
Re: Unknown SSL protocol error in connection

From: <Jeff_Curley_at_playstation.sony.com>
Date: Mon, 24 Nov 2008 18:13:03 -0800

BTW, you are totally right: I didn't need any certificate at all since I am
using the -k command-line option.

Your email is incredibly helpful and makes me think I should have asked
that question a week ago; your reply would have saved me quite a bit of
time. ;)

--Jeff Curley
Sony Computer Entertainment America
Senior Programmer
(858) 824-5692

From: Brian Dessent <brian_at_dessent.net>
Sent by: curl-library-bounces_at_cool.haxx.se
To: libcurl development <curl-library_at_cool.haxx.se>
Date: 11/24/2008 05:41 PM
Subject: Re: Unknown SSL protocol error in connection
Please respond to: libcurl development <curl-library_at_cool.haxx.se>

Jeff_Curley_at_playstation.sony.com wrote:

> --trace-ascii -k --cacert /app_home/mycert.pem --url
> https://www.fortify.net/sslcheck.html
> [...]
> == Info: SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> [...]
> so exactly what do I need to do to test this? This is definitely something
> I'll have to post at the OpenSSL forums, but I was hoping (with my
> ignorance of SSL) someone might be able to give me some pointers without me
> having to post to the OpenSSL people asking something completely ignorant.

I think you are misunderstanding what is being verified. The thing that
you pass with --cacert should be a bundle of CA certificates to verify
the remote site. Thus, www.fortify.net presents your end with its
certificate and libcurl uses the thing provided by --cacert to verify
that www.fortify.net is who they say they are according to some
well-known certificate authority (CA) who signed their cert. If you
don't have that well-known authority's certificate (in this case
Godaddy) in your CA bundle, then you can't verify that www.fortify.net
is who they say they are.

It seems like you have generated a self-signed certificate and passed
that as --cacert. That doesn't make any sense. A self-signed
certificate can do nothing to verify the certificate that
www.fortify.net is presenting, which is all that curl is trying to do.
(Also, passing -k and --cacert both at the same time makes no sense
either; they are saying opposite things.)

What is it exactly that you are trying to achieve?

Do you want to access public https: sites and verify their certificates
to know with certainty that they are who they say they are? Then you
need to use a bundle containing root certs of all the well-known and
trusted public CAs, such as what comes with your browser (or from
<http://curl.haxx.se/docs/caextract.html>).

Do you want to set up your own https: site, with a fake snake oil
self-signed cert for testing? In that case, you need to generate your
own snake oil CA, then generate and sign your server's cert with that
CA's cert, then install the resulting cert on the server, and then hit
that server's https: url with curl, passing your CA's cert to curl with
--cacert so it can use it to verify the cert that your server presents.
The commands to do all these things are a little complicated but they're
all covered in the openssl documentation.

Brian
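Both of Brian's recommendations (a bundle of public CA roots for public sites, your own CA for a test server) come down to the same chain check, so here is the second one worked through as an added example; it is not code from the thread or from the curl project. The POSIX shell script below creates a snake oil CA, signs a server cert with it, and then runs OpenSSL's chain verification once against the CA bundle and once against an unrelated self-signed cert, which is the situation the original --cacert /app_home/mycert.pem command was in. The `openssl` subcommands and options are real; the file names, subjects, temporary directory and helper function names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: builds the "snake oil CA" setup
# Brian describes (private CA, server cert signed by it) and checks which
# --cacert-style bundle verifies the server cert. Assumes an openssl binary
# on PATH; every file name, subject and the WORK directory are made up here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: a private CA. The config is passed explicitly so the result does not
# depend on the system openssl.cnf; CA:TRUE is what lets it sign other certs.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Demo Snake Oil CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Step 2: the server's key and CSR, then a cert signed by the CA. This pair
# (server.pem + server.key) is what the https server would be configured with.
make_server_cert() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = localhost\n' \
    > "$WORK/server.cnf"
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:localhost\n' \
    > "$WORK/server.ext"
  openssl req -new -config "$WORK/server.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -extfile "$WORK/server.ext" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null
}

# Step 3: the situation in the thread, a self-signed cert that has nothing to
# do with the chain the server presents.
make_unrelated_selfsigned() {
  openssl req -x509 -config "$WORK/server.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/mycert.key" -out "$WORK/mycert.pem" 2>/dev/null
}

# verify_with BUNDLE CERT: the same chain check libcurl performs with
# --cacert BUNDLE. The system trust store is disabled so only BUNDLE counts.
verify_with() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "OK   : $(basename "$2") chains to $(basename "$1")"
    return 0
  fi
  echo "FAIL : $(basename "$2") does not chain to $(basename "$1")"
  return 1
}

# Runs the whole procedure. Returns 0 only when the outcomes match Brian's
# explanation: the CA bundle verifies server.pem, the unrelated cert cannot.
demo() {
  make_ca && make_server_cert && make_unrelated_selfsigned || return 1
  verify_with "$WORK/ca.pem" "$WORK/server.pem" || return 1
  if verify_with "$WORK/mycert.pem" "$WORK/server.pem"; then
    return 1   # would mean a random self-signed cert "verifies" the server
  fi
  return 0
}

if command -v openssl >/dev/null 2>&1; then
  demo && echo "Files are in $WORK; point a test server at server.pem/server.key"
else
  echo "openssl not found on PATH; nothing to demonstrate" >&2
fi
```

Running it prints one OK line and one FAIL line. The FAIL is the shell-level counterpart of the "certificate verify failed" trace in the thread: the server's cert was signed by "Demo Snake Oil CA", so a bundle holding only some other self-signed cert has no issuer to chain it to. To see the same thing through curl (assumed commands, not run here), serve the pair with `openssl s_server -accept 4443 -cert "$WORK/server.pem" -key "$WORK/server.key" -www` and compare `curl --cacert "$WORK/ca.pem" https://localhost:4443/` with `curl --cacert "$WORK/mycert.pem" https://localhost:4443/`; adding -k makes both succeed because it turns the check off, which is why -k and --cacert together say opposite things.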
Received on 2008-11-25