
curl-users

Re: Client certificate authentication

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 8 Jun 2018 14:18:02 +0200 (CEST)

On Fri, 8 Jun 2018, Massimo B. wrote:

Let me preface my response here by saying we're talking about curl built with
the OpenSSL backend here.

> Using curl I got that done by adding --cacert. However man curl, --cacert
> <file> is unclear about that:
>
> "(TLS) Tells curl to use the specified certificate file to verify the peer."
> or even wrong, as this cert is added to the client cert at TLS handshake.
>
> As far as I understand this is only used to validate the server cert on
> client site.

The file name passed in with --cacert is set to the OpenSSL function
SSL_CTX_load_verify_locations, and unfortunately the documentation for this
function is very sparse on details on what it does when a client certificate
is used:
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_load_verify_locations.html

> In curl I got it also solved without --cacert when merging both certs into
> one .pem file and using that as --cert.

I think that feels like the correct way to do it. I think we should consider
amending the --cert documentation to mention the case with intermediate
certs.

> I would propose to adapt the handling about --cacert and/or adapt the
> documentation about it.

Can you please suggest wording for our docs that you think would clarify and
help the next user who falls into the same problem as you did here?

> So I would propose to change --cacert to this behaviour and add some
> --certchain to explicitly add more certificates of the trust chain.

But why?

-- 
  / daniel.haxx.se
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2018-06-08
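The approach Daniel endorses above, keeping the intermediate with the client certificate rather than in --cacert, as an added example that is not part of the thread or of the curl project: a small POSIX shell script that assembles the file handed to --cert (leaf first, then intermediates, the order OpenSSL sends them), refuses to let a private key or a whole bundle end up in that file, and prints the resulting curl command. File names and the placeholder PEM bodies are constructed for the demo and are not real certificates.

```shell
#!/bin/sh
# Added example, not code from the curl project or this thread. Builds the
# file to pass to curl's --cert when the client certificate was issued by an
# intermediate CA: the leaf certificate first, then the intermediate(s).
# The private key stays out of the chain file and goes to --key; the CA
# bundle that verifies the *server* is a separate file passed to --cacert.
# File names are assumptions for the demo; the PEM bodies are constructed
# placeholders, not real certificates.
set -eu

# Number of PEM certificate blocks in a file; needs only grep, not openssl.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# build_client_chain OUT LEAF [INTERMEDIATE...]
# Concatenates LEAF and the intermediates into OUT. Rejects any input that
# holds a private key or not exactly one certificate, so a key cannot slip
# into a chain file and a CA bundle cannot be mistaken for the leaf.
build_client_chain() {
    out=$1; shift
    [ $# -ge 1 ] || { echo "need at least the leaf certificate" >&2; return 1; }
    : > "$out"
    for f in "$@"; do
        if grep -q 'PRIVATE KEY-----' "$f"; then
            echo "refusing $f: contains a private key" >&2; return 1
        fi
        if [ "$(pem_cert_count "$f")" -ne 1 ]; then
            echo "refusing $f: expected exactly one certificate" >&2; return 1
        fi
        cat "$f" >> "$out"
    done
}

# The curl invocation that follows: chain + key for client authentication,
# CA bundle only for verifying the server. Printed rather than run so the
# example works offline.
curl_client_auth_cmd() {
    url=$1 chain=$2 key=$3 cabundle=$4
    printf 'curl --cert %s --key %s --cacert %s %s\n' "$chain" "$key" "$cabundle" "$url"
}

# --- demo with constructed placeholder files ---
workdir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-LEAF-PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$workdir/client.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-INTERMEDIATE-PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$workdir/intermediate.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY-PLACEHOLDER' \
    '-----END PRIVATE KEY-----' > "$workdir/client.key"

build_client_chain "$workdir/client-chain.pem" "$workdir/client.crt" "$workdir/intermediate.crt"
echo "chain file holds $(pem_cert_count "$workdir/client-chain.pem") certificates"
curl_client_auth_cmd https://example.invalid/ "$workdir/client-chain.pem" \
    "$workdir/client.key" /etc/ssl/certs/ca-certificates.crt
```

With real files, `openssl crl2pkcs7 -nocrl -certfile client-chain.pem | openssl pkcs7 -print_certs -noout` lists the subjects in the order the chain file presents them, which is a quick way to confirm the leaf comes first before trying the connection.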