	|	|	|	Padding: 5
|	|	|	|	KeyUsage: e0 (digitalSignature, contentCommitment, keyEncipherment)
|	|	|	|	|	1... .... = digitalSignature: True
|	|	|	|	|	.1.. .... = contentCommitment: True
|	|	|	|	|	..1. .... = keyEncipherment: True
|	|	|	|	|	...0 .... = dataEncipherment: False
|	|	|	|	|	.... 0... = keyAgreement: False
|	|	|	|	|	.... .0.. = keyCertSign: False
|	|	|	|	|	.... ..0. = cRLSign: False
|	|	|	|	|	.... ...0 = encipherOnly: False
|	|	|	|	|	0... .... = decipherOnly: False
|	|	|	Extension (id-ce-extKeyUsage)
|	|	|	|	Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
|	|	|	|	KeyPurposeIDs: 1 item
|	|	|	|	|	KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
|	algorithmIdentifier (shaWithRSAEncryption)

I've also tested a key from startssl. Here, submitting the key seems to work. The relevant parts are:

|	|	|	|	|	|	subjectPublicKeyInfo
|	|	|	|	|	|	|	algorithm (rsaEncryption)
|	|	|	|	|	|	|	|	Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
|	|	|	|	|	|	|	Padding: 0
|	|	|	|	|	|	|	subjectPublicKey: ...
|	|	|	|	|	|	extensions: 10 items
|	|	|	|	|	|	|	Extension (id-ce-basicConstraints)
|	|	|	|	|	|	|	|	Extension Id: 2.5.29.19 (id-ce-basicConstraints)
|	|	|	|	|	|	|	|	BasicConstraintsSyntax [0 length]
|	|	|	|	|	|	|	Extension (id-ce-keyUsage)
|	|	|	|	|	|	|	|	Extension Id: 2.5.29.15 (id-ce-keyUsage)
|	|	|	|	|	|	|	|	Padding: 4
|	|	|	|	|	|	|	|	KeyUsage: b0 (digitalSignature, keyEncipherment, dataEncipherment)
|	|	|	|	|	|	|	|	|	1... .... = digitalSignature: True
|	|	|	|	|	|	|	|	|	.0.. .... = contentCommitment: False
|	|	|	|	|	|	|	|	|	..1. .... = keyEncipherment: True
|	|	|	|	|	|	|	|	|	...1 .... = dataEncipherment: True
|	|	|	|	|	|	|	|	|	.... 0... = keyAgreement: False
|	|	|	|	|	|	|	|	|	.... .0.. = keyCertSign: False
|	|	|	|	|	|	|	|	|	.... ..0. = cRLSign: False
|	|	|	|	|	|	|	|	|	.... ...0 = encipherOnly: False
|	|	|	|	|	|	|	|	|	0... .... = decipherOnly: False
|	|	|	|	|	|	|	Extension (id-ce-extKeyUsage)
|	|	|	|	|	|	|	|	Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
|	|	|	|	|	|	|	|	KeyPurposeIDs: 2 items
|	|	|	|	|	|	|	|	|	KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
|	|	|	|	|	|	|	|	|	KeyPurposeId: 1.3.6.1.5.5.7.3.4 (id-kp-emailProtection)
|	|	|	|	|	|	|	Extension (id-ce-subjectKeyIdentifier)
|	|	|	|	|	|	|	|	Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
|	|	|	|	|	|	|	|	SubjectKeyIdentifier: bb5a39bb699ba8db7a1732e4c31342d2eb43ec0b
|	|	|	|	|	|	|	Extension (id-ce-authorityKeyIdentifier)
|	|	|	|	|	|	|	|	Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
|	|	|	|	|	|	|	|	AuthorityKeyIdentifier
|	|	|	|	|	|	|	Extension (id-ce-subjectAltName)
|	|	|	|	|	|	|	|	Extension Id: 2.5.29.17 (id-ce-subjectAltName)
|	|	|	|	|	|	|	|	GeneralNames: 1 item
|	|	|	|	|	|	|	Extension (id-ce-certificatePolicies)
|	|	|	|	|	|	|	|	Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
|	|	|	|	|	|	|	|	CertificatePoliciesSyntax: 1 item
|	|	|	|	|	|	|	Extension (id-ce-cRLDistributionPoints)
|	|	|	|	|	|	|	|	Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
|	|	|	|	|	|	|	|	CRLDistPointsSyntax: 1 item
|	|	|	|	|	|	|	Extension (id-pe-authorityInfoAccessSyntax)
|	|	|	|	|	|	|	|	Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccessSyntax)
|	|	|	|	|	|	|	|	AuthorityInfoAccessSyntax: 2 items
|	|	|	|	|	|	|	Extension (id-ce-issuerAltName)
|	|	|	|	|	|	|	|	Extension Id: 2.5.29.18 (id-ce-issuerAltName)
|	|	|	|	|	|	|	|	GeneralNames: 1 item
|	|	|	|	|	algorithmIdentifier (sha256WithRSAEncryption)
|	|	|	|	|	|	Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
|	|	|	|	|	Padding: 0

What catches my eye is that startssl disables contentCommitment and enables dataEncipherment. They also have an extra purpose: id-kp-emailProtection.

But these should not be relevant for client certificates when using HTTPS.
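To check the reporter's reading of the two KeyUsage and ExtKeyUsage values, here is an added example (not part of the bug report, and not GnuTLS's or curl's own logic) that decodes DER KeyUsage BIT STRINGs and ExtKeyUsage OID sequences and applies the RFC 5280 conditions a TLS client certificate has to meet: digitalSignature must be set (the client signs CertificateVerify) and, if an ExtKeyUsage extension is present, it must list id-kp-clientAuth. The DER bytes are constructed from the values shown in the dumps above (padding 5 with e0, padding 4 with b0, and the two KeyPurposeId lists); the function names and the `usable_for_tls_client_auth` check are the example's own. Both certificates pass the check, which matches the reporter's point that these differences should not matter for HTTPS client authentication.

```python
# Bit positions of the KeyUsage BIT STRING, RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "contentCommitment", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Extended key purpose OIDs from RFC 5280 section 4.2.1.12, dotted form.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "id-kp-serverAuth",
    "1.3.6.1.5.5.7.3.2": "id-kp-clientAuth",
    "1.3.6.1.5.5.7.3.4": "id-kp-emailProtection",
}
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"


def _tlv(der: bytes, off: int = 0):
    """Read one short-form DER TLV; returns (tag, value, offset_after)."""
    tag, length = der[off], der[off + 1]
    if length >= 0x80:
        raise ValueError("long-form DER lengths are not handled in this example")
    start = off + 2
    return tag, der[start:start + length], start + length


def decode_key_usage(der: bytes) -> dict:
    """Decode a DER KeyUsage BIT STRING into named boolean flags.

    The first content byte is the count of unused trailing bits (the 'Padding'
    value in the Wireshark dump); bit 0 (digitalSignature) is the most
    significant bit of the first data byte. Bits not encoded are unset.
    """
    tag, value, _ = _tlv(der)
    if tag != 0x03:
        raise ValueError(f"expected BIT STRING (0x03), got 0x{tag:02x}")
    unused, bits = value[0], value[1:]
    total_bits = len(bits) * 8 - unused
    flags = {}
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:
            flags[name] = False
            continue
        byte, shift = divmod(i, 8)
        flags[name] = bool(bits[byte] & (0x80 >> shift))
    return {"padding": unused, "flags": flags}


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:           # high bit clear ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_ext_key_usage(der: bytes) -> list:
    """Decode a DER ExtKeyUsageSyntax (SEQUENCE OF OBJECT IDENTIFIER)."""
    tag, seq, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE (0x30)")
    oids, off = [], 0
    while off < len(seq):
        t, v, off = _tlv(seq, off)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside ExtKeyUsage")
        oids.append(decode_oid(v))
    return oids


def usable_for_tls_client_auth(key_usage_der: bytes, eku_der=None) -> bool:
    """RFC 5280-style check for a TLS client certificate: the key must be
    allowed to sign, and an ExtKeyUsage extension, if present, must name
    id-kp-clientAuth. Absent ExtKeyUsage imposes no purpose restriction."""
    if not decode_key_usage(key_usage_der)["flags"]["digitalSignature"]:
        return False
    if eku_der is not None and ID_KP_CLIENT_AUTH not in decode_ext_key_usage(eku_der):
        return False
    return True


# Constructed DER for the values in the two dumps above.
KU_REPORTER = bytes.fromhex("03 02 05 e0")   # digitalSignature, contentCommitment, keyEncipherment
KU_STARTSSL = bytes.fromhex("03 02 04 b0")   # digitalSignature, keyEncipherment, dataEncipherment
EKU_REPORTER = bytes.fromhex("30 0a 06 08 2b 06 01 05 05 07 03 02")
EKU_STARTSSL = bytes.fromhex("30 14 06 08 2b 06 01 05 05 07 03 02 06 08 2b 06 01 05 05 07 03 04")

if __name__ == "__main__":
    for label, ku, eku in (("reporter", KU_REPORTER, EKU_REPORTER),
                           ("startssl", KU_STARTSSL, EKU_STARTSSL)):
        flags = decode_key_usage(ku)["flags"]
        print(label, [n for n, on in flags.items() if on],
              [EKU_NAMES.get(o, o) for o in decode_ext_key_usage(eku)],
              "client-auth OK" if usable_for_tls_client_auth(ku, eku) else "NOT usable")
```

The decoder only handles short-form DER lengths, which is all these two extensions need; a full certificate parser would use a proper ASN.1 library.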

#790750#15
Date:
2015-07-01 14:14:33 UTC
From:
To:
Here is an example of how to create some dummy certificates which should work but are not working with curl-gnutls (they do work with curl-openssl):

    openssl req \
     -new \
     -newkey rsa:4096 \
     -days 365 \
     -nodes \
     -x509 \
     -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
     -keyout client.key \
     -out client.crt
    curl -v --cert client.crt --key client.key https://auth.startssl.com/

#790750#20
Date:
2015-07-31 13:22:13 UTC
From:
To:
Hi Franz,

sorry for the delay, I seem to have missed the report when you submitted it...

I can't reproduce this. I tried using "openssl s_server" with the -verify
option and the client certificate is sent correctly AFAICT. Could you try this
as well and post what s_server says?

Cheers

#790750#27
Date:
2019-07-29 07:28:43 UTC
From:
To:
Everyone should take a look at this! www.taycerares1970.blogspot.am
#790750#32
Date:
2020-09-15 11:13:07 UTC
From:
To:
📢 It has been days since my last hello. I hope you are doing well.
https://bit.ly/3igFSXi



 Franz Schrober

 9/15/2020 4:13:07 AM

#790750#37
Date:
2022-09-15 08:17:13 UTC
From:
To:
Have you tried it yet? https://bit.ly/3QNHKHn
#790750#42
Date:
2022-10-03 16:49:30 UTC
From:
To:
#790750#47
Date:
2024-07-22 16:14:33 UTC
From:
To:
#790750#52
Date:
2024-07-22 16:14:36 UTC
From:
To:
Here is a kind greeting from me. I hope everything is okay with you.
#790750#57
Date:
2025-08-07 10:00:40 UTC
From:
To:
What are you up to? 790750