
Re: ssl peer validation not working

From: Bill Shupp <hostmaster_at_shupp.org>
Date: Mon, 30 Nov 2009 14:58:54 -0800

On Nov 30, 2009, at 1:44 PM, Daniel Stenberg wrote:

> On Mon, 30 Nov 2009, Bill Shupp wrote:
>
>> It's part of an OpenID suite of tests, and has a revoked cert. wget does detect the revoked cert and prevents you from connecting without disabling verification via an option. But curl says it's verified.
>>
>> I've tried pointing curl's CAPATH to use /etc/ssl/certs (openssl ca bundles), but it still fails. I've also downloaded curl's latest bundle pem file, and pointed the request to that, but it still thinks it's verified.
>>
>> Any thoughts?
>
> I'm far from an SSL wizard, but I thought revoked certs were provided in a CRL that isn't immediately available when a client connects to a peer.
>
> How does wget figure out the cert is revoked without any special CRL treatment?
>
> BTW, is that a wget built to use OpenSSL or GnuTLS?

It looks like OpenSSL, as the required shared library is libssl. Also, I just re-checked, and wget on Linux (Debian lenny distro) DOES accept the certificate. On OS X, however, it properly rejects the certificate. I thought I had checked my Linux build, but I was mistaken. wget on Debian has the same dependency on OpenSSL.

What's interesting is that on my laptop I'm running MacPorts. I've built both curl and wget, and wget rejects the revoked certificate, but curl does not.

Here are some details on the libraries:

bill$ otool -L /opt/local/bin/wget
/opt/local/bin/wget:
        /opt/local/lib/libiconv.2.dylib (compatibility version 8.0.0, current version 8.0.0)
        /opt/local/lib/libintl.8.dylib (compatibility version 9.0.0, current version 9.2.0)
        /opt/local/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
        /opt/local/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
        /opt/local/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.3)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.0.0)
        /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 550.13.0)
        /opt/local/lib/libidn.11.dylib (compatibility version 17.0.0, current version 17.44.0)
bill$ otool -L /opt/local/bin/curl
/opt/local/bin/curl:
        /opt/local/lib/libcurl.4.dylib (compatibility version 6.0.0, current version 6.1.0)
        /opt/local/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
        /opt/local/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
        /opt/local/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.3)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 124.1.1)

Thanks,

Bill Shupp
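Daniel's point above is the crux: a CA bundle lets a client check the chain, but a revocation only shows up if the client also has the CA's CRL and is told to consult it. The script below is an added illustration, not code from this thread or from the curl project: it builds a throwaway CA with the openssl command-line tool, issues and then revokes a leaf certificate, and shows that plain chain verification still accepts the revoked certificate while a CRL-aware check rejects it. It assumes a working `openssl` binary; all keys, names and serials are constructed on the spot.

```shell
#!/bin/sh
# Constructed demo: throwaway CA, a leaf cert the CA revokes, and the CRL.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA and a leaf certificate signed by it (nothing here is real)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Demo CA" -days 30 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=revoked.example" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out leaf.crt -days 30 >/dev/null 2>&1

# Minimal config so `openssl ca` can record the revocation and emit a CRL
touch index.txt
echo 01 > crlnumber
cat > ca.cnf <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
EOF
openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
  -revoke leaf.crt >/dev/null 2>&1
openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
  -gencrl -out ca.crl >/dev/null 2>&1

# What a client with only a CA bundle does: chain check, no revocation data.
# Exit status 0 means "accepted".
verify_chain_only() {
  openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1
}

# Same chain, but the CRL is supplied and revocation checking is switched on.
# Non-zero exit status: the leaf is listed in the CRL.
verify_with_crl() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt \
    >/dev/null 2>&1
}

if verify_chain_only; then echo "chain only: accepted (revocation invisible)"; fi
if verify_with_crl; then echo "with CRL: accepted"; else echo "with CRL: rejected (revoked)"; fi
```

The same distinction applies to any TLS client: a bundle of CA certificates alone cannot reveal a revocation, so "verified" from curl here only means the chain checked out.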
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2009-12-01