OpenSSL outputs entire CA bundle with libcurl

OpenSSL outputs entire CA bundle with libcurl

Andrew Gale
Hello all,

First, some config info:
OpenSSL v1.0.1t

PLATFORM=arm-linux-
OPTIONS=enable-tls enable-threads enable-shared --cross-compile-prefix=arm-linux- -pthread --prefix=/usr/local no-ec_nistp_64_gcc_128 no-gmp no-idea no-jpake no-krb5 no-md2 no-mdc2 no-rc5 no-rfc3779 no-ripemd no-sctp no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic no-static-engine
CONFIGURE_ARGS=enable-tls no-zlib threads no-idea no-mdc2 no-rc5 no-ripemd shared --cross-compile-prefix=arm-linux- arm-linux- -pthread --prefix=/usr/local
SHLIB_TARGET=linux-shared


When making a request every certificate in the cacert.pem bundle is output before the response (without the BEGIN/END):

<<< Make request >>>
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx
GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds
b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV
BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD
VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa
DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc
THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb
Kk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP
c1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX
gzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF
AAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj
Y1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG
j/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH
hm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC
X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
<<< All other certs follow >>>
> POST /ftd/inform HTTP/1.1
Host: <retracted>
Authorization: Basic <retracted>
Accept: */*
Content-Type: application/json
Content-Length: 267

< HTTP/1.1 200 OK
< Server: openresty
< Date: Thu, 26 Oct 2017 18:39:48 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: no-cache, no-store
< x-trace-id: 70110f353234-275b-0000000000013e4b
<
334 bytes retrieved


Daniel of cURL believes this is an issue with the OpenSSL lib since it's the only component involved that actually
knows of the entire CA cert bundle. libcurl lets the SSL library deal with it and never gets to know the entire thing.

Does anyone know what could be causing the CA bundle to get spewed out every time a request is made?
I received this library with the config already set so I'm not exactly sure if this is caused by one of those options.
(and this does not occur when making the same request with the curl command from my host machine)

Thanks for your time,
Andy Gale
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: OpenSSL outputs entire CA bundle with libcurl

Jakob Bohm-7
On 27/10/2017 00:47, Andrew Gale wrote:

> Hello all,
>
> First, some config info:
> OpenSSL v1.0.1t
>
> PLATFORM=arm-linux-
> OPTIONS=enable-tls enable-threads enable-shared --cross-compile-prefix=arm-linux- -pthread --prefix=/usr/local no-ec_nistp_64_gcc_128 no-gmp no-idea no-jpake no-krb5 no-md2 no-mdc2 no-rc5 no-rfc3779 no-ripemd no-sctp no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic no-static-engine
> CONFIGURE_ARGS=enable-tls no-zlib threads no-idea no-mdc2 no-rc5 no-ripemd shared --cross-compile-prefix=arm-linux- arm-linux- -pthread --prefix=/usr/local
> SHLIB_TARGET=linux-shared
>
>
> When making a request every certificate in the cacert.pem bundle is output before the response (without the BEGIN/END):
>
> <<< Make request >>>
> MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx
> GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds
> b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV
> BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD
> VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa
> DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc
> THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb
> Kk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP
> c1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX
> gzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
> HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF
> AAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj
> Y1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG
> j/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH
> hm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC
> X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
> <<< All other certs follow >>>
>> POST /ftd/inform HTTP/1.1
> Host: <retracted>
> Authorization: Basic <retracted>
> Accept: */*
> Content-Type: application/json
> Content-Length: 267
>
> < HTTP/1.1 200 OK
> < Server: openresty
> < Date: Thu, 26 Oct 2017 18:39:48 GMT
> < Content-Type: application/json;charset=UTF-8
> < Transfer-Encoding: chunked
> < Connection: keep-alive
> < Cache-Control: no-cache, no-store
> < x-trace-id: 70110f353234-275b-0000000000013e4b
> <
> 334 bytes retrieved
>
>
> Daniel of cURL believes this is an issue with the OpenSSL lib since it's the only component involved that actually
> knows of the entire CA cert bundle. libcurl lets the SSL library deal with it and never gets to know the entire thing.
>
> Does anyone know what could be causing the CA bundle to get spewed out every time a request is made?
> I received this library with the config already set so I'm not exactly sure if this is caused by one of those options.
> (and this does not occur when making the same request with the curl command from my host machine)
>
Please clarify:

- Is it being output to the network or to the terminal window where
  curl is used?

- Is it being output as shown (Base64 text with ending "=" signs and
  a newline after each cert) or is it being output in another form
  that you just describe that way?


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Re: OpenSSL outputs entire CA bundle with libcurl

Andrew Gale
Jakob,

My responses inline <AG>:


- Is it being output to the network or to the terminal window where
  curl is used?
 
<AG> The output occurs in the terminal window when the program is run.

- Is it being output as shown (Base64 text with ending "=" signs and
  a newline after each cert) or is it being output in another form
  that you just describe that way?
 
<AG> It is output as shown. Base64 text ending in "=" signs, newline after
each cert, but with no "BEGIN / END CERTIFICATE"


Thanks,
Andy
Re: OpenSSL outputs entire CA bundle with libcurl

Jakob Bohm-7
On 27/10/2017 19:11, Andrew Gale wrote:

> Jakob,
>
> My responses inline <AG>:
>
>
> - Is it being output to the network or to the terminal window where
>    curl is used?
>    
> <AG> The output occurs in the terminal window when the program is run.
>
> - Is it being output as shown (Base64 text with ending "=" signs and
>    a newline after each cert) or is it being output in another form
>    that you just describe that way?
>    
> <AG> It is output as shown. Base64 text ending in "=" signs, newline after
>              each cert, but with no "BEGIN / END CERTIFICATE"
>
In that case, it looks like it is debug output.  Did you by any chance
configure or run curl with options to print lots of debug traces?

Perhaps such an option is causing something to print each trusted CA cert
as it is loaded into memory or checked.

Enjoy

Jakob
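A practical way to settle Jakob's question (is the text on the terminal really the CA bundle, printed as debug output, and not something else that merely looks like Base64?) is to parse the terminal output, cut it into DER-sized Base64 blocks using the ASN.1 length header of each block, and compare the SHA-256 of each decoded block against the certificates in cacert.pem. The script below is an added example, not code from the thread, curl, or OpenSSL. It embeds the first certificate block from Andrew's terminal output as constructed sample input and builds a one-certificate PEM bundle from the same lines to stand in for cacert.pem; the function names are the example's own.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample: the first Base64 block from the thread's terminal output
# (the GlobalSign Root CA from cacert.pem), printed without BEGIN/END lines.
CERT_B64_LINES = [
    "MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx",
    "GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds",
    "b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV",
    "BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD",
    "VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa",
    "DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc",
    "THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb",
    "Kk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP",
    "c1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX",
    "gzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV",
    "HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF",
    "AAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj",
    "Y1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG",
    "j/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH",
    "hm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC",
    "X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==",
]

# Constructed terminal transcript in the shape shown in the thread.
TERMINAL_OUTPUT = (
    "<<< Make request >>>\n" + "\n".join(CERT_B64_LINES) + "\n"
    "<<< All other certs follow >>>\n"
    "> POST /ftd/inform HTTP/1.1\nHost: example.invalid\nAccept: */*\n"
    "< HTTP/1.1 200 OK\n<\n334 bytes retrieved\n"
)

# Constructed stand-in for cacert.pem: the same certificate with PEM armour.
BUNDLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n" + "\n".join(CERT_B64_LINES) +
    "\n-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def bundle_fingerprints(pem_text):
    """Map SHA-256(DER) -> position of each certificate in a PEM bundle."""
    fps = {}
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        fps[hashlib.sha256(der).hexdigest()] = i
    return fps


def expected_b64_length(b64_prefix):
    """Read the outer DER SEQUENCE header from the first 8 Base64 chars and
    return how many Base64 chars the whole certificate occupies, or None if
    the prefix does not look like DER."""
    try:
        head = base64.b64decode(b64_prefix[:8])
    except binascii.Error:
        return None
    if len(head) < 6 or head[0] != 0x30:      # 0x30 = SEQUENCE
        return None
    if head[1] & 0x80:                         # long-form length
        n = head[1] & 0x7F
        if n == 0 or n > 4:
            return None
        total = 2 + n + int.from_bytes(head[2:2 + n], "big")
    else:                                      # short-form length
        total = 2 + head[1]
    return -(-total // 3) * 4                  # ceil(total / 3) * 4


def base64_blocks(text):
    """Group consecutive Base64 lines into certificate-sized blocks.  A block
    closes when it reaches the length its DER header announces, or when a
    non-Base64 line (HTTP trace, banner, blank) interrupts it."""
    blocks, cur, need = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not B64_LINE.match(line):
            if cur:
                blocks.append("".join(cur))
            cur, need = [], None
            continue
        cur.append(line)
        if need is None:
            need = expected_b64_length("".join(cur))
        if need is not None and sum(len(l) for l in cur) >= need:
            blocks.append("".join(cur))
            cur, need = [], None
    if cur:
        blocks.append("".join(cur))
    return blocks


def match_output_to_bundle(terminal_text, bundle_pem):
    """For each Base64 block in the terminal output, report its DER length,
    SHA-256 fingerprint and the index of the matching bundle entry (or None)."""
    fps = bundle_fingerprints(bundle_pem)
    results = []
    for b64 in base64_blocks(terminal_text):
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            results.append({"der_len": None, "sha256": None, "bundle_index": None})
            continue
        fp = hashlib.sha256(der).hexdigest()
        results.append({"der_len": len(der), "sha256": fp, "bundle_index": fps.get(fp)})
    return results


if __name__ == "__main__":
    for r in match_output_to_bundle(TERMINAL_OUTPUT, BUNDLE_PEM):
        print(r)
```

If every block resolves to an index in the bundle, the text is a verbatim dump of the trust store loaded from cacert.pem, which supports the debug-trace explanation; a block that decodes to valid DER but matches nothing in the bundle would point at certificates coming from somewhere else (for example, the peer's chain). On a real system, replace BUNDLE_PEM with the contents of the cacert.pem path the application actually uses.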