[openssl-users] OpenSSL outputs entire CA bundle with libcurl

Jakob Bohm jb-openssl at wisemo.com
Fri Oct 27 12:07:26 UTC 2017


On 27/10/2017 00:47, Andrew Gale wrote:
> Hello all,
>
> First, some config info:
> OpenSSL v1.0.1t
>
> PLATFORM=arm-linux-
> OPTIONS=enable-tls enable-threads enable-shared --cross-compile-prefix=arm-linux- -pthread --prefix=/usr/local no-ec_nistp_64_gcc_128 no-gmp no-idea no-jpake no-krb5 no-md2 no-mdc2 no-rc5 no-rfc3779 no-ripemd no-sctp no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic no-static-engine
> CONFIGURE_ARGS=enable-tls no-zlib threads no-idea no-mdc2 no-rc5 no-ripemd shared --cross-compile-prefix=arm-linux- arm-linux- -pthread --prefix=/usr/local
> SHLIB_TARGET=linux-shared
>
>
> When making a request every certificate in the cacert.pem bundle is output before the response (without the BEGIN/END):
>
> <<< Make request >>>
> MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx
> GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds
> b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV
> BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD
> VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa
> DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc
> THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb
> Kk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP
> c1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX
> gzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
> HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF
> AAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj
> Y1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG
> j/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH
> hm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC
> X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
> <<< All other certs follow >>>
>> POST /ftd/inform HTTP/1.1
> Host: <retracted>
> Authorization: Basic <retracted>
> Accept: */*
> Content-Type: application/json
> Content-Length: 267
>
> < HTTP/1.1 200 OK
> < Server: openresty
> < Date: Thu, 26 Oct 2017 18:39:48 GMT
> < Content-Type: application/json;charset=UTF-8
> < Transfer-Encoding: chunked
> < Connection: keep-alive
> < Cache-Control: no-cache, no-store
> < x-trace-id: 70110f353234-275b-0000000000013e4b
> <
> 334 bytes retrieved
>
>
> Daniel of cURL believes this is an issue with the OpenSSL lib since it's the only component involved that actually
> knows of the entire CA cert bundle. libcurl lets the SSL library deal with it and never gets to know the entire thing.
>
> Does anyone know what could be causing the CA bundle to get spewed out every time a request is made?
> I received this library with the config already set so I'm not exactly sure if this is caused by one of those options.
> (and this does not occur when making the same request with the curl command from my host machine)
>
Please clarify:

- Is it being output to the network or to the terminal window where
  curl is used?

- Is it being output as shown (Base64 text with ending "=" signs and
  a newline after each cert) or is it being output in another form
  that you just describe that way?


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
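A way to answer the second question above with a concrete check, as an added example that is not part of this thread or of curl/OpenSSL: the script below separates libcurl's own verbose markers ("> " request lines, "< " response lines) from foreign lines in a capture, reassembles consecutive Base64 lines into blocks, and tests whether each block decodes to a DER SEQUENCE whose declared length equals the decoded size, which is exactly what a PEM body stripped of its BEGIN/END lines looks like. It also lists printable runs so the CA name can be read off. The sample capture is constructed: the first dumped certificate is the one quoted in the mail, the HTTP lines are shortened, and the "hello world" block is a made-up non-certificate to exercise the negative branch. Standard library only.

```python
"""Check whether stray Base64 lines in a curl -v capture are DER certificates.

Added example, not from the thread.  Standard library only.
"""
import base64
import binascii
import re

# Lines consisting solely of Base64 characters, optionally padded with "=".
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Runs of printable ASCII long enough to be a name rather than noise.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")

# Constructed sample capture: the certificate lines are the ones quoted in the mail,
# the HTTP lines are shortened, and "aGVsbG8gd29ybGQ=" is a made-up non-certificate.
SAMPLE_CAPTURE = """\
<<< Make request >>>
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkEx
GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds
b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV
BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD
VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa
DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc
THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb
Kk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP
c1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX
gzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF
AAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj
Y1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG
j/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH
hm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC
X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
<<< All other certs follow >>>
aGVsbG8gd29ybGQ=
> POST /ftd/inform HTTP/1.1
> Host: <retracted>
> Accept: */*
< HTTP/1.1 200 OK
< Server: openresty
334 bytes retrieved
"""


def der_sequence_total_length(data: bytes):
    """Total encoded size (tag + length + content) of an outer DER SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def inspect_block(b64_text: str) -> dict:
    """Decode one Base64 block and report whether it is a length-consistent DER SEQUENCE."""
    try:
        data = base64.b64decode(b64_text, validate=True)
    except binascii.Error as exc:
        return {"decoded_len": None, "der_total_len": None, "is_der_sequence": False,
                "error": str(exc), "printable_strings": []}
    total = der_sequence_total_length(data)
    return {
        "decoded_len": len(data),
        "der_total_len": total,
        # Necessary (not sufficient) for a DER certificate: outer SEQUENCE spanning the block.
        "is_der_sequence": total == len(data),
        "error": None,
        "printable_strings": [m.decode("ascii") for m in PRINTABLE_RUN.findall(data)],
    }


def split_capture(text: str):
    """Group consecutive Base64 lines into blocks and count curl's own marker lines."""
    blocks, current = [], []
    sent = received = other = 0
    for line in text.splitlines():
        if B64_LINE.match(line):
            current.append(line)
            if line.endswith("="):        # "=" padding closes a block
                blocks.append("".join(current))
                current = []
            continue
        if current:                       # a non-Base64 line closes an unpadded block
            blocks.append("".join(current))
            current = []
        if line.startswith("> "):
            sent += 1
        elif line.startswith("< "):
            received += 1
        else:
            other += 1
    if current:
        blocks.append("".join(current))
    return blocks, sent, received, other


def analyse(text: str) -> dict:
    """Full report for a capture: one entry per Base64 block plus curl line counts."""
    blocks, sent, received, other = split_capture(text)
    return {"blocks": [inspect_block(b) for b in blocks],
            "sent_lines": sent, "received_lines": received, "other_lines": other}


if __name__ == "__main__":
    report = analyse(SAMPLE_CAPTURE)
    for i, blk in enumerate(report["blocks"]):
        print(i, blk["is_der_sequence"], blk["decoded_len"], blk["printable_strings"][:3])
    print("curl lines: sent=%d received=%d" % (report["sent_lines"], report["received_lines"]))
```

Run against a real capture by replacing SAMPLE_CAPTURE with the saved terminal output. If the blocks decode to length-consistent DER SEQUENCEs and the printable runs name CAs, the output is the bundle in DER-as-Base64 form; if the lines arrive on the wire rather than on the terminal, the same analysis can be run over a packet capture's payload to settle the first question.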