CURLcode: add CURLE_SSL_CLIENTCERT

When a TLS server requests a client certificate during handshake and
none can be provided, libcurl now returns this new error code
CURLE_SSL_CLIENTCERT

Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.

Closes #6721

docs/libcurl/libcurl-errors.3

@@ -262,6 +262,8 @@ be one out of several problems, see the error buffer for details.
 .IP "CURLE_QUIC_CONNECT_ERROR (96)"
 QUIC connection error. This error may be caused by an SSL library error. QUIC
 is the protocol used for HTTP/3 transfers.
+.IP "CURLE_SSL_CLIENTCERT (98)"
+SSL Client Certificate required.
 .IP "CURLE_OBSOLETE*"
 These error codes will never be returned. They were used in an old libcurl
 version and are currently unused.

docs/libcurl/symbols-in-versions

@@ -126,6 +126,7 @@ CURLE_SSL_CACERT                7.10          7.62.0
 CURLE_SSL_CACERT_BADFILE        7.16.0
 CURLE_SSL_CERTPROBLEM           7.10
 CURLE_SSL_CIPHER                7.10
+CURLE_SSL_CLIENTCERT            7.77.0
 CURLE_SSL_CONNECT_ERROR         7.1
 CURLE_SSL_CRL_BADFILE           7.19.0
 CURLE_SSL_ENGINE_INITFAILED     7.12.3

include/curl/curl.h

@@ -612,6 +612,7 @@ typedef enum {
   CURLE_HTTP3,                   /* 95 - An HTTP/3 layer problem */
   CURLE_QUIC_CONNECT_ERROR,      /* 96 - QUIC connection error */
   CURLE_PROXY,                   /* 97 - proxy handshake error */
+  CURLE_SSL_CLIENTCERT,          /* 98 - client-side certificate required */
   CURL_LAST /* never use! */
 } CURLcode;
 

lib/strerror.c

@@ -323,6 +323,9 @@ curl_easy_strerror(CURLcode error)
   case CURLE_PROXY:
     return "proxy handshake error";
 
+  case CURLE_SSL_CLIENTCERT:
+    return "SSL Client Certificate required";
+
     /* error codes not used by current libcurl */
   case CURLE_OBSOLETE20:
   case CURLE_OBSOLETE24:

lib/vtls/openssl.c

@@ -3292,6 +3292,19 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data,
              error_buffer */
           strcpy(error_buffer, "SSL certificate verification failed");
       }
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \
+    !defined(LIBRESSL_VERSION_NUMBER) && \
+    !defined(OPENSSL_IS_BORINGSSL))
+      /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
+         OpenSSL version above v1.1.1, not Libre SSL nor BoringSSL */
+      else if((lib == ERR_LIB_SSL) &&
+              (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) {
+          /* If client certificate is required, communicate the
+             error to client */
+          result = CURLE_SSL_CLIENTCERT;
+          ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
+      }
+#endif
       else {
         result = CURLE_SSL_CONNECT_ERROR;
         ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));

lib/vtls/sectransp.c

@@ -2708,8 +2708,9 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn,
 #if CURL_BUILD_MAC_10_6
       /* Only returned when kSSLSessionOptionBreakOnCertRequested is set */
       case errSSLClientCertRequested:
-        failf(data, "The server has requested a client certificate");
+        failf(data, "Server requested a client certificate during the "
-        break;
+              "handshake");
+        return CURLE_SSL_CLIENTCERT;
 #endif
 #if CURL_BUILD_MAC_10_9
       /* Alias for errSSLLast, end of error range */

tests/data/test1538

@@ -130,7 +130,8 @@ e94: An authentication function returned an error
 e95: HTTP/3 error
 e96: QUIC connection error
 e97: proxy handshake error
-e98: Unknown error
+e98: SSL Client Certificate required
+e99: Unknown error
 m-1: Please call curl_multi_perform() soon
 m0: No error
 m1: Invalid multi handle