Bug 1684797 - CURLINFO_CERTINFO empty probably because of problem with libcurl
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: curl
Version: 7.6
Hardware: All
OS: Unspecified
unspecified
low
Target Milestone: rc
: ---
Assignee: Kamil Dudka
QA Contact: qe-baseos-daemons
URL: https://talk.plesk.com/threads/php-li...
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks:
Reported: 2019-03-02 15:46 UTC by rvmp
Modified: 2019-03-04 14:04 UTC (History)
External Trackers
Tracker ID Priority Status Summary Last Updated
CentOS 15892 None None None 2019-03-02 15:46 UTC

Description rvmp 2019-03-02 15:46:44 UTC
Description of problem:
No CERTIFICATE information returned when using curl with PHP (CURLINFO_CERTINFO)
According to bugs.centos.org, probably something is wrong in the Red Hat release of curl/libcurl.

Version-Release number of selected component (if applicable):
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3

How reproducible:
See the steps below. Simple PHP script can also reproduce this.

Steps to Reproduce:
Take a relevant example from libcurl documentation: 
cp /usr/share/doc/libcurl-devel-7.29.0/certinfo.c .
Edit certinfo.c to match PHP script (replace URL with https://plesk.com)
Compile: gcc -l curl certinfo.c
Run: ./a.out

Actual results:
0 certs!

Expected results:
4 certs!
Subject:OU=Domain Control Validated; OU=PositiveSSL; CN=plesk.com
Issuer:C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
Version:2
Signature Algorithm:sha256WithRSAEncryption
Start date:2016-12-19 00:00:00 GMT
Expire date:2019-12-19 23:59:59 GMT
Public Key Algorithm:rsaEncryption
RSA Public Key:2048
rsa(n):ac:2d:d6:4a:4c:f2:17:02:8b:0f:cf:c4:1f:bd:7f:fd:e2:a8:00:07:94:56:fc:69:17:2b:d7:05:7a:ef:eb:0f:4f:d9:c8:be:b1:8f:fc:40:2b:a0:08:2f:56:1c:91:c5:fe:3e:19:55:d8:c3:6e:a3:c5:f0:9c:8e:1c:f4:b8:89:56:8b:ad:bd:cc:8d:0c:dc:c3:72:62:b9:3c:b0:4b:b8:09:92:3b:f3:c7:df:b2:f1:30:cb:32:b8:64:52:54:29:94:db:da:d3:f9:7b:0a:30:f9:67:2c:57:29:58:8a:d8:da:60:c5:01:9e:4d:9e:ec:36:ec:aa:08:1a:03:ef:37:c2:93:b5:13:37:bf:f0:b6:fc:a8:b9:6f:c6:b2:2c:02:84:9c:e0:d3:ef:55:84:b1:a8:b8:5d:a4:73:6f:ee:07:a6:03:98:a1:6d:f9:96:e1:bc:d2:6d:6b:4f:fe:7a:92:7a:98:00:9a:b9:bc:6d:cf:63:8e:8b:58:da:22:7e:08:c2:07:3d:17:a5:ed:64:af:a8:7f:f0:16:9d:37:87:06:01:5b:2d:b9:e4:74:08:57:eb:5a:87:81:c2:30:3e:ca:23:a2:81:97:f5:8f:7d:fc:60:7d:ca:2a:7c:bc:3a:91:0f:a1:45:6c:58:0f:36:71:d9:6b:d3:ca:0c:28:e6:61:
rsa(e):01:00:01:

Additional info:
On CentOS 7 during PHP 7.3 configure:
| /* confdefs.h */
| #...
| #define HAVE_CURL_SSL 1
| /* end confdefs.h. */
|
| #include <strings.h>
| #include <curl/curl.h>
|
| int main(int argc, char *argv[])
| {
| curl_version_info_data *data = curl_version_info(CURLVERSION_NOW);
|
| if (data && data->ssl_version && *data->ssl_version) {
| const char *ptr = data->ssl_version;
|
| while(*ptr == ' ') ++ptr;
| return strncasecmp(ptr, "OpenSSL", sizeof("OpenSSL")-1);
| }
| return 1;
| }
|
configure:24506: result: no
configure:24515: checking for gnutls support in libcurl
configure:24543: ccache gcc -o conftest -lcurl conftest.c -lbz2 -lz -lrt -lm -ldl -lnsl -lxml2 -lz -lm -ldl -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lssl -lcrypto >&5
configure:24543: $? = 0
configure:24543: ./conftest
configure:24543: $? = 7
configure: program exited with status 7
configure: failed program was:
| /* confdefs.h */
| #...
| #define HAVE_CURL_SSL 1
| /* end confdefs.h. */
|
| #include <strings.h>
| #include <curl/curl.h>
|
| int main(int argc, char *argv[])
| {
| curl_version_info_data *data = curl_version_info(CURLVERSION_NOW);
|
| if (data && data->ssl_version && *data->ssl_version) {
| const char *ptr = data->ssl_version;
|
| while(*ptr == ' ') ++ptr;
| return strncasecmp(ptr, "GnuTLS", sizeof("GnuTLS")-1);
| }
| return 1;
| }
|
configure:24560: result: no
configure:24673: checking for curl_easy_perform in -lcurl
configure:24698: ccache gcc -o conftest -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fno-strict-aliasing -pipe -Wno-all -fvisibility=hidden -Wl,--enable-new-dtags -lcurl conftest.c -lcurl -lbz2 -lz -lrt -lm -ldl -lnsl -lxml2 -lz -lm -ldl -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lssl -lcrypto >&5
configure:24698: $? = 0
configure:24707: result: yes
configure:24828: checking for curl_easy_strerror in -lcurl
configure:24853: ccache gcc -o conftest -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fno-strict-aliasing -pipe -Wno-all -fvisibility=hidden -Wl,--enable-new-dtags -lcurl conftest.c -lcurl -lbz2 -lz -lrt -lm -ldl -lnsl -lxml2 -lz -lm -ldl -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lssl -lcrypto >&5
configure:24853: $? = 0
configure:24862: result: yes
configure:24981: checking for curl_multi_strerror in -lcurl
configure:25006: ccache gcc -o conftest -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fno-strict-aliasing -pipe -Wno-all -fvisibility=hidden -Wl,--enable-new-dtags -lcurl conftest.c -lcurl -lbz2 -lz -lrt -lm -ldl -lnsl -lxml2 -lz -lm -ldl -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lssl -lcrypto >&5
configure:25006: $? = 0
configure:25015: result: yes
...
ac_cv_lib_curl_curl_easy_perform=yes
ac_cv_lib_curl_curl_easy_strerror=yes
ac_cv_lib_curl_curl_multi_strerror=yes

Comment 2 Kamil Dudka 2019-03-04 13:27:02 UTC
CURLINFO_CERTINFO is not supported by the RHEL-7 version of curl.  We would need to backport (at least) the following two upstream patches to make it work:

https://github.com/curl/curl/commit/curl-7_31_0-56-g3a24cb7bc
https://github.com/curl/curl/commit/curl-7_33_0-80-gf6c335d63

If this feature is important for your business, please contact Product Support.
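
Code that consumes CURLINFO_CERTINFO (for example an expiry or chain audit) should treat the "0 certs!" result above as "unknown" rather than as a passing check. The following is an added example, not code from this bug report or from curl: the `slist`/`certinfo` structs are local stand-ins shaped like libcurl's so it builds without libcurl, the function names are hypothetical, and the date format is assumed to match the expected output quoted in the description.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins shaped like libcurl's curl_slist / curl_certinfo
   (assumption for this example; no libcurl headers needed). */
struct slist { const char *data; struct slist *next; };
struct certinfo { int num_of_certs; struct slist **certs; };

enum ci_status { CI_UNAVAILABLE, CI_NO_EXPIRY, CI_EXPIRED, CI_VALID };

/* Return the value part of a "key:value" entry for one certificate, or NULL. */
static const char *ci_field(const struct slist *l, const char *key)
{
    size_t n = strlen(key);
    for (; l; l = l->next)
        if (l->data && strncmp(l->data, key, n) == 0 && l->data[n] == ':')
            return l->data + n + 1;
    return NULL;
}

/* now_utc and the field both start with "YYYY-MM-DD HH:MM:SS", so a
   19-byte lexicographic compare orders them chronologically. */
enum ci_status leaf_expiry(const struct certinfo *ci, const char *now_utc)
{
    const char *exp;
    if (!ci || ci->num_of_certs <= 0 || !ci->certs || !ci->certs[0])
        return CI_UNAVAILABLE;      /* the "0 certs!" case: never a pass */
    exp = ci_field(ci->certs[0], "Expire date");
    if (!exp || strlen(exp) < 19)
        return CI_NO_EXPIRY;
    return strncmp(exp, now_utc, 19) < 0 ? CI_EXPIRED : CI_VALID;
}

/* Constructed sample: two fields copied from the expected output above. */
static struct slist f2 = { "Expire date:2019-12-19 23:59:59 GMT", NULL };
static struct slist f1 = { "Start date:2016-12-19 00:00:00 GMT", &f2 };
static struct slist *chain[] = { &f1 };
static const struct certinfo sample = { 1, chain };
static const struct certinfo empty = { 0, NULL };

int main(void)
{
    printf("empty:  %d\n", leaf_expiry(&empty, "2019-03-02 15:46:44"));
    printf("sample: %d\n", leaf_expiry(&sample, "2019-03-02 15:46:44"));
    printf("later:  %d\n", leaf_expiry(&sample, "2020-01-01 00:00:00"));
    return 0;
}
```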

