Issue #2570

libcurl http request failed: SSL: couldn't create a context: error:140A90A1:lib(20):func(169):reason(161)

Added by Mike Fry about 4 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Category: libstrongswan
Affected version: 5.1.3
Resolution: No change required

Description

In debugging this error, I set up curl to fetch via https by setting the environment variable CURL_CA_BUNDLE and pointing it to the bundle file. I was thinking that curl is called from ipsec scepclient but I guess I was wrong. Here is my command.

ipsec scepclient --url http://${SCEPSERVER}/CertSrv/mscep/mscep.dll \
-k 2048 -f -p ${CHALLENGE} \
--dn "C=${COUNTRY}, S=${STATE}, L=${LOCALITY}, O=${ORGANIZATION}, OU=${ORGANIZATIONALUNIT}, CN=${HOSTNAME}" \
--subjectAltName dns=${HOSTNAME} \
--subjectAltName email=${email} \
--in pkcs1=myKey.der \
--out cert=myCert.der \
--in cacert-enc=caCert-ra-1.der \
--in cacert-sig=caCert-ra-2.der \
--debug 4


Related issues

Related to Bug #692: Curl fails to fetch HTTPS CRL URL (Closed, 28.08.2014)

History

#1 Updated by Mike Fry about 4 years ago

Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-116-generic, x86_64):
uptime: 20 hours, since Feb 27 14:15:29 2018
malloc: sbrk 2977792, mmap 532480, used 721808, free 2255984
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors curl soup unbound ldap mysql sqlite pkcs11 aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp xcbc cmac hmac ctr ccm gcm ntru attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led duplicheck radattr addrblock unity
Listening IP addresses:
10.57.172.246
Connections:
Security Associations (0 up, 0 connecting):
none

#2 Updated by Tobias Brunner about 4 years ago

  • Status changed from New to Feedback

I was thinking that curl is called from ipsec scepclient but I guess I was wrong.

You are: the curl plugin links libcurl directly; there is no call to curl. And the curl plugin currently does not set CURLOPT_CAPATH or CURLOPT_CAINFO. So which certificate store is used depends on how libcurl was compiled, the platform, and perhaps even on how the underlying TLS library was built (see option 3 here).

#3 Updated by Mike Fry about 4 years ago

Tobias Brunner wrote:

I was thinking that curl is called from ipsec scepclient but I guess I was wrong.

You are: the curl plugin links libcurl directly; there is no call to curl. And the curl plugin currently does not set CURLOPT_CAPATH or CURLOPT_CAINFO. So which certificate store is used depends on how libcurl was compiled, the platform, and perhaps even on how the underlying TLS library was built (see option 3 here).

Here is how I am installing Strongswan.

apt-get install libc6 debconf build-essential libgmp-dev libunbound-dev \
libldns-dev libldns-dev libcurl4-openssl-dev strongswan \
strongswan-starter strongswan-plugin-* libcurl4-openssl-dev \
network-manager-strongswan libunbound-dev -y -q -f -m

I am not compiling as I will push this script out to 500+ devices with various kernel versions.

#4 Updated by Tobias Brunner about 4 years ago

Here is how I am installing Strongswan.

apt-get install libc6 debconf build-essential libgmp-dev libunbound-dev \
libldns-dev libldns-dev libcurl4-openssl-dev strongswan \
strongswan-starter strongswan-plugin-* libcurl4-openssl-dev \
network-manager-strongswan libunbound-dev -y -q -f -m

I am not compiling as I will push this script out to 500+ devices with various kernel versions.

What are you trying to say with this?

#5 Updated by Mike Fry about 4 years ago

Tobias Brunner wrote:

What are you trying to say with this?

I believe the method you were referring to in your reply was to download the tarball, extract it, run ./configure with options, then make and install.

What I am saying is that I am installing strongSwan from the Ubuntu repo via apt-get.

#6 Updated by Mike Fry about 4 years ago

From syslog:

opening file /var/log/charon_debug.log for logging failed: Permission denied
Feb 28 11:29:33 USMCDLNCN6CSL9H charon-custom: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-116-generic, x86_64)
Feb 28 11:29:33 USMCDLNCN6CSL9H kernel: [ 425.708620] audit: type=1400 audit(1519835373.871:53): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/log/charon_debug.log" pid=2599 comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Feb 28 11:29:33 USMCDLNCN6CSL9H kernel: [ 425.723049] NET: Registered protocol family 38
Feb 28 11:29:33 USMCDLNCN6CSL9H charon-custom: 00[DMN] agent plugin requires CAP_DAC_OVERRIDE capability
Feb 28 11:29:33 USMCDLNCN6CSL9H charon-custom: 00[LIB] plugin 'agent': failed to load - agent_plugin_create returned NULL
Feb 28 11:29:33 USMCDLNCN6CSL9H charon-custom: 00[CFG] disabling load-tester plugin, not configured
Feb 28 11:29:33 USMCDLNCN6CSL9H charon-custom: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Feb 28 11:29:33 USMCDLNCN6CSL9H charon-custom: 00[DMN] xauth-pam plugin requires CAP_AUDIT_WRITE capability
Feb 28 11:29:33 USMCDLNCN6CSL9H charon-custom: 00[LIB] plugin 'xauth-pam': failed to load - xauth_pam_plugin_create returned NULL
Feb 28 11:29:33 USMCDLNCN6CSL9H charon-custom: 00[CFG] dnscert plugin is disabled
Feb 28 11:29:33 USMCDLNCN6CSL9H charon-custom: 00[CFG] ipseckey plugin is disabled
Feb 28 11:29:33 USMCDLNCN6CSL9H charon-custom: 00[CFG] attr-sql plugin: database URI not set
Feb 28 11:29:33 USMCDLNCN6CSL9H charon-custom: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

Not sure why the charon_debug.log can't be written to.

#7 Updated by Tobias Brunner about 4 years ago

What are you trying to say with this?

I believe the method you were referring to in your reply was to download the tarball, extract it, run ./configure with options, then make and install.

No, nothing like that. That wouldn't really help you anyway. I mentioned that the location where libcurl looks for CA certificates depends on how libcurl or any of its dependencies are compiled. You basically have to find out where libcurl looks for CA certificates and install your custom CA certificate there (or get a server certificate from an already trusted CA).

opening file /var/log/charon_debug.log for logging failed: Permission denied
Feb 28 11:29:33 USMCDLNCN6CSL9H charon-custom: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-116-generic, x86_64)
Feb 28 11:29:33 USMCDLNCN6CSL9H kernel: [ 425.708620] audit: type=1400 audit(1519835373.871:53): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/log/charon_debug.log" pid=2599 comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0

Not sure why the charon_debug.log can't be written to.

The log tells you exactly why: AppArmor.

#8 Updated by Mike Fry about 4 years ago

Tobias Brunner wrote:

You basically have to find out where libcurl looks for CA certificates and install your custom CA certificate there (or get a server certificate from an already trusted CA).

I see /etc/strongswan.d/charon/curl.conf but can't find an example of the parameters that would go in there.

#9 Updated by Tobias Brunner about 4 years ago

You basically have to find out where libcurl looks for CA certificates and install your custom CA certificate there (or get a server certificate from an already trusted CA).

I see /etc/strongswan.d/charon/curl.conf but can't find an example of the parameters that would go in there.

This has nothing to do with strongSwan, so this file is not relevant at all. This is only related to libcurl (a third-party library) and how it was built on your system, i.e. from where it loads the CA certificates (and it obviously also depends on the CA that signed your server certificate, because if it was signed by an already trusted CA you wouldn't have to do anything).

#10 Updated by Mike Fry about 4 years ago

Tobias Brunner wrote:

You basically have to find out where libcurl looks for CA certificates and install your custom CA certificate there (or get a server certificate from an already trusted CA).

I see /etc/strongswan.d/charon/curl.conf but can't find an example of the parameters that would go in there.

This has nothing to do with strongSwan, so this file is not relevant at all. This is only related to libcurl (a third-party library) and how it was built on your system, i.e. from where it loads the CA certificates (and it obviously also depends on the CA that signed your server certificate, because if it was signed by an already trusted CA you wouldn't have to do anything).

Here I am building libcurl/curl 7.58.0 with SSL enabled.

Configure: Configured to build curl/libcurl:

curl version:     7.58.0
Host setup: x86_64-unknown-linux-gnu
Install prefix: /usr/local
Compiler: gcc
SSL support: enabled (OpenSSL)
SSH support: no (--with-libssh2)
zlib support: enabled
brotli support: no (--with-brotli)
GSS-API support: no (--with-gssapi)
TLS-SRP support: enabled
resolver: POSIX threaded
IPv6 support: enabled
Unix sockets support: enabled
IDN support: no (--with-{libidn2,winidn})
Build libcurl: Shared=yes, Static=yes
Built-in manual: enabled
--libcurl option: enabled (--disable-libcurl-option)
Verbose errors: enabled (--disable-verbose)
SSPI support: no (--enable-sspi)
ca cert bundle: /etc/ssl/certs/ca-certificates.crt
ca cert path: no
ca fallback: no
LDAP support: no (--enable-ldap / --with-ldap-lib / --with-lber-lib)
LDAPS support: no (--enable-ldaps)
RTSP support: enabled
RTMP support: no (--with-librtmp)
metalink support: no (--with-libmetalink)
PSL support: no (libpsl not found)
HTTP2 support: disabled (--with-nghttp2)
Protocols: DICT FILE FTP FTPS GOPHER HTTP HTTPS IMAP IMAPS POP3 POP3S RTSP SMB SMBS SMTP SMTPS TELNET TFTP

Same error.

#11 Updated by Mike Fry about 4 years ago

curl -V
curl 7.58.0 (x86_64-unknown-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

#12 Updated by Tobias Brunner about 4 years ago

  • Affected version changed from 5.6.2 to 5.1.3

I was concentrating so much on your claim that there is a problem with the CA certificate that I never actually checked the actual error code.

The problem seems to be that OpenSSL is not properly initialized. You apparently use an old version of strongSwan (5.1.3), which didn't call curl_global_init() with CURL_GLOBAL_SSL, so OpenSSL is not initialized properly (was fixed with 85c95db17a that was included in 5.2.1). Interestingly, that parameter has now been removed again (with 7.57.0) so that old strongSwan version might actually work with libcurl >= 7.57 again (which initializes the SSL/TLS backend automatically). But if you build libcurl from sources you have to make sure to actually link the curl plugin against it and not any other version found on your system.
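The version logic from comments #11 and #12, as an added shell helper that is not part of this issue or of strongSwan: it parses the charon start-up line and the first line of `curl -V`, flags a curl binary that loads an older libcurl than its own version (the situation in comment #11), and decides whether the curl plugin gets an initialized OpenSSL. The 5.2.1 and 7.57.0 thresholds are the ones named in the thread; the sample lines are copied from comments #6 and #11.

```shell
#!/bin/sh
# Added triage helper, not code from the issue or from strongSwan. Thresholds
# come from the thread: the curl plugin fix (commit 85c95db17a) shipped in
# strongSwan 5.2.1, and libcurl >= 7.57.0 initializes its TLS backend itself.

# vercmp A B: prints 0 if A == B, 1 if A > B, 2 if A < B (first three fields)
vercmp() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1" | awk -F. -v n="$i" '{ v = ($n == "") ? 0 : $n + 0; print v }')
        y=$(printf '%s\n' "$2" | awk -F. -v n="$i" '{ v = ($n == "") ? 0 : $n + 0; print v }')
        [ "$x" -gt "$y" ] && { echo 1; return 0; }
        [ "$x" -lt "$y" ] && { echo 2; return 0; }
        i=$((i + 1))
    done
    echo 0
}

# Pull version numbers out of the charon start-up line and `curl -V` line 1
strongswan_version() { printf '%s\n' "$1" | sed -n 's/.*strongSwan \([0-9.]*\).*/\1/p'; }
curl_cli_version()   { printf '%s\n' "$1" | sed -n 's/^curl \([0-9.]*\).*/\1/p'; }
libcurl_version()    { printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9.]*\).*/\1/p'; }

# diagnose CHARON_LINE CURLV_LINE: prints one verdict line, always returns 0
diagnose() {
    ss=$(strongswan_version "$1"); cli=$(curl_cli_version "$2"); lc=$(libcurl_version "$2")
    note=""
    # A curl binary newer than the libcurl it loads means the freshly built
    # library was not picked up; the plugin will load the same old one.
    [ "$(vercmp "$cli" "$lc")" = 1 ] && note=" (curl $cli loads libcurl $lc: check the plugin with ldd)"
    if [ "$(vercmp "$ss" 5.2.1)" != 2 ]; then
        echo "OK: strongSwan $ss calls curl_global_init(CURL_GLOBAL_SSL)$note"
    elif [ "$(vercmp "$lc" 7.57.0)" != 2 ]; then
        echo "LIKELY-OK: strongSwan $ss lacks the fix, but libcurl $lc initializes TLS itself$note"
    else
        echo "BUG: strongSwan $ss never initializes OpenSSL via libcurl $lc; upgrade to >= 5.2.1$note"
    fi
}

# Sample lines copied from comments #6 and #11 of the thread
CHARON_LINE='Feb 28 11:29:33 USMCDLNCN6CSL9H charon-custom: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-116-generic, x86_64)'
CURLV_LINE='curl 7.58.0 (x86_64-unknown-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3'

diagnose "$CHARON_LINE" "$CURLV_LINE"
```

On a real host, feed it the `Starting IKE charon daemon` line from syslog and the first line of `curl -V`, then confirm with `ldd` on the curl plugin that it loads the same libcurl the verdict was based on.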

#13 Updated by Tobias Brunner about 4 years ago

  • Related to Bug #692: Curl fails to fetch HTTPS CRL URL added

#14 Updated by Tobias Brunner about 4 years ago

  • Category set to libstrongswan
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
