[php-maint] Bug#780771: php5-curl: libcurl no more sends client certificate during mutual TLS authentication

Thu Mar 19 05:34:47 UTC 2015

Package: php5-curl
Version: 5.4.38-0+deb7u1
Severity: normal

Dear Maintainer,

I upgraded today from 5.4.36 to 5.4.38 and the mutual authentication that I have coded with
the curl php module is no more working : the client certificate is no more sent to the 
server. Here is the code to reproduce the bug :

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_VERBOSE       , TRUE);
curl_setopt($ch, CURLOPT_SSLCERT       , "cert.pem");
curl_setopt($ch, CURLOPT_URL           , "https://www.myweb.com");
echo curl_exec($ch);
?>

Output is :
* About to connect() to www.myweb.com port 443 (#0)
*   Trying 10.11.12.13...
* connected
* Connected to myweb.com (10.11.12.13) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSL connection using DHE-RSA-AES256-SHA

[...]

* Server certificate:
*        subject: C=FR; O=Org; CN=*.myweb.com
*        start date: 2014-01-31 16:15:52 GMT
*        expire date: 2019-01-31 16:15:52 GMT
*        common name: *.myweb.com (matched)
*        issuer: C=FR; O=Org; CN= Auth Server CA
*        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
Host: www.myweb.com
Accept: */*

* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 400 Bad Request
< Server: nginx/1.4.4
< Date: Wed, 18 Mar 2015 19:57:28 GMT
< Content-Type: text/html
< Content-Length: 252
< Connection: close
<
* Closing connection #0
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/1.4.4</center>
</body>
</html>

Regards,

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5-curl depends on:
ii  dpkg                                   1.16.15
ii  libapache2-mod-php5 [phpapi-20100525]  5.4.38-0+deb7u1
ii  libc6                                  2.13-38+deb7u8
ii  libcurl3                               7.26.0-1+wheezy12
ii  php5-cli [phpapi-20100525]             5.4.38-0+deb7u1
ii  php5-common                            5.4.38-0+deb7u1
ii  ucf                                    3.0025+nmu3

php5-curl recommends no packages.

php5-curl suggests no packages.

-- no debconf information