
curl-library

VERIFYPEER, -k, --insecure, etc.

From: Ryan Graciano <rmgraci_at_gmail.com>
Date: Wed, 17 Sep 2008 00:35:07 -0500

I'm having an issue with both curl the command line tool AND the curl
PHP binding, which leads me to believe that I have a problem that is
common to the curl library code. I've posted in both of those mailing
lists but haven't received any help, so I'm hoping that some curl lib
hackers can help me out.

Here's my issue, told from the command line tool perspective -

I installed the curl binaries (7.19.0) and recent OpenSSL (0.9.8h) so
I could cut the PHP binding out of the equation and find the root of
this problem. Here's what I did -

curl -E <my_pem_file> -k -v --url <my_url>

...and here's what curl output:

* About to connect() to <host>
* Trying <ip>... connected
* Connected to <host> (<ip>) port <port> (#0)
* SSL: couldn't set callback!
Enter PEM pass phrase:
* error setting certificate verify locations, continuing anyway:
* CAfile: /etc/ssl/certs/ca-certificates.crt
 CApath: none
* error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
* Closing connection #0
curl: (35) error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

I get that "tlsv1 alert unknown ca" means it can't validate the CA,
but I'm passing -k (aka --insecure) to curl. I've tried the exact
same thing in PHP, setting VERIFYPEER to false and VERIFYHOST to
false, and I've received the exact same error from the PHP binding.
Shouldn't they both be skipping the code that validates the CA if I'm
specifically requesting to not validate it? What situation could
cause this error with those parameters?

I've also tried this with the --cacert parameter, which I just added
for good measure while troubleshooting. I got a message that said it
successfully set the certificate verify location, but then received
the same error. This is causing me a lot of trouble because I'm not
the one signing the certificates; I have to interoperate with one of
our partners' test environments. I'm able to use their production
environment, which is ostensibly done the same way except it's signed
with a valid CA, with no trouble at all.

Thanks,
-Ryan
Received on 2008-09-17
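Added here as an example (not part of Ryan's post or curl's own code): decoding the packed OpenSSL error code that curl printed, to tell apart a TLS alert sent by the remote peer from a verification failure raised by the local OpenSSL, which is the only kind that -k / VERIFYPEER=false turns off. The OpenSSL 0.9.8/1.x layout matches the code on the page; the OpenSSL 3.x branch is assumed from that version's ERR_PACK definition, and the sample lines are constructed.

```python
import re

# TLS alert descriptions (RFC 5246 section 7.2); the subset that matters for
# certificate problems during the handshake.
TLS_ALERTS = {
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 51: "decrypt_error", 70: "protocol_version",
}
ERR_LIB_SSL = 20                       # OpenSSL's library id for libssl
SSL_R_CERTIFICATE_VERIFY_FAILED = 134  # 0x086: raised by the *local* verifier


def decode_openssl_error(text):
    """Describe the first 'error:XXXXXXXX' code found in text."""
    m = re.search(r"error:([0-9A-Fa-f]{8})", text)
    if not m:
        raise ValueError("no OpenSSL error code in input")
    code = int(m.group(1), 16)
    if code >> 24 == ERR_LIB_SSL:             # 0.9.8/1.x packing: LL FFF RRR
        func, reason = (code >> 12) & 0xFFF, code & 0xFFF
    elif (code >> 23) & 0xFF == ERR_LIB_SSL:  # 3.x packing (assumed): lib at bit 23, no func
        func, reason = 0, code & 0x7FFFFF
    else:
        return {"code": m.group(1), "origin": "not libssl", "skippable_with_k": False}
    info = {"code": m.group(1), "func": func, "reason": reason}
    if reason >= 1000:
        # SSL_R_*_ALERT_* reasons are 1000 + the alert number the *peer* sent:
        # the remote side rejected something we presented (here: the client
        # certificate), so disabling our own verification cannot clear it.
        alert = reason - 1000
        info.update(origin="peer alert", alert=alert,
                    alert_name=TLS_ALERTS.get(alert, "unknown"),
                    skippable_with_k=False)
    elif reason == SSL_R_CERTIFICATE_VERIFY_FAILED:
        # Our verifier rejected the server's chain: -k / VERIFYPEER=0 skips this.
        info.update(origin="local verify", skippable_with_k=True)
    else:
        info.update(origin="local", skippable_with_k=False)
    return info


def first_ssl_error(curl_verbose_output):
    """Scan curl -v output for the first OpenSSL error line and decode it."""
    for line in curl_verbose_output.splitlines():
        if "error:" in line:
            return decode_openssl_error(line)
    return None


# Constructed samples: the line from the post, and a local-verification failure.
SAMPLE_PEER = "* error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca"
SAMPLE_LOCAL = "curl: (60) error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
```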