Package: curl
Version: 8.8.0-2
Severity: normal

/usr/bin/curl --cert <cert> --key <key> <url> no longer works with the version
mentioned above. It worked well with the previous version 8.8.0-1. The error
message is:

    curl: (35) error reading X.509 key or certificate file

From the changelog, this bullet point comes to mind:

    * Switch curl package/binary to use gnutls, now with HTTP3 support

Looking at strace output, curl does read a lot of certs from /etc/ssl/certs/
(not shown) but it does not attempt to read the path given with --cert. It reads
the --key file and then does a bogus sendmsg():

> openat(AT_FDCWD, "path_removed.key", O_RDONLY|O_CLOEXEC) = 6
> newfstatat(6, "", {st_mode=S_IFREG|0600, st_size=1854, ...}, AT_EMPTY_PATH) = 0
> lseek(6, 0, SEEK_CUR) = 0
> read(6, "-----BEGIN ENCRYPTED PRIVATE KEY"..., 1855) = 1854
> read(6, "", 1)   = 0
> close(6)         = 0
> openat(AT_FDCWD, "/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 6
> newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=2996, ...}, AT_EMPTY_PATH) = 0
> read(6, "# Locale name alias data base.\n#"..., 4096) = 2996
> read(6, "", 4096) = 0
> close(6)         = 0
> openat(AT_FDCWD, "/usr/share/locale/en_US/LC_MESSAGES/gnutls30.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/gnutls30.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> sendmsg(-1, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\25\3\3\0\2\1\0", iov_len=7}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = -1 EBADF (Bad file descriptor)
> close(5)         = 0

After that, it prints the error message one character at a time and exits. Let
me know if anything else is needed.

Thanks,
Jan



-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.8.12-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages curl depends on:
ii  libc6               2.38-13
ii  libcurl3t64-gnutls  8.8.0-2
ii  zlib1g              1:1.3.dfsg+really1.3.1-1

curl recommends no packages.

curl suggests no packages.

-- no debconf information
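
Added example, not part of the original report: the seven bytes passed to sendmsg() in the strace excerpt above have the layout of a plaintext TLS record, and this sketch decodes them from strace's escaped string form. The function and table names are illustrative, and the alert table is only a subset of the RFC 5246 values.

```python
import re
import struct

# Escaped buffer copied from the sendmsg() line of the strace excerpt above.
STRACE_IOV = r"\25\3\3\0\2\1\0"

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the TLS alert descriptions (RFC 5246, section 7.2).
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 80: "internal_error"}
SIMPLE = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12, "\\": 92, '"': 34}
TOKEN = re.compile(r'\\([0-7]{1,3})|\\x([0-9a-fA-F]{2})|\\([ntrvf\\"])|(.)', re.S)

def strace_unescape(text):
    """Convert strace's C-style escaped string into raw bytes."""
    out = bytearray()
    for octal, hexa, simple, literal in TOKEN.findall(text):
        if octal:
            out.append(int(octal, 8) & 0xFF)
        elif hexa:
            out.append(int(hexa, 16))
        elif simple:
            out.append(SIMPLE[simple])
        else:
            out += literal.encode("latin-1")
    return bytes(out)

def decode_tls_record(data):
    """Parse one plaintext TLS record: 5-byte header plus alert body if present."""
    if len(data) < 5:
        raise ValueError("shorter than a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    record = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
              "version": (major, minor), "length": length}
    if ctype == 21 and length == 2:  # unencrypted alert: level, description
        record["level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
        record["description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
    return record

if __name__ == "__main__":
    print(decode_tls_record(strace_unescape(STRACE_IOV)))
```

For the bytes in the report this yields an alert record with record version 3.3, level warning and description close_notify.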
