curl-library

certificate verify failed

From: Ari Jolma <ari.jolma_at_tkk.fi>
Date: Sat, 02 Oct 2010 13:14:05 +0300

Hello,

I'm learning to set up Shibboleth. Shibboleth contains a service
provider (SP) and an identity provider (IdP). At one point in the
authentication the SP contacts the IdP using libcurl. This is done from the
xmltooling library, which sets up a curl client.

My problem is that the SP fails to connect to the IdP, while curl has no
problem doing that from the command line:

8<---------------------------------
root_at_ubu:/usr/src/xmltooling-1.3# curl -v https://ubu.jolma.net:444/idp/profile/SAML2/SOAP/AttributeQuery
* About to connect() to ubu.jolma.net port 444 (#0)
* Trying 192.168.3.2... connected
* Connected to ubu.jolma.net (192.168.3.2) port 444 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
   CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: O=Company; OU=Department; CN=ubu.jolma.net
* start date: 2010-10-01 17:08:33 GMT
* expire date: 2011-10-01 17:08:33 GMT
* common name: ubu.jolma.net (matched)
* issuer: O=Company; OU=Department; CN=ubu.jolma.net
* SSL certificate verify ok.
8<---------------------------------

From the server logs (edited a bit):

8<---------------------------------
XMLTooling.libcurl [2]: About to connect() to ubu.jolma.net port 444 (#0)
XMLTooling.libcurl [2]: Trying 192.168.3.2...
XMLTooling.libcurl [2]: connected
XMLTooling.libcurl [2]: Connected to ubu.jolma.net (192.168.3.2) port 444 (#0)
XMLTooling.libcurl [2]: successfully set certificate verify locations:
XMLTooling.libcurl [2]: CAfile: /etc/ssl/certs/ca-certificates.crt
                           CApath: none
XMLTooling.libcurl [2]: SSLv3, TLS handshake, Client hello (1):
XMLTooling.libcurl [2]: SSLv3, TLS handshake, Server hello (2):
XMLTooling.libcurl [2]: SSLv3, TLS handshake, CERT (11):
XMLTooling.libcurl [2]:
XMLTooling.SOAPTransport.CURL [2]: supplied TrustEngine failed to validate SSL/TLS server certificate
XMLTooling.libcurl [2]: SSLv3, TLS alert, Server hello (2):
XMLTooling.libcurl [2]: SSL certificate problem, verify that the CA cert is OK. Details:
                         error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
XMLTooling.libcurl [2]: Closing connection #0
8<---------------------------------

xmltooling uses the curl_easy API. I've disabled (set to 0)

CURLOPT_SSL_VERIFYHOST and
CURLOPT_SSL_VERIFYPEER

I'm also setting CURLOPT_CAINFO there, as otherwise the verify locations do
not show up in the server log. There shouldn't be any other critical
CURLOPTs that would cause the problem. In both cases the libssl should
be the same (0.9.8).

I can make the command-line curl fail just by removing the Apache cert
from ca-certificates.crt. Everything is running as root, so permissions
should not be a problem. curl is 7.21.1, which I've compiled myself.
There is only one libcurl.so on my system. xmltooling and libcurl use
shared libs.

I'm at a loss trying to figure out what blocks the Shibboleth SP from
making the connection. jolma.net is not a real domain; it's a fake for
my home network.

Best regards,

Ari

-- 
Professor Ari Jolma
Department of Civil and Environmental Engineering
Aalto University
tel: +358 50 347 6463
Email: ari.jolma at tkk.fi
http://geoinformatics.tkk.fi
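The two logs in the post show two separate trust decisions on the same self-signed certificate (subject and issuer are identical): curl's CA-file check passes, while the SP log reports that an application-supplied TrustEngine rejected the certificate before libcurl's own verification finished. The script below is an added example, not code from the post, from xmltooling or from Shibboleth. It reproduces that situation offline with openssl(1): it generates a constructed self-signed certificate with the post's subject, shows that it is self-signed, and verifies it against two independent trust stores, one that contains the certificate (standing in for ca-certificates.crt on the command line) and one that does not (standing in for a trust engine with its own anchors). File names, the unrelated second certificate and the temporary directory are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Requires openssl(1).
# All certificates, file names and hostnames below are constructed.
set -e
WORK=$(mktemp -d)

# Generate a self-signed certificate whose subject mirrors the post.
# $1 = file prefix, $2 = CN
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Company/OU=Department/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Returns 0 when the certificate's subject equals its issuer,
# i.e. the "subject == issuer" pattern visible in the curl -v output.
is_self_signed() {
  subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
  iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
  [ "$subj" = "$iss" ]
}

# Chain + hostname check against one trust store.
# $1 = CA bundle, $2 = certificate, $3 = expected hostname. Returns 0 on success.
verify_against() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

make_selfsigned idp ubu.jolma.net
make_selfsigned unrelated other.example

# Trust store that contains the IdP certificate (what the CLI curl consulted).
cp "$WORK/idp.pem" "$WORK/ca-with-idp.crt"
# An independent trust store that does not (stand-in for a separate trust engine).
cp "$WORK/unrelated.pem" "$WORK/ca-without-idp.crt"

# Same certificate, two verdicts: only the store that holds the anchor accepts it.
if verify_against "$WORK/ca-with-idp.crt" "$WORK/idp.pem" ubu.jolma.net; then
  echo "store with idp cert:    OK"
else
  echo "store with idp cert:    FAILED"
fi
if verify_against "$WORK/ca-without-idp.crt" "$WORK/idp.pem" ubu.jolma.net; then
  echo "store without idp cert: OK"
else
  echo "store without idp cert: certificate verify failed"
fi
```

The point of the two stores is that CURLOPT_CAINFO only tells libcurl's own verifier where its anchors are; any verification performed by a callback the application installs (the TrustEngine in the log) consults whatever anchors that component was configured with, so disabling CURLOPT_SSL_VERIFYPEER changes nothing about its verdict. To reproduce the post's command-line failure, remove the IdP certificate from the bundle passed as -CAfile and the verification fails with the same "certificate verify failed" class of error.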
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2010-10-02