wasp256

Reputation: 6242

c++ libcurl fails to access, command line works

I'm trying to access a web service from curl with a TLSv1.2 connection. I'm able to access the service successfully via the command line with:

  curl -l --tlsv1.2 -E client.pem -v https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v1/sigrl/00000010

But when trying it in C++ with libcurl I receive the error:

 error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

This is a short version of the code:

#include <stdio.h>
#include <string.h>
#include <curl/curl.h>

int main(void) {
    CURL *curl;
    CURLcode res = CURLE_OK;

    curl = curl_easy_init();
    if (curl) {
        curl_easy_setopt(curl, CURLOPT_URL, "https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v1/sigrl/00000010");

        curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
        curl_easy_setopt(curl, CURLOPT_CAINFO, "./client.pem");
        curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);

        res = curl_easy_perform(curl);

        if (res != CURLE_OK)
            fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));

        curl_easy_cleanup(curl);
    }

    return (int)res;
}

Do I have to set any further options?

Version of curl:

 curl --version
 curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3

Version of libcurl:

 ii  libcurl3:amd64                              7.47.0-1ubuntu2.2
 ii  libcurl3-gnutls:amd64                       7.47.0-1ubuntu2.2
 ii  libcurl4-openssl-dev:amd64                  7.47.0-1ubuntu2.2

Upvotes: 0

Views: 609

Answers (1)

Argenet

Reputation: 389

Seems the problem is that you're incorrectly using your client certificate, as you set it to be used as a CA for validating the server-side certificate with

curl_easy_setopt(curl, CURLOPT_CAINFO, "./client.pem");

This doesn't match how client.pem is used in the command line where it is passed with -E flag.

 -E, --cert <certificate[:password]>
          (SSL) Tells curl to use the specified client certificate file when getting a file with HTTPS, FTPS or another SSL-based protocol.

Try to remove that line and use the following lines instead:

curl_easy_setopt(curl, CURLOPT_SSLCERT, "./client.pem");
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);  /* must be a long: curl_easy_setopt is variadic */

If this works, you should remove the line setting CURLOPT_SSL_VERIFYPEER to 0 and experiment with setting a proper CA to validate the server-side certificate.

Upvotes: 3
