On Thu, Mar 11, 2021 at 07:48:40PM -0500, John Szakmeister wrote: > Here's my second attempt at getting the certificate password into the credential > store. I tested from a working PKI setup and found curl--at least reasonable > recent versions of it--return CURLE_SSL_CERTPROBLEM: > > CURLE_SSL_CERTPROBLEM (58) > problem with the local client certificate. > > It appears there could be another possible error from curl: > > CURLE_SSL_CONNECT_ERROR (35) > A problem occurred somewhere in the SSL/TLS handshake. You > really want the error buffer and read the message there as it > pinpoints the problem slightly more. Could be certificates (file > formats, paths, permissions), passwords, and others. > > This seems less likely to be a bad client password scenario, so I did not look > for this particular error to reject it. > > I also added one other small patch to remove the check of a non-empty password > before calling credential_store() for proxy_auth, as credential_store() already > checks for a non-empty password and gracefully handles it when it doesn't. Thanks. Both patches look good to me. I wondered briefly if we needed to worry about old versions of curl missing CURLE_SSL_CERTPROBLEM. But it seems to have shown up in ~2002, so I think we are fine to assume it's there. It would be nice if we had some tests here, but we currently do not cover any of the ssl-cert stuff in the test suite. I suspect adding them would be a big pain to configure and maintain, so I'm OK to leave it off for now. Hopefully you gave it some basic manual testing with your working setup (good password is stored, bad password is rejected). Looking at how we generate the server-side cert for our http tests, we could _probably_ do something similar for a client-side cert, and just configure the server to accept a self-signed certificate. But like I said, I'm OK to leave that for another series (though of course if you want to work on it, that would be very much appreciated). -Peff
