The problem situation
Attempting to use curl (for testing purposes) on OSX.
When connecting to the (internal development) HTTPS server, curl complains the PKCS#12 file needs a password. Which is bizarre, as there is no password set on the file. 😉
$ curl -v --cert ./cert.pfx https://dev2.dbhub.io:5550/foo
* Trying 127.0.0.1...
* Connected to dev2.dbhub.io (127.0.0.1) port 5550 (#0)
* WARNING: SSL: Certificate type not set, assuming PKCS#12 format.
* SSL The certificate "./cert.pfx" requires a password.
* Closing connection 0
curl: (58) SSL The certificate "./cert.pfx" requires a password.
Is there a way to specify "empty password", so that it works? I've tried a few obvious variations, and no joy so far:
$ curl -v --cert ./cert.pfx https://dev2.dbhub.io:5550/foo:
* Trying 127.0.0.1...
* Connected to dev2.dbhub.io (127.0.0.1) port 5550 (#0)
* WARNING: SSL: Certificate type not set, assuming PKCS#12 format.
* SSL The certificate "./cert.pfx" requires a password.
* Closing connection 0
curl: (58) SSL The certificate "./cert.pfx" requires a password.
$ curl -v --cert ./cert.pfx https://dev2.dbhub.io:5550/foo:''
* Trying 127.0.0.1...
* Connected to dev2.dbhub.io (127.0.0.1) port 5550 (#0)
* WARNING: SSL: Certificate type not set, assuming PKCS#12 format.
* SSL The certificate "./cert.pfx" requires a password.
* Closing connection 0
curl: (58) SSL The certificate "./cert.pfx" requires a password.
$ curl -v --cert ./cert.pfx https://dev2.dbhub.io:5550/foo:""
* Trying 127.0.0.1...
* Connected to dev2.dbhub.io (127.0.0.1) port 5550 (#0)
* WARNING: SSL: Certificate type not set, assuming PKCS#12 format.
* SSL The certificate "./cert.pfx" requires a password.
* Closing connection 0
curl: (58) SSL The certificate "./cert.pfx" requires a password.
$ curl -v --cert ./cert.pfx https://dev2.dbhub.io:5550/foo:\"\"
* Trying 127.0.0.1...
* Connected to dev2.dbhub.io (127.0.0.1) port 5550 (#0)
* WARNING: SSL: Certificate type not set, assuming PKCS#12 format.
* SSL The certificate "./cert.pfx" requires a password.
* Closing connection 0
curl: (58) SSL The certificate "./cert.pfx" requires a password.
I expected the following
Successful connection to the remote server.
If I manually add a password to the PKCS file using openssl, then it works, e.g. adding :password to the end of the file argument. The trouble I'm hitting is only where there's no password set in the file.
$ curl -v --cert ./cert.pfx:password https://dev2.dbhub.io:5550/foo
* Trying 127.0.0.1...
* Connected to dev2.dbhub.io (127.0.0.1) port 5550 (#0)
* WARNING: SSL: Certificate type not set, assuming PKCS#12 format.
* Client certificate: dev2.dbhub.io
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: dev2.dbhub.io
* Server certificate: DBHub.io DEVELOPMENT Intermediate CA
* Server certificate: DBHub.io DEVELOPMENT Root CA
> GET /foo HTTP/1.1
> Host: dev2.dbhub.io:5550
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 04 Mar 2017 19:37:58 GMT
< Content-Length: 929
< Content-Type: text/plain; charset=utf-8
<
[...]
curl/libcurl version
Using curl installed through Homebrew, e.g. it's using "Secure"Transport
$ curl -V
curl 7.53.1 (x86_64-apple-darwin15.6.0) libcurl/7.53.1 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz UnixSockets
The problem also shows up when using the system curl provided by OSX:
$ /usr/bin/curl -V
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets
operating system
OSX 10.11.6
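The report notes that the same certificate is accepted once the PKCS#12 file carries a password. The script below is an added example, not part of the original report or of curl: it checks whether a .pfx opens with the empty password and re-wraps it with a new one using openssl. The function names and the PFX_NEW_PASS variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: detect an empty-password PKCS#12 file and re-wrap it with a
# password. Function names and PFX_NEW_PASS are assumptions of this example.

# Returns 0 if FILE opens (MAC verifies) with the empty password.
pfx_has_empty_password() {
    openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# pfx_set_password IN OUT
# Reads the new password from PFX_NEW_PASS so it never appears in argv,
# where other local users could see it in the process list.
pfx_set_password() {
    in=$1
    out=$2
    if [ -z "${PFX_NEW_PASS:-}" ]; then
        echo "PFX_NEW_PASS is not set" >&2
        return 2
    fi
    if ! pfx_has_empty_password "$in"; then
        echo "$in does not open with an empty password" >&2
        return 3
    fi
    old_umask=$(umask)
    umask 077                      # temp key file and output: owner-only
    tmp=$(mktemp) || { umask "$old_umask"; return 1; }
    rc=0
    # Step 1: unpack key and certificates (key is briefly unencrypted in $tmp).
    # Step 2: export them again, this time protected by the new password.
    openssl pkcs12 -in "$in" -passin pass: -nodes -out "$tmp" 2>/dev/null &&
        PFX_NEW_PASS="$PFX_NEW_PASS" openssl pkcs12 -export -in "$tmp" \
            -out "$out" -passout env:PFX_NEW_PASS 2>/dev/null || rc=1
    rm -f "$tmp"                   # remove the unencrypted key in all cases
    umask "$old_umask"
    return "$rc"
}

# Script usage: PFX_NEW_PASS=... sh rewrap.sh in.pfx out.pfx
if [ "$#" -eq 2 ]; then
    pfx_set_password "$1" "$2"
fi
```

The re-wrapped file is then passed to curl in the `--cert ./file.pfx:password` form shown in the report.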