curl-library

Re: Problem in creating SSL connection using libcurl

From: Corcoran, Jason <jcorcoran_at_informatica.com>
Date: Thu, 28 Jan 2010 06:01:29 -0800

I have found that when you are setting the location of the ca cert,
you should give it the full path name and not just the relative one.

Jason

On Jan 28, 2010, at 3:34 AM, "Vinay Jindal" <vinay.jindal_at_aricent.com>
wrote:

> Hi,
>
> I have created a test HTTPS client using libcurl for creating a SSL
> connection with HTTPS server. The source code is given below:
>
> #include <stdio.h>
> #include <curl/curl.h>
>
> int main(void)
> {
>   CURL *curl;
>   CURLcode res;
>   long errorCode = 0;   /* CURLINFO_SSL_VERIFYRESULT stores a long */
>   char error[CURL_ERROR_SIZE];
>
>   curl_global_init(CURL_GLOBAL_ALL);
>
>   curl = curl_easy_init();
>   if(curl) {
>     /* these options take long arguments */
>     curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
>     /* 2 = the certificate name must match the host in the URL */
>     curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
>     curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
>     curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, error);
>
>     curl_easy_setopt(curl, CURLOPT_CAINFO, "./ca.cert");
>
>     curl_easy_setopt(curl, CURLOPT_URL, "https://172.16.105.172:9001/");
>
>     res = curl_easy_perform(curl);
>
>     if (res != CURLE_OK)
>     {
>       printf("\nVne::res = %d", (int)res);
>       curl_easy_getinfo(curl, CURLINFO_SSL_VERIFYRESULT, &errorCode);
>
>       printf("\nVne::errorCode=%ld\n", errorCode);
>       printf("\nVne::error=%s\n", error);
>     }
>
>     curl_easy_cleanup(curl);
>   }
>
>   curl_global_cleanup();
>   return 0;
> }
>
>
> The file ‘ca.cert’ contains the certificate of CA (sample CA
> setup by me). The ssl server at 172.16.105.172:9001 is provided with
> certificate signed by sample CA. But when it tries to create the ss
> l connection to server, if fails with following error:
>
> * About to connect() to 172.16.105.172 port 9001
> * Trying 172.16.105.172... * connected
> * Connected to 172.16.105.172 (172.16.105.172) port 9001
> * successfully set certificate verify locations:
> * CAfile: ./trustAnchor
> CApath: none
> * SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
> * Closing connection #0
>
> Vne::res = 60
> Vne::errorCode=0
>
> Vne::error=SSL certificate problem, verify that the CA cert is OK.
> Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
>
>
>
> When I disable the SSL_VERIFYPEER option, then the connection gets
> established but with the following warning:
>
> * About to connect() to 172.16.105.172 port 9001
> * Trying 172.16.105.172... * connected
> * Connected to 172.16.105.172 (172.16.105.172) port 9001
> * successfully set certificate verify locations:
> * CAfile: ./trustAnchor
> CApath: none
> * SSL connection using AES256-SHA
> * Server certificate:
> * subject: /C=IN/ST=GGN/O=Aricent/OU=PRD/CN=172.16.105.172/
> emailAddress=vinay.jindal_at_gmail.com
> * start date: 2010-01-28 04:52:36 GMT
> * expire date: 2011-01-28 04:52:36 GMT
> * common name: 172.16.105.172 (matched)
> * issuer: /C=IN/ST=GGN/L=GGN/O=Aricent/OU=PRD/CN=VNE Root Certificate/emailAddress=vinay.jindal_at_gmail.com
> * SSL certificate verify result: error number 1 (9), continuing
> anyway.
>
> Where can I get more information about the returned error number 1
> and (9)? And why is it not working with VERIFYPEER enabled? Is
> there some problem with the certificates that I am using?
>
> One more observation that I have is: when I run this HTTPS client
> code on the same machine as the SSL server, the connection gets
> established successfully.
>
> Any help is greatly appreciated. Thanks in Advance.
>
> Regards,
> Vinay
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2010-01-28
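
The advice in the reply above (give CURLOPT_CAINFO a full path), as an added example that is not part of the original thread or of libcurl: a relative name such as "./ca.cert" is resolved against the process's current working directory, so the hypothetical helper ca_bundle_path() below builds the absolute path and checks that the file is a regular file containing a PEM certificate before it is handed to libcurl. The helper name, its return codes and the default file name in main() are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not a libcurl API): turn a CA file name into an
 * absolute path and check it is a regular file with a PEM certificate.
 * Returns 0 ok, -1 missing or not a regular file, -2 no PEM certificate,
 * -3 the absolute path could not be built or does not fit in out. */
int ca_bundle_path(const char *name, char *out, size_t outlen)
{
    char line[256];
    struct stat st;
    FILE *fp;
    int found = 0;

    if (name[0] == '/') {
        if (snprintf(out, outlen, "%s", name) >= (int)outlen)
            return -3;
    } else {
        char cwd[4096];
        if (!getcwd(cwd, sizeof(cwd)))
            return -3;
        if (strncmp(name, "./", 2) == 0)
            name += 2;                      /* "./ca.cert" -> "ca.cert" */
        if (snprintf(out, outlen, "%s/%s", cwd, name) >= (int)outlen)
            return -3;
    }
    if (stat(out, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    fp = fopen(out, "r");
    if (!fp)
        return -1;
    while (!found && fgets(line, sizeof(line), fp))
        found = strstr(line, "-----BEGIN CERTIFICATE-----") != NULL;
    fclose(fp);
    return found ? 0 : -2;
}

int main(int argc, char **argv)
{
    char path[4096];
    int rc = ca_bundle_path(argc > 1 ? argv[1] : "./ca.cert", path, sizeof(path));
    if (rc == 0)   /* pass 'path' to curl_easy_setopt(curl, CURLOPT_CAINFO, path) */
        printf("CA file: %s\n", path);
    else
        fprintf(stderr, "CA file unusable (code %d)\n", rc);
    return rc ? 1 : 0;
}
```

Calling the helper once at start-up, before any chdir(), pins the trust anchor to the file the operator intended.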