2018-06-08 10:40:58 UTC
we already solved why Firefox was able to authenticate to a server while curl
was always failing.
A Wireshark trace revealed that Firefox is sending not only the client
certificate but also one intermediate CA cert that is part of the 4 cert trust
chain up to the highest Root CA Cert.
Using curl I got that done by adding --cacert.
However man curl, --cacert <file> is unclear about that:
"(TLS) Tells curl to use the specified certificate file to verify the
peer." or even wrong, as this cert is added to the client cert at TLS
As far as I understand this is only used to validate the server cert on client
In curl I got it also solved without --cacert when merging both certs into one
.pem file and using that as --cert.
I would propose to adapt the handling about --cacert and/or adapt the
documentation about it.
Looking on how Qt for instance is doing this:
Can only add one certificate. For the others I guess it is
doesn't change anything about the certificates send from the client but as
described just changes the database for validating the peers certificate.
So I would propose to change --cacert to this behaviour and add some
--certchain to explicitly add more certificates of the trust chain.
Question however is: Is this a common approach to send the CA certificate as
well? Where is this documented as TLS doesn't describe that:
Why behaves Firefox that way and how does it know to only send one intermediate
in a chain of 4 certificates in total up to the root cert? It could have also
sent 2 intermediates or all.
At subscription to the server they provided a list of trusted CAs, Comodo was
there and we purchased a signed cert from them. So actually they should have all
Root CAs and intermediate on the server, just like a Firefox installation also
To me it is non-sense sending the intermediate cert. This sounds like providing
the (potentially corrupted) trust chain to the other peer. Instead I think the
other site should have the freedom to choose which CAs it trusts and fetch the
CA certs itself.
As the server already has our certificate from the subscription process, they
should actually only match this instead of validating with the CA.
As client cert auth is rare, I don't find examples how servers actually do this.