Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

Replace curl shipped with Windows with a recent version not built by Microsoft

Daniel Nashed – 18 November 2021 22:35:11

While working on an OpenSSL server-side project, I used curl.exe to test client certificate authentication.
It turned out that the curl.exe shipped with Windows 11 is a quite old version, last security-patched at the end of 2019.
It is the exact same version I also see on Windows 10 (see details below).


Shipping an old version of a well-known and security-relevant tool isn't what I would expect.
And it turned out that an old, unexpected behavior was hitting me. It even made it impossible for me to pass my own client certificates.

The Windows curl binary automatically sends a client certificate, even when the server side did not indicate a matching root/intermediate CA in its certificate request.

It is a privacy issue, which also prevents me from using my own client certificates.
I figured it out by writing code in my OpenSSL project to dump which certificates I receive in the verify callbacks.

curl fixed this behavior quite a while ago. And even with the option to enable auto credentials, I don't see the same behavior with current versions of curl.
So it sounds like the Microsoft curl version behaves differently from the vanilla curl open-source code when using the Microsoft "Schannel (SSP)" backend.

You can find the details of the curl fix here:

schannel: Disable auto credentials; add an option to enable it
https://github.com/curl/curl/commit/54e747501626b81


If you are using curl on Windows, I would strongly recommend replacing the curl shipped with Windows with a current curl version provided by the curl project directly!

Here is a direct download link for Windows Curl

https://curl.se/windows/

On the same page you also find my preferred OpenSSL build. You can download OpenSSL 3.0 binaries, libs and headers directly from there too.
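The following PowerShell script is an added example, not code from the original post or from the curl project. It locates every curl.exe on PATH, reads the version banner, flags the build if it is older than 7.77.0 (the release in which the Schannel auto client certificate behaviour from the commit above became opt-in via --ssl-auto-client-cert), and then runs the client certificate test with an explicitly passed certificate. The install directory C:\Tools\curl\bin, the certificate file C:\certs\client.pfx, its password and the data file are placeholders you need to adjust.

```powershell
# Added example: audit the curl builds on this machine and run the client cert
# test with a current curl from https://curl.se/windows/ instead of the
# Windows-shipped one. Directory, certificate and password below are placeholders.

# 7.77.0 is the first release where Schannel no longer picks a client
# certificate on its own (CURLSSLOPT_AUTO_CLIENT_CERT / --ssl-auto-client-cert).
$MinVersion = [version]'7.77.0'

function Get-CurlBuilds {
    # In Windows PowerShell 5.1 'curl' is an alias for Invoke-WebRequest, so the
    # binary must be resolved and called as curl.exe. -All returns every copy on
    # PATH, not just the first one (usually C:\Windows\System32\curl.exe).
    $found = Get-Command curl.exe -CommandType Application -All -ErrorAction SilentlyContinue
    foreach ($cmd in $found) {
        $out = (& $cmd.Source --version 2>&1) -join "`n"
        $ver = $null
        if ($out -match 'curl\s+(\d+\.\d+\.\d+)') { $ver = [version]$Matches[1] }

        # Old builds report the Schannel backend as "WinSSL"; the curl.se build
        # lists both OpenSSL (default) and Schannel.
        [pscustomobject]@{
            Path     = $cmd.Source
            Version  = $ver
            Schannel = [bool]($out -match 'WinSSL|Schannel')
            OpenSSL  = [bool]($out -match 'OpenSSL/')
            Outdated = ($null -eq $ver) -or ($ver -lt $MinVersion)
        }
    }
}

Get-CurlBuilds | Format-Table Path, Version, Schannel, OpenSSL, Outdated -AutoSize

# Prefer the downloaded curl for this session by placing its directory ahead of
# System32 on PATH (placeholder directory).
$NewCurlDir = 'C:\Tools\curl\bin'
if (-not (Test-Path (Join-Path $NewCurlDir 'curl.exe'))) {
    throw "No curl.exe found in $NewCurlDir - download it from https://curl.se/windows/"
}
$env:Path = "$NewCurlDir;$env:Path"

# Client certificate test from the post, now with the certificate passed
# explicitly (--data-binary already makes this a POST, so -X POST is not needed).
& "$NewCurlDir\curl.exe" -v --cert 'C:\certs\client.pfx:secret' --cert-type P12 `
    --data-binary '@mydata.txt' https://home.nashcom.org:4433/test

# To reproduce the old automatic selection on purpose, select the Schannel backend
# of the MultiSSL build and opt in explicitly:
#   $env:CURL_SSL_BACKEND = 'schannel'
#   curl.exe -v --ssl-auto-client-cert https://home.nashcom.org:4433/test
```

Run it from a PowerShell prompt after unpacking the curl.se download. A row with Version 7.55.1 and Outdated True is the Windows-shipped binary; as long as it sits first on PATH, typing plain curl.exe in cmd.exe will still pick it up, so either adjust PATH permanently or always call the new binary by full path.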


Here are the details of the privacy issue I ran into in my test:

In my case, even without requesting a client certificate from this CA in my OpenSSL application, the curl version shipped with Windows sends a certificate:

Example:

c:\windows\system32\curl.exe -v --data-binary "@mydata.txt" -X POST https://home.nashcom.org:4433/test

Result:

On the receiving side, using my own OpenSSL-based application, I see the following certificate:

Subject: [/CN=337eda75-5350-41d2-98d7-48e86a3df60a]
Issuer: [/DC=net/DC=windows/CN=MS-Organization-Access/OU=82dbaca4-3e81-46ca-9c73-0950c1eaca97]


The basic behavior is described in the curl fix.
But this still does not completely explain why the Microsoft curl implementation sends the certificate in my case.


-- Reference version information --

Windows 11 version information


curl.exe --version
curl 7.55.1 (Windows) libcurl/7.55.1 WinSSL
Release-Date: 2017-11-14, security patched: 2019-11-05
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL

----------------------------

Current downloaded curl version information


curl 7.80.0 (x86_64-pc-win32) libcurl/7.80.0
OpenSSL/3.0.0 (Schannel) zlib/1.2.11 brotli/1.0.9 zstd/1.5.0 libidn2/2.3.2 libssh2/1.10.0 nghttp2/1.46.0 libgsasl/1.10.0
Release-Date: 2021-11-10
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI TLS-SRP UnixSockets zstd



