`curlimages/curl:8.1.0` fails to load a p12 certificate that `8.00.1` could
I've just noticed that an upgrade from 8.00.1 to 8.1.0 has caused a curl command to fail to load a p12 certificate. The error returned is not very verbose:
```
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Trying 88.99.146.130:443...
* Connected to pdns.roobre.es (88.99.146.130) port 443 (#0)
* ALPN: offers h2,http/1.1
* could not parse PKCS12 file, check password, OpenSSL error error:0308010C:digital envelope routines::unsupported
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (58) could not parse PKCS12 file, check password, OpenSSL error error:0308010C:digital envelope routines::unsupported
```
The command triggering this is:
```shell
curl -SvX PATCH -H "Content-Type: text/json" -d "something something" -H "X-API-Key: $API_KEY" "https://pdns.roobre.es/api/v1/servers/localhost/zones/$zone" -E "/roobre-k8s.p12:$CERT_PASS" --cert-type P12
```
`$CERT_PASS` contains the correct password for `/roobre-k8s.p12`, and the same command works on `curlimages/curl:8.00.1`.
I should be able to provide some more info if needed :)
At first glance, I do not think there is anything container related here ... e.g. probably best to verify if plain ole curl 8.1.0 (albeit with the same build flags/deps) reproduces this error, e.g. this might just be a curl error. Will investigate if I have the time.
Hey @xquery,
It seems that you are right, I can reproduce a similar issue with plain old curl 8.0.1 (x86_64-pc-linux-gnu) libcurl/8.0.1 OpenSSL/3.0.8 zlib/1.2.13 brotli/1.0.9 zstd/1.5.5 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.10.0 nghttp2/1.52.0.
Which is pretty weird, because this container worked 24 hours ago without me changing absolutely anything. I will dig further to see if this is related to curl or not 😕
We just made a new release ... https://github.com/curl/curl/issues/11129 may fix it ... we plan a patch release of curl and will also release a container.
I don't think this is the 11129 bug, because @roobre says it reproduces in 8.0.1 and it does not seem related to the URL...
I think I've been able to nail down the issue here. The p12 certificate in question uses RC2-40-CBC, which is considered a legacy cipher by OpenSSL. Curl was fine using this cert before, but the new image refuses to do so. Not sure if it could be a change of the build environment or a code change in curl itself.
That being said, it would seem that RC2-40-CBC is a poor choice for a cipher so probably curl is right refusing to load it.
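Following up on the RC2-40-CBC finding, here is an added example (not code from this thread, from curl, or from the image maintainers) that reports which password-based encryption schemes a `.p12` declares without needing its password, so files that will need re-export before an OpenSSL 3 based build can be found ahead of time. The OIDs and RFC numbers are real; the sample bytes, the `SAMPLE_RC2_BAG` name and the helpers are constructed for the example.

```python
# Added example, not code from the thread: report the password-based encryption (PBE)
# schemes a PKCS#12 file declares, without its password; the AlgorithmIdentifier OIDs
# sit outside the ciphertext. OpenSSL 3 ships RC2/RC4 PBE only in its optional
# "legacy" provider, hence the "digital envelope routines::unsupported" error above.
PBE_OIDS = {  # RFC 7292 / RFC 8018; flag = needs the OpenSSL 3 legacy provider
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", True),
    "1.2.840.113549.1.5.13": ("PBES2 (PBKDF2 + a modern cipher such as AES)", False),
}

def _tlv(buf, i):                                       # DER tag/length at buf[i]
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, i, i + length                           # (tag, content start, end)

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                   # base-128, high bit continues
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def find_oids(buf, start=0, end=None):
    """Collect OIDs recursively; an OCTET STRING is entered only when exactly one
    SEQUENCE fills it (how PKCS#12 nests content), which ciphertext almost never does."""
    end, i, oids = len(buf) if end is None else end, start, []
    while i < end:
        tag, s, e = _tlv(buf, i)
        if tag == 0x06:
            oids.append(_decode_oid(buf[s:e]))
        elif tag & 0x20:                                # constructed: SEQUENCE, SET, [n]
            oids += find_oids(buf, s, e)
        elif tag == 0x04 and e - s > 2 and buf[s] == 0x30 and _tlv(buf, s)[2] == e:
            oids += find_oids(buf, s, e)
        i = e
    return oids

def pbe_report(der):
    """Return [(oid, name, needs_legacy_provider)] for each PBE scheme found."""
    return [(o, *PBE_OIDS[o]) for o in dict.fromkeys(find_oids(der)) if o in PBE_OIDS]

# Constructed sample (not a real .p12): an encrypted certificate bag as OpenSSL 1.x
# shaped it, declaring RC2-40 PBE. _der is a minimal short-form DER encoder.
_der = lambda tag, content: bytes([tag, len(content)]) + content
SAMPLE_RC2_BAG = _der(0x04, _der(0x30,
    _der(0x06, bytes.fromhex("2a864886f70d010701"))                  # contentType: pkcs7-data
    + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010c0106")))  # RC2-40 PBE, no params
    + _der(0x04, b"\x30\x05\xde\xad\xbe\xef\xde\xad")))               # ciphertext starting 0x30
```

Run it as `pbe_report(open("cert.p12", "rb").read())`; a file flagged `True` can be read once with OpenSSL 3's `openssl pkcs12 -legacy` and written back with `openssl pkcs12 -export`, whose OpenSSL 3 defaults use PBES2 with AES-256-CBC.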