This repository has been archived by the owner on Jun 6, 2023. It is now read-only.

curlimages/curl:8.1.0 fails to load a p12 certificate that 8.00.1 could #81

Open
roobre opened this issue May 17, 2023 · 5 comments

Comments

roobre commented May 17, 2023

I've just noticed that an upgrade from 8.00.1 to 8.1.0 has caused a curl command to fail to load a p12 certificate. The error returned is not very verbose:

```
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0  0     0    0     0    0     0      0
      0 --:--:-- --:--:-- --:--:--     0*   Trying 88.99.146.130:443...
* Connected to pdns.roobre.es (88.99.146.130) port 443 (#0)
* ALPN: offers h2,http/1.1
* could not parse PKCS12 file, check password, OpenSSL error error:0308010C:digital envelope routines::unsupported
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (58) could not parse PKCS12 file, check password, OpenSSL error error:0308010C:digital envelope routines::unsupported
```

The command triggering this is:

```
curl -SvX PATCH -H "Content-Type: text/json" -d "something something" -H "X-API-Key: $API_KEY" "https://pdns.roobre.es/api/v1/servers/localhost/zones/$zone" -E "/roobre-k8s.p12:$CERT_PASS" --cert-type P12
```

$CERT_PASS contains the correct password for /roobre-k8s.p12, and the same command works on curlimages/curl:8.00.1.

I should be able to provide some more info if needed :)

roobre changed the title from "curlimages/curl:8.1.0 fails to load an encrypted p12 certificate that 8.00.1 could" to "curlimages/curl:8.1.0 fails to load a p12 certificate that 8.00.1 could" on May 17, 2023

xquery (Member) commented May 17, 2023

At first glance, I do not think there is anything container-related here ... e.g. probably best to verify if plain ole curl 8.1.0 (albeit with the same build flags/deps) reproduces this error, e.g. this might just be a curl error. Will investigate if I have the time.

roobre (Author) commented May 18, 2023

Hey @xquery,

It seems that you are right, I can reproduce a similar issue with plain old curl 8.0.1 (x86_64-pc-linux-gnu) libcurl/8.0.1 OpenSSL/3.0.8 zlib/1.2.13 brotli/1.0.9 zstd/1.5.5 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.10.0 nghttp2/1.52.0.

Which is pretty weird, because this container worked 24 hours ago without me changing absolutely anything. I will dig further to see if this is related to curl or not 😕

xquery (Member) commented May 18, 2023

We just made a new release ... curl/curl#11129 may fix it ... we plan a patch release of curl and will also release a container.

bagder (Member) commented May 18, 2023

I don't think this is the 11129 bug, because @roobre says it reproduces in 8.0.1 and it does not seem related to the URL...

roobre (Author) commented Jun 4, 2023

I think I've been able to nail down the issue here. The p12 certificate in question uses RC2-40-CBC, which is considered a legacy cipher by OpenSSL. Curl was fine using this cert before, but the new image refuses to do so. Not sure if it could be a change of the build environment or a code change in curl itself.

That being said, it would seem that RC2-40-CBC is a poor choice for a cipher so probably curl is right refusing to load it.
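The diagnosis above (the PKCS#12 file is encrypted with pbeWithSHA1And40BitRC2-CBC, which OpenSSL 3 only serves from its legacy provider, hence "digital envelope routines::unsupported") is the kind of thing you want to check on a fleet of .p12 files *before* rolling out an OpenSSL 3 based image. The following is an added example written for this thread, not curl, OpenSSL or container-project code: a standard-library-only Python scanner that walks the DER structure of a PKCS#12 file, collects every OBJECT IDENTIFIER, and reports which PBE schemes it finds. The OID table is the PKCS#12 PBE set from RFC 7292 plus PBES2; `build_sample_pfx` is a constructed, structurally minimal PFX skeleton (filler salt and ciphertext, no real key or certificate) used so the script runs offline, and all function names are this example's own.

```python
"""Audit a PKCS#12 (.p12/.pfx) file for the password-based-encryption schemes it
uses, using only the Python standard library. Hypothetical helper written for
this issue; RC2/RC4 PBE lives in OpenSSL 3's legacy provider, which is why an
OpenSSL 3 build of curl cannot open such a file by default."""
import sys

OID_DATA = "1.2.840.113549.1.7.1"            # id-data
OID_ENCRYPTED_DATA = "1.2.840.113549.1.7.6"  # id-encryptedData

# PBE algorithm identifiers that may appear in a PKCS#12 file (RFC 7292 + PBES2).
PBE_OIDS = {
    "1.2.840.113549.1.12.1.1": ("pbeWithSHA1And128BitRC4", "legacy provider"),
    "1.2.840.113549.1.12.1.2": ("pbeWithSHA1And40BitRC4", "legacy provider"),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", "default provider"),
    "1.2.840.113549.1.12.1.4": ("pbeWithSHA1And2-KeyTripleDES-CBC", "default provider"),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHA1And128BitRC2-CBC", "legacy provider"),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", "legacy provider"),
    "1.2.840.113549.1.5.13": ("PBES2 (PBKDF2 + e.g. AES-256-CBC)", "default provider"),
}


def walk(data, start, end):
    """Yield (tag, body_start, body_end) for each TLV in data[start:end];
    raise ValueError on anything that is not well-formed definite-length DER."""
    pos = start
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated TLV header")
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags do not occur in PKCS#12")
        if length & 0x80:                       # long form: 0x8N then N length bytes
            n = length & 0x7F
            if n == 0 or pos + n > end:
                raise ValueError("bad long-form length")
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        if pos + length > end:
            raise ValueError("TLV overruns its container")
        yield tag, pos, pos + length
        pos += length


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not body:
        raise ValueError("empty OID")
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                          # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def find_oids(data, start=0, end=None):
    """Collect every OID, descending into constructed elements and into OCTET
    STRINGs that hold nested DER (PKCS#12 wraps AuthenticatedSafe/SafeContents so)."""
    end = len(data) if end is None else end
    found = []
    for tag, s, e in walk(data, start, end):
        if tag == 0x06:
            found.append(decode_oid(data[s:e]))
        elif tag & 0x20:                        # constructed: SEQUENCE, SET, [n]
            found.extend(find_oids(data, s, e))
        elif tag == 0x04 and e > s and data[s] == 0x30:
            try:
                found.extend(find_oids(data, s, e))
            except ValueError:
                pass                            # opaque bytes (salt, ciphertext), not DER
    return found


def audit_pkcs12(data):
    """Return [(oid, name, provider)] for each distinct PBE scheme, in file order."""
    seen, result = set(), []
    for oid in find_oids(data):
        if oid in PBE_OIDS and oid not in seen:
            seen.add(oid)
            result.append((oid,) + PBE_OIDS[oid])
    return result


def needs_legacy_provider(data):
    """True if any PBE scheme used is only available from OpenSSL 3's legacy provider."""
    return any(p == "legacy provider" for _, _, p in audit_pkcs12(data))


# --- constructed sample (not a real certificate): a minimal PFX skeleton -------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))


def build_sample_pfx(pbe_oid):
    """PFX { v3, data { OCTET STRING { AuthenticatedSafe { encryptedData {
    EncryptedContentInfo { data, <pbe_oid> + params, [0] ciphertext } } } } } }.
    Salt, iteration count and ciphertext are filler; only the structure matters."""
    pbe_params = _der(0x30, _der(0x04, b"\x00" * 8) + _der(0x02, b"\x08\x00"))
    enc_alg = _der(0x30, _oid(pbe_oid) + pbe_params)
    enc_content = _der(0x30, _oid(OID_DATA) + enc_alg + _der(0x80, b"\xde\xad\xbe\xef" * 4))
    encrypted_data = _der(0x30, _der(0x02, b"\x00") + enc_content)
    content_info = _der(0x30, _oid(OID_ENCRYPTED_DATA) + _der(0xA0, encrypted_data))
    auth_safe = _der(0x04, _der(0x30, content_info))
    outer = _der(0x30, _oid(OID_DATA) + _der(0xA0, auth_safe))
    return _der(0x30, _der(0x02, b"\x03") + outer)


if __name__ == "__main__":
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_pfx("1.2.840.113549.1.12.1.6"))
    for oid, name, provider in audit_pkcs12(blob):
        print(f"{oid:26} {name:40} {provider}")
    print("needs OpenSSL 3 legacy provider:", needs_legacy_provider(blob))
```

Run it as `python3 p12audit.py roobre-k8s.p12`; with no argument it audits the built-in RC2-40 sample. The same information can be cross-checked with `openssl pkcs12 -info -in file.p12 -noout`, which prints the scheme on its "PKCS7 Encrypted data:" and "Shrouded Keybag:" lines. The durable fix is to re-export the bundle with a modern scheme, e.g. `openssl pkcs12 -export -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 ...` (OpenSSL 3's `openssl pkcs12 -export` already defaults to PBES2/AES), rather than loading the legacy provider into every consumer.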
