curl-library

Trouble with SSL cert validation

From: Joshua Kwan <jkwan_at_vmware.com>
Date: Tue, 22 Sep 2009 11:49:06 -0700

Hey all,

I'm having trouble using cURL to successfully validate a certificate chain when connecting to an HTTPS server with the following certificate hierarchy:

Entrust.net Secure Server Certification Authority -> DigiCert Global CA -> *.ourdomain.com certificate

cURL is linked with OpenSSL, and when I try to connect to it, I get

Sep 22 11:34:48: DEBUG: cURL debug: About to connect() to foo.ourdomain.com port 443 (#0)
Sep 22 11:34:48: DEBUG: cURL debug: Trying 10.114.24.145...
Sep 22 11:34:48: DEBUG: cURL debug: connected
Sep 22 11:34:48: DEBUG: cURL debug: Connected to foo.ourdomain.com (10.114.24.145) port 443 (#0)
Sep 22 11:34:48: DEBUG: cURL debug: successfully set certificate verify locations:
Sep 22 11:34:48: DEBUG: cURL debug: CAfile: mozilla-root-certs.crt
  CApath: none
Sep 22 11:34:48: DEBUG: cURL debug: WARNING: failed to configure server name indication (SNI) TLS extension
Sep 22 11:34:48: DEBUG: cURL debug: SSLv3, TLS handshake, Client hello (1):
Sep 22 11:34:48: DEBUG: cURL debug: Data sent, 81 bytes
Sep 22 11:34:48: DEBUG: cURL debug: SSLv3, TLS handshake, Server hello (2):
Sep 22 11:34:48: DEBUG: cURL debug: Data received, 74 bytes
Sep 22 11:34:48: DEBUG: cURL debug: SSLv3, TLS handshake, CERT (11):
Sep 22 11:34:48: DEBUG: cURL debug: Data received, 2974 bytes
Sep 22 11:34:48: DEBUG: cURL debug: SSLv3, TLS alert, Server hello (2):
Sep 22 11:34:48: DEBUG: cURL debug: Data sent, 2 bytes
Sep 22 11:34:48: DEBUG: cURL debug: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sep 22 11:34:48: DEBUG: cURL debug: Expire cleared
Sep 22 11:34:48: DEBUG: cURL debug: Closing connection #0
Sep 22 11:34:48: INFO: cURL error: Peer certificate cannot be authenticated with known CA certificates (60)

On the other hand, this works properly:

$ openssl s_client -connect foo.ourdomain.com:443 -showcerts -CAfile mozilla-root-certs.crt

And my understanding is that it does a strict verification test as well, and that outputs:

    Verify return code: 0 (ok)

The HTTPS server is sending the whole certificate chain, minus the root certificate, which to my understanding is correct.

So what is cURL doing differently from openssl's s_client? I've tried forcing different SSL versions as well, no soap.

-Josh
Received on 2009-09-22
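The difference the mail is asking about comes down to which links of a served chain OpenSSL can anchor in the CAfile it was given. The script below is an added illustration, not part of the original message and not curl's or OpenSSL's own code: it builds a throwaway root -> intermediate -> leaf chain of the same shape as the one in the mail and runs `openssl verify` against it in three configurations. It assumes only a working `openssl` binary; the names Demo Root CA, Demo Intermediate CA and foo.ourdomain.test and all file names are made up for the demo. Pointing `verify_chain` at the PEM blocks a real server sends (the certificates `openssl s_client -showcerts` prints, saved to files) shows whether a failure is a missing intermediate, a root absent from the bundle, or a bundle that only holds a non-self-signed CA.

```shell
#!/bin/sh
# Added example, not code from the original mail. Builds a throwaway
# root -> intermediate -> leaf chain (same shape as
# Entrust root -> DigiCert CA -> *.ourdomain.com) and runs "openssl verify"
# the way an OpenSSL client verifies a peer: the leaf must chain up to a
# certificate in the CAfile, using only the intermediates it was handed.
# All subject names and file names below are made up for the demo.
set -eu

# make_chain DIR: write root.pem, int.pem and leaf.pem (plus keys) into DIR.
make_chain() {
  d=$1
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:foo.ourdomain.test\n' >"$d/leaf.ext"

  # Self-signed root: what a trust store such as a Mozilla root bundle holds.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" \
    -out "$d/root.csr" -subj "/CN=Demo Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -sha256 \
    -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1

  # Intermediate issued by the root. A server is expected to send this one.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" \
    -out "$d/int.csr" -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$d/ca.ext" \
    -out "$d/int.pem" >/dev/null 2>&1

  # Leaf (server) certificate issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
    -out "$d/leaf.csr" -subj "/CN=foo.ourdomain.test" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$d/leaf.ext" \
    -out "$d/leaf.pem" >/dev/null 2>&1
}

# verify_chain CAFILE UNTRUSTED LEAF: prints "ok" when LEAF chains to a
# certificate in CAFILE, otherwise the first "error N at D depth lookup: ..."
# line OpenSSL reports. UNTRUSTED may be empty; it plays the role of the
# intermediates a server sends in its Certificate message (the extra PEM
# blocks that "openssl s_client -showcerts" prints after the leaf).
verify_chain() {
  cafile=$1; untrusted=$2; leaf=$3
  if [ -n "$untrusted" ]; then
    set -- -CAfile "$cafile" -untrusted "$untrusted" "$leaf"
  else
    set -- -CAfile "$cafile" "$leaf"
  fi
  if out=$(openssl verify "$@" 2>&1); then
    echo ok
  else
    # e.g. "error 20 at 0 depth lookup: unable to get local issuer certificate"
    printf '%s\n' "$out" | sed -n '/error/{p;q;}'
  fi
}

# Stand-alone demo: one line per scenario.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_chain "$work"
  # 1. Trust store = root, only the leaf available: no local issuer for the
  #    leaf, the situation curl reports as "Peer certificate cannot be
  #    authenticated with known CA certificates".
  printf 'root only, no intermediate:  %s\n' \
    "$(verify_chain "$work/root.pem" "" "$work/leaf.pem")"
  # 2. Trust store = root, intermediate supplied: the normal HTTPS case,
  #    where the server sends the chain minus the root.
  printf 'root + intermediate:         %s\n' \
    "$(verify_chain "$work/root.pem" "$work/int.pem" "$work/leaf.pem")"
  # 3. Trust store holds only the intermediate: by default OpenSSL still
  #    wants to reach a self-signed anchor (see -partial_chain).
  printf 'intermediate as only anchor: %s\n' \
    "$(verify_chain "$work/int.pem" "" "$work/leaf.pem")"
  rm -rf "$work"
fi
```

To apply this to a real server, save each `-----BEGIN CERTIFICATE-----` block from `openssl s_client -showcerts` to its own file, pass the leaf as LEAF, concatenate the remaining served certificates into one file as UNTRUSTED, and use the same CAfile the client is configured with; the depth in the error line tells you which link the bundle could not anchor.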