By cutting the connection and creating two secure tunnels, the Forefront TMG server can decrypt and inspect all communication between the client computer and the secure Web site during this session. Comment 23 David Woodhouse 2015-06-02 10:14:34 EDT (In reply to Kamil Dudka from comment #22) > I am not sure what else could be improved in the curl package. connected 16:45:30.939619 * Connected to
I am moving this bug to the nss component so that nss maintainers can have a look at this. You can find it at http://www.openssl.org/source/ or else Google for "openssl-0.9.8 tar gz". Note the ~1s incurred during the nss init phase, presumably related to fetching the client cert file. No, curl-7.40.0-3.fc22 does not work: ]$ curl -E 'pkcs11\:token=Gnome2%20Key%20Storage;id=%e6%34%78%b5%fd%86%77%ba%b9%86%95%c3%19%02%74%d1%f5%33%9a%97' -I -v https://auth.startssl.com * Rebuilt URL to: https://auth.startssl.com/ * Trying 18.104.22.168... * Connected to auth.startssl.com (22.214.171.124) port 443 (#0) * Initializing NSS
Just like we could have rebuilt it against GnuTLS in May of last year, when this bug was originally filed.
I think this gives you a different error though... Good Luck Dave Gianpaolo Fasoli 2004-07-13 15:44:50 UTC Post by David Stutzman Post by Gianpaolo Fasoli I'm not experiencing this problem with IE and NSS seems quite resistant to getting fixed (for anything, ever, but including this in particular). libcurl overrides the SelectClientCert() hook only for certificates loaded from files (detected by slash occurring in the name).
It would be way more disruptive than just applying those patches on NSS. > I'm OK with "let's fix it in NSS", followed by actually applying the patches. > > I'm Comment 28 David Woodhouse 2016-09-26 08:16:23 EDT The NSS patches are there, this is easily fixable for F25. Comment 17 David Woodhouse 2015-05-22 14:32:55 EDT No. mozilla honors the server's list. Post by Jean-Marc Desperrier This means anyone just has to give you a cert and tell you must use it to authentify to his site in order to have get
If no client certificate from file is given to curl, it uses the default GetClientAuthDataHook handler from NSS. Command line testing with curl: * NSS error -12227 (SSL_ERROR_HANDSHAKE_FAILURE_ALERT) * SSL peer was unable to negotiate an acceptable set of security parameters. * Closing connection 0 curl: (35) SSL peer I believe I updated an old feature matrix w.r.t. Just today I got email > from a student who may be interested in doing it, in fact (which is why I > was looking again).
Error code: -12227" which corresponds to: SSL_ERROR_HANDSHAKE_FAILURE_ALERT (http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html) Bravo for finding the web page that documents the error codes! Post by Gianpaolo Fasoli [error] mod_ssl: SSL handshake failed (OpenSSL library error follows) [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not You need to generate suitable security keys (certificates) before you can use SSL. Server certificate is not for server authentication Cause: The server certificate is not eligible for server authentication purposes. I think it has to be sql:/etc/pki/nssdb, since /etc/pki/nssdb means the legacy DB.
The platform "token database" is the one you get > from p11-kit. HTTPS inspection exclusion list—The implications of adding sites to the HTTPS inspection exclusion list. This should provide a clue as to where NSS is failing. openssl and nss implementations of curl?
The server responds with handshake failure alert. Back to your original question. I believe that libcurl linked against NSS loads certificates from /etc/pki/nssdb and ~/.pki/nssdb by default. How can we write a patch for libcurl then? :-) It sounds like the NSS bug should be looked at first...
Server certificate issues A number of problems can occur with server certificates that result in Forefront TMG blocking access to the site. If your server has not been configured with the names of CAs that it trusts to issue client certs, it's sending an empty list. When an SSL client receives such a malformed request, with The browser can only tell that U was issued by I, and I is not R.
We already had bugs against NSS. Comment 24 David Woodhouse 2016-03-01 03:26:36 EST (In reply to Kamil Dudka from comment #22) > Unless libcurl is asked to load a client certificate from file (which is not > This would explain why some SSL libraries, such as OpenSSL, are flexible enough to work around it. Did you check HTTP server configuration (which cipher suites it allows)? –sirgeorge Nov 1 '15 at 22:21 I've also come across this
Comment 13 Kamil Dudka 2015-05-13 15:56:09 EDT I believe the Version row tells us time of check for each of the columns. Bob offered to co-mentor such a project. However, name mismatch and trust are always checked, unless the “No Validation” mark is set. With the NSS fixes from https://bugzil.la/1296263 and https://bugzil.la/1162897 and with our system crypto policy amended as discussed in Fedora bug 1173577 this should all work nicely.
Does not that classify as "system token database"? The client is either a transparent client or a full proxy client accessing the web server using its IP address, and a DNS reverse address lookup (IP to name) of the Do I understand it correctly that this bug will go away once bug #1173577 is fixed?
The remote host supports only tlsv1.2 and the RC4-SHA cipher. Also, I've noticed that both IE and Opera ask the user to choose which certificate to present to the server which is not Mozilla's case. That 12227 error happens when you present the webserver