
Re: issue with root CA in certificates chain from server

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 05 Feb 2015 01:49:22 -0500

On 2/4/2015 9:03 AM, Bruno BARRUCAND wrote:
>
> I am using libcurl (curl-7.34.0) with openssl (1.0.1h) in https. It
> works well. Thank you.
>
> But I have an issue in one case. When server sends root CA in
> certificates chain, libcurl/openssl returns an error "SSL certificate
> problem: self signed certificate in certificate chain".
>
> In my code, I have set curl_easy_setopt(curl_, CURLOPT_CAINFO, cert);
> with cert which is the root CA (in PEM format).
>
> I have also set curl_easy_setopt(curl_, CURLOPT_SSL_VERIFYHOST, 2);
>
> And curl_easy_setopt(curl_, CURLOPT_SSL_VERIFYPEER, 1);
>
> What should I do/modify/add in the code to accept connection from this
> server without allowing self-signed certificate (by setting
> CURLOPT_SSL_VERIFYPEER to 0)?
>

You are saying you want to connect to the server but not if there's a
self-signed certificate? Isn't that what you are already doing? Is it
possible you mean you want to connect to the server without disabling
verify? In that case you will need to get the self-signed certificate
(explained below) and check that it's legit with the server operator.
Here's what I think is most likely:

The certificate may not be in your bundle or the bundle may not have
loaded properly. Also make sure cert is a char pointer to the filename.
And if you are on Windows, a common mistake with string literals is to
forget to escape the backslashes, so if you're specifying a path, for
example C:\aaa\your_cert_file.pem is

const char *cert = "C:\\aaa\\your_cert_file.pem";

Run the curl tool with -v or curl_easy_setopt(curl_, CURLOPT_VERBOSE, 1L)
and check for these lines:

* successfully set certificate verify locations:
* CAfile: your_cert_file.pem

If not, you will see 'error setting certificate verify locations' or
something else. If setting the location was successful, try to connect
using openssl to rule out curl:

openssl s_client -showcerts -CAfile your_cert_file.pem -connect server:port

openssl should dump the certificate chain. Look at the very beginning
for depth/verify failures. If you see that, the problem is not in curl,
and the problem may be that the certificate isn't in the bundle, or there's
something wrong with the bundle, or something else.

Received on 2015-02-05
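The two checks in the reply above, wrapped as POSIX shell helpers so the verbose curl output and the openssl s_client output can be classified mechanically. This is an added example, not code from the mail or from the curl project; it assumes the curl and openssl CLIs are on PATH, and the CA file, server and port in check_server are placeholders. The sample outputs are constructed to match the lines the reply describes.

```shell
# Prints "loaded", "not-loaded" or "unknown" for captured `curl -v` output,
# based on the "certificate verify locations" line the reply tells you to look for.
classify_verify_locations() {
    case "$1" in
        *"successfully set certificate verify locations"*) echo loaded ;;
        *"error setting certificate verify locations"*)    echo not-loaded ;;
        *)                                                  echo unknown ;;
    esac
}

# Prints the first "verify error" reason from s_client output, e.g.
# "num=19:self signed certificate in certificate chain"; empty if none.
first_verify_error() {
    printf '%s\n' "$1" | sed -n 's/^verify error:\(.*\)$/\1/p' | sed -n '1p'
}

# Prints the depth (the "depth=N" line printed just before the first verify
# error), so you can tell whether the root at the top of the chain or a
# lower certificate is the one that failed.
first_failing_depth() {
    printf '%s\n' "$1" | awk '/^depth=/ {d=substr($1,7)} /^verify error:/ {print d; exit}'
}

# Prints the numeric "Verify return code" from the end of s_client output.
verify_return_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | sed -n '1p'
}

# Runs both checks against a live server. Usage: check_server ca.pem host port
# (ca.pem, host and port are placeholders you supply).
check_server() {
    curl_out=$(curl -sS -v --cacert "$1" -o /dev/null "https://$2:$3/" 2>&1) || true
    echo "CA bundle: $(classify_verify_locations "$curl_out")"
    ssl_out=$(openssl s_client -showcerts -CAfile "$1" -connect "$2:$3" </dev/null 2>&1) || true
    echo "first verify error (depth $(first_failing_depth "$ssl_out")): $(first_verify_error "$ssl_out")"
    echo "Verify return code: $(verify_return_code "$ssl_out")"
}

# Constructed sample output in the shape the reply describes (not real captures).
SAMPLE_CURL_OK='* successfully set certificate verify locations:
*   CAfile: your_cert_file.pem'
SAMPLE_SCLIENT='depth=2 C = XX, O = Example Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
...
    Verify return code: 19 (self signed certificate in certificate chain)'
```

A depth equal to the top of the chain with error num=19 means the server sent its root and that root is not in the bundle curl loaded, which is the case the reply suspects.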