
curl-users

Re: certificate chains in curl

From: Graeme Pyle <graemian_at_yahoo.com>
Date: Thu, 22 Jun 2000 07:50:41 -0700 (PDT)

hi daniel,

thanks for the quick response :)

the certificate i'm trying to authenticate with is
signed by SACA - verisign's representative in south
africa.

this signer isn't installed in apache-modssl, so my
web server has no reason to trust anything it has
signed. however, verisign's root CA has signed the CA
cert for saca, which means that verisign trusts saca,
so i should too.

the chain looks like this:

* my cert
 * saca ca cert
  * verisign ca cert (built into modssl and browsers)

when openssl authenticates, it can be told to supply
the cert chain too (saca's ca cert) so the chain of
trust is complete. curl can only use a single cert, so
it can't complete this trust chain for apache. as a
result, the authentication fails.

the command line to authenticate with a chain is

openssl s_client -cert realcert.pem -host e.mustek.co.za -port 443 -bugs -CAfile chain.pem

i've solved my problem by adding the saca cert to
modssl's list of ca's, but it would be cool if curl
could supply the chain too

anyhow, thanks for a really useful tool

cheers,

g

--- Daniel Stenberg <daniel_at_haxx.se> wrote:
> On Wed, 21 Jun 2000, Graeme Pyle wrote:
>
> > my certificate is chained. "openssl s_client" works with the command
> > line:
>
> Forgive me, but I don't even know what a 'chained' certificate is!
>
> > openssl s_client -cert realcert.pem -host e.mustek.co.za -port 443 -bugs -CAfile list.pem
> >
> > but not without the CAfile parameter. curl also fails to authenticate.
> >
> > is there some way i can tell curl about my chain in a config file or
> > environment variable?
>
> This sounds like something I have not taken into account when I did the
> certificate stuff in curl. It might be that we need to incorporate this.
>
> Curl only supports -E which accepts one single file for certificate and
> (private?) key.
>
> --
> Daniel Stenberg - http://daniel.haxx.se - +46-705-44 31 77
> ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
>

=====
Graeme Pyle
 
        +27 83 340 1642
        gpyle_at_bigfoot.com
        http://www.bigfoot.com/~gpyle
        http://calendar.yahoo.com/public/graemian
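The chain problem described in the mail, reproduced end to end as an added example (this is editor-supplied code, not from the mail, from the poster or from the curl project). It builds a three-level chain with made-up CA names standing in for the "verisign" root and the "saca" intermediate, then checks the three situations the mail discusses: a verifier that holds only the root and is shown only the leaf (fails), the same verifier given the intermediate as untrusted chain material (succeeds, which is what the s_client -CAfile run did), and the workaround the poster used of adding the intermediate to the trusted list. It assumes only the openssl command-line tool (1.1.1 or later).

```shell
#!/bin/sh
# Added example, not code from the mail or from the curl project.
# Builds a three-level chain like the one in the mail:
#   leaf ("my cert") <- intermediate ("saca ca cert") <- root ("verisign ca cert")
# using made-up names, then checks who can verify the leaf with what.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root CA. Only this cert is "built into" the verifier below.
cat > root.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -config root.cnf -newkey rsa:2048 -nodes -days 365 \
    -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA, signed by the root (the "saca" step in the chain).
cat > inter.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile inter.ext -out inter.pem 2>/dev/null

# Client (leaf) certificate, signed by the intermediate only.
cat > leaf.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example client" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null

# 1. The server's situation in the mail: it trusts the root only and the
#    client presents nothing but its leaf, so the leaf's issuer is unknown.
verify_leaf_only() {
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# 2. The "s_client -CAfile chain.pem" situation: the intermediate travels
#    with the leaf as untrusted chain material, so a path to the root exists.
verify_leaf_with_chain() {
    openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

# 3. The workaround the mail settled on: put the intermediate into the
#    server's trusted CA list, so the leaf's issuer is trusted directly.
verify_with_intermediate_trusted() {
    cat root.pem inter.pem > trusted.pem
    openssl verify -CAfile trusted.pem leaf.pem >/dev/null 2>&1
}

# Chain file a client would present: leaf first, then the intermediate(s),
# never the root (the verifier must already hold that one).
cat leaf.pem inter.pem > client-chain.pem
chain_cert_count() {
    grep -c 'BEGIN CERTIFICATE' client-chain.pem
}

if verify_leaf_only; then echo "unexpected: leaf verified without the chain"; fi
verify_leaf_with_chain && echo "leaf verified once the intermediate was supplied"
verify_with_intermediate_trusted && echo "leaf verified with the intermediate trusted directly"
echo "client chain file carries $(chain_cert_count) certificates"
```

The order in client-chain.pem matters: the end-entity certificate first, followed by each issuing intermediate up to (but not including) the root. Current curl built against OpenSSL reads a PEM file given to -E/--cert as such a chain and sends every certificate in it, with the private key supplied separately via --key, which is the behaviour the mail was asking for; whether the receiving server then accepts the chain still depends on its own trust store containing the root, exactly as in the first check above.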

Received on 2000-06-22