cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Problem in creating SSL connection using libcurl

From: Corcoran, Jason <jcorcoran_at_informatica.com>
Date: Thu, 28 Jan 2010 20:37:10 -0800

The path should have the cert file name on it. Is trustAnchor a file
or directory?

Jason

On Jan 28, 2010, at 8:30 PM, "Vinay Jindal" <vinay.jindal_at_aricent.com>
wrote:

> Hi Jason,
> Thanks for responding but the problem is still same even after using
> absolute path:
>
> * About to connect() to 172.16.105.172 port 9001
> * Trying 172.16.105.172... * connected
> * Connected to 172.16.105.172 (172.16.105.172) port 9001
> * successfully set certificate verify locations:
> * CAfile: /user/gur10724/alu/scripts/curl/trustAnchor
> CApath: none
> * SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
> * Closing connection #0
>
> Vne::res = 60
> Vne::errorCode=0
>
> Vne::error=SSL certificate problem, verify that the CA cert is OK.
> Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
>
> I am unable to figure out what exactly error 14090086 means for
> libcurl and what part in server’s certificate it fails to verify.
> Surprisingly, this whole thing works when both server and ssl client
> are run on same machine.
>
> Also, is there any way to enable openssl traces using libcurl APIs?
>
> Thanks,
> Vinay
>
> From: curl-library-bounces_at_cool.haxx.se [mailto:curl-library-
> bounces_at_cool.haxx.se] On Behalf Of Corcoran, Jason
> Sent: Thursday, January 28, 2010 7:31 PM
> To: libcurl development
> Cc: curl-library_at_cool.haxx.se
> Subject: Re: Problem in creating SSL connection using libcurl
>
> I have found that when you are setting the location of the ca cert,
> you should give it the full path name and not just the relative one.
>
> Jason
>
> On Jan 28, 2010, at 3:34 AM, "Vinay Jindal"
> <vinay.jindal_at_aricent.com> wrote:
>
>> Hi,
>>
>> I have created a test HTTPS client using libcurl for creating a SSL
>> connection with HTTPS server. The source code is given below:
>>
>> CURL *curl;
>> CURLcode res;
>> unsigned long errorCode = 0;
>> char error[CURL_ERROR_SIZE];
>>
>> curl_global_init(CURL_GLOBAL_ALL);
>>
>> curl = curl_easy_init();
>> if(curl) {
>>
>> curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER , 1);
>> curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST , 1);
>> curl_easy_setopt(curl, CURLOPT_VERBOSE, 1);
>> curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, error);
>>
>>
>> curl_easy_setopt(curl, CURLOPT_CAINFO , "./ca.cert");
>>
>> curl_easy_setopt(curl, CURLOPT_URL, "https://
>> 172.16.105.172:9001/");
>>
>> res = curl_easy_perform(curl);
>>
>> if (res != CURLE_OK)
>> {
>> printf("\nVne::res = %d", res);
>> curl_easy_getinfo(curl,
>> CURLINFO_SSL_VERIFYRESULT,&errorCode);
>>
>> printf("\nVne::errorCode=%d\n",errorCode);
>> printf("\nVne::error=%s\n",error);
>> }
>>
>> curl_easy_cleanup(curl);
>> }
>>
>> curl_global_cleanup();
>>
>>
>> The file ‘ca.cert’ contains the certificate of CA (sample CA
>> setup by me). The ssl server at 172.16.105.172:9001 is provided wi
>> th certificate signed by sample CA. But when it tries to create t
>> he ssl connection to server, if fails with following error:
>>
>> * About to connect() to 172.16.105.172 port 9001
>> * Trying 172.16.105.172... * connected
>> * Connected to 172.16.105.172 (172.16.105.172) port 9001
>> * successfully set certificate verify locations:
>> * CAfile: ./trustAnchor
>> CApath: none
>> * SSL certificate problem, verify that the CA cert is OK. Details:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed
>> * Closing connection #0
>>
>> Vne::res = 60
>> Vne::errorCode=0
>>
>> Vne::error=SSL certificate problem, verify that the CA cert is OK.
>> Details:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed
>>
>>
>>
>> When I disable the SSL_VERIFYPEER option, then the connection gets
>> established but with the following warning:
>>
>> * About to connect() to 172.16.105.172 port 9001
>> * Trying 172.16.105.172... * connected
>> * Connected to 172.16.105.172 (172.16.105.172) port 9001
>> * successfully set certificate verify locations:
>> * CAfile: ./trustAnchor
>> CApath: none
>> * SSL connection using AES256-SHA
>> * Server certificate:
>> * subject: /C=IN/ST=GGN/O=Aricent/OU=PRD/CN=172.16.105.172/
>> emailAddress=vinay.jindal_at_gmail.com
>> * start date: 2010-01-28 04:52:36 GMT
>> * expire date: 2011-01-28 04:52:36 GMT
>> * common name: 172.16.105.172 (matched)
>> * issuer: /C=IN/ST=GGN/L=GGN/O=Aricent/OU=PRD/CN=VNE Root Certificate/emailAddress=vinay.jindal_at_gmail.com
>> * SSL certificate verify result: error number 1 (9), continuing
>> anyway.
>>
>> From where I can get more information about returned error number 1
>> and (9)? And, why it is not working with VERIFYPEER enabled? Is
>> there some problem with the certificates that I am using?
>>
>> One more observation that I have is: When I run this HTTPs client
>> code on the same machine as SSL server, then the connection gets
>> established successfully.
>>
>> Any help is greatly appreciated. Thanks in Advance.
>>
>> Regards,
>> Vinay
>>
>>
>>
>> "DISCLAIMER: This message is proprietary to Aricent and is intended
>> solely for the use of the individual to whom it is addressed. It
>> may contain privileged or confidential information and should not
>> be circulated or used for any purpose other than for what it is
>> intended. If you have received this message in error, please notify
>> the originator immediately. If you are not the intended recipient,
>> you are notified that you are strictly prohibited from using,
>> copying, altering, or disclosing the contents of this message.
>> Aricent accepts no responsibility for loss or damage arising from
>> the use of the information transmitted by this email including
>> damage from virus."
>>
>
>> -------------------------------------------------------------------
>> List admin: http://cool.haxx.se/list/listinfo/curl-library
>> Etiquette: http://curl.haxx.se/mail/etiquette.html
>
> "DISCLAIMER: This message is proprietary to Aricent and is intended
> solely for the use of the individual to whom it is addressed. It may
> contain privileged or confidential information and should not be
> circulated or used for any purpose other than for what it is
> intended. If you have received this message in error, please notify
> the originator immediately. If you are not the intended recipient,
> you are notified that you are strictly prohibited from using,
> copying, altering, or disclosing the contents of this message.
> Aricent accepts no responsibility for loss or damage arising from
> the use of the information transmitted by this email including
> damage from virus."
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-01-29