curl/gnutls & Gentoo

From: Ralph Mitchell <ralphmitchell_at_gmail.com>
Date: Fri, 19 Aug 2005 12:32:20 -0500

After reading Daniel's email concerning Debian maybe dropping OpenSSL in
favour of GNUtls, I thought I'd try compiling with gnutls on a Gentoo
system. It's easy enough, just set the use flag. What I got was a little
disturbing - the curl binary was unable to pull the Gmail home page...
Taking it from the top, this is how it looks:

The configure stage does this:

./configure --prefix=/usr --host=i686-pc-linux-gnu --mandir=/usr/share/man \
--infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc \
--localstatedir=/var/lib --build=i686-pc-linux-gnu --enable-ldap \
--enable-http --enable-ftp --enable-gopher --enable-file --enable-dict \
--enable-manual --enable-telnet --enable-nonblocking --enable-largefile \
--enable-ipv6 --disable-ares --without-ssl --with-gnutls=/usr

which results in this, just before the compiling starts:

curl version: 7.14.0
Host setup: i686-pc-linux-gnu
Install prefix: /usr
Compiler: i686-pc-linux-gnu-gcc
SSL support: enabled (GnuTLS)
zlib support: enabled
krb4 support: no (--with-krb4*)
GSSAPI support: no (--with-gssapi)
SPNEGO support: no (--with-spnego)
c-ares support: no (--enable-ares)
ipv6 support: enabled
IDN support: enabled
Build libcurl: Shared=yes, Static=yes
Built-in manual: enabled
Verbose errors: enabled (--disable-verbose)
SSPI support: no (--enable-sspi)
ca cert path: ${prefix}/share/curl/curl-ca-bundle.crt

After installing the binary, "curl -V" gives this:

curl 7.14.0 (i686-pc-linux-gnu) libcurl/7.14.0 GnuTLS/1.2.3 zlib/1.2.3 libidn/0.5.15
Protocols: ftp gopher telnet dict ldap http file https ftps
Features: IDN IPv6 Largefile SSL libz

When I try this command line:

curl -v https://gmail.google.com/mail

I get this:

* About to connect() to gmail.google.com port 443
* Trying 64.233.163.106... connected
* Connected to gmail.google.com (64.233.163.106) port 443
* server certificate verification failed. CAfile: /usr/share/curl/curl-ca-bundle.crt
* Closing connection #0
curl: (60) server certificate verification failed. CAfile: /usr/share/curl/curl-ca-bundle.crt
[snip...]

so I added the -k switch and got this:

* About to connect() to gmail.google.com port 443
* Trying 64.233.163.107... connected
* Connected to gmail.google.com (64.233.163.107) port 443
* server certificate verification FAILED
* common name: gmail.google.com (matched)
* certificate public key: RSA
* certificate version: #3
* subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=gmail.google.com
* start date: Tue, 07 Jun 2005 22:12:57 GMT
* expire date: Wed, 07 Jun 2006 22:12:57 GMT
* issuer: C=ZA,O=Thawte Consulting (Pty) Ltd.,CN=Thawte SGC CA
* compression: NULL
* cipher: AES 256 CBC
* MAC: SHA
> GET /mail HTTP/1.1
[snip...]

Repeating the exact same compilation with openssl instead of gnutls gives me
this:

* About to connect() to gmail.google.com port 443
* Trying 64.233.163.107... connected
* Connected to gmail.google.com (64.233.163.107) port 443
* successfully set certificate verify locations:
* CAfile: /usr/share/curl/curl-ca-bundle.crt
CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using AES256-SHA
* Server certificate:
* subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=gmail.google.com
* start date: 2005-06-07 22:12:57 GMT
* expire date: 2006-06-07 22:12:57 GMT
* common name: gmail.google.com (matched)
* issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
* SSL certificate verify ok.
> GET /mail HTTP/1.1
[snip...]

The only difference between the configure runs is:

--without-gnutls --with-ssl=/usr
and
--without-ssl --with-gnutls=/usr

I'm happy to accept that there may be a problem with the curl ebuild, but I
thought I'd come to the fount of all curl wisdom and get the official word
before filing a Gentoo bug report... Is something missing from the
configure, or is this a known problem fixed in 7.14.1, or just simply a
problem with gnutls??

Ralph Mitchell
Received on 2005-08-19
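The three traces above differ in wording between the GnuTLS and OpenSSL backends, and the middle one shows what a verification failure that was waved through with -k looks like: "verification FAILED" followed by a request going out anyway. The following is an added example, not code from the post or from the curl project: a small parser that reduces a curl -v trace to the facts an audit of TLS verification cares about (which backend, whether the peer certificate verified, which CA file was consulted, subject and issuer CN, and whether a request was sent despite a failure). The sample traces are constructed from the runs quoted in the post, with the mail client's line wrapping removed; the backend fingerprints rely on the 7.14-era output formats shown in the post and are an assumption for other curl versions.

```python
import re

# Constructed sample traces, modelled on the three "curl -v" runs quoted in the
# post (line wrapping and mail-client link residue removed).
GNUTLS_STRICT = """\
* About to connect() to gmail.google.com port 443
* Trying 64.233.163.106... connected
* Connected to gmail.google.com (64.233.163.106) port 443
* server certificate verification failed. CAfile: /usr/share/curl/curl-ca-bundle.crt
* Closing connection #0
curl: (60) server certificate verification failed. CAfile: /usr/share/curl/curl-ca-bundle.crt
"""

GNUTLS_INSECURE = """\
* Connected to gmail.google.com (64.233.163.107) port 443
* server certificate verification FAILED
* common name: gmail.google.com (matched)
* certificate public key: RSA
* certificate version: #3
* subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=gmail.google.com
* issuer: C=ZA,O=Thawte Consulting (Pty) Ltd.,CN=Thawte SGC CA
* cipher: AES 256 CBC
* MAC: SHA
> GET /mail HTTP/1.1
"""

OPENSSL_OK = """\
* Connected to gmail.google.com (64.233.163.107) port 443
* successfully set certificate verify locations:
* CAfile: /usr/share/curl/curl-ca-bundle.crt
CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSL connection using AES256-SHA
* Server certificate:
* subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=gmail.google.com
* issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
* SSL certificate verify ok.
> GET /mail HTTP/1.1
"""


def _cn(dn):
    """Pull the CN out of either DN style: 'C=ZA,O=...,CN=x' or '/C=ZA/O=.../CN=x'."""
    m = re.search(r"CN=([^,/]+)", dn)
    return m.group(1).strip() if m else None


def parse_curl_trace(trace):
    """Reduce a curl -v trace to the facts that matter for a TLS verification audit."""
    r = {"backend": None, "verified": None, "cafile": None, "subject_cn": None,
         "issuer_cn": None, "request_sent": False, "exit_code": None}
    for raw in trace.splitlines():
        line = raw.strip()
        body = line[2:] if line.startswith("* ") else line
        # Backend fingerprint (assumed from the 7.14-era output in the post):
        # OpenSSL prints SSLv*/verify-locations lines, GnuTLS prints
        # "certificate version" and "MAC:" lines.
        if body.startswith(("SSLv", "successfully set certificate verify locations")):
            r["backend"] = "OpenSSL"
        elif body.startswith(("certificate version", "MAC:")):
            r["backend"] = "GnuTLS"
        # Verification outcome, in either backend's wording ("failed"/"FAILED").
        if body.startswith("SSL certificate verify ok"):
            r["verified"] = True
        elif "certificate verification failed" in body.lower():
            r["verified"] = False
        m = re.search(r"CAfile:\s*(\S+)", body)
        if m:
            r["cafile"] = m.group(1)
        m = re.match(r"subject:\s*(.+)", body)
        if m:
            r["subject_cn"] = _cn(m.group(1))
        m = re.match(r"issuer:\s*(.+)", body)
        if m:
            r["issuer_cn"] = _cn(m.group(1))
        if line.startswith("> "):  # an HTTP request went out over this connection
            r["request_sent"] = True
        m = re.match(r"curl: \((\d+)\)", line)
        if m:
            r["exit_code"] = int(m.group(1))
    return r


def verification_bypassed(parsed):
    """True when verification failed yet a request was still sent: the -k pattern."""
    return parsed["verified"] is False and parsed["request_sent"]


if __name__ == "__main__":
    for name, trace in (("gnutls strict", GNUTLS_STRICT),
                        ("gnutls -k", GNUTLS_INSECURE),
                        ("openssl", OPENSSL_OK)):
        p = parse_curl_trace(trace)
        print(f"{name:14} backend={p['backend']} verified={p['verified']} "
              f"bypassed={verification_bypassed(p)} issuer={p['issuer_cn']}")
```

Run over the three traces, the parser reports the strict GnuTLS run as failed with exit code 60 and no request sent, the -k run as failed but bypassed, and the OpenSSL run as verified. The useful property for a defender is the bypass flag: a scheduled job whose trace shows "verification FAILED" followed by "> GET" has silently lost the protection the CA bundle was supposed to provide, which is exactly the state the -k workaround in the post leaves you in.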