Re: peer certificate cannot be authenticated: osx works, windows doesn't

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 6 Nov 2017 15:45:06 -0500

On 11/6/2017 3:14 PM, Thomas Blom wrote:
>
> On 11/6/2017 10:38 AM, Thomas Blom via curl-library wrote:
>> Using curl 7.56.0, built against openssl-1.0.2l, I am using
>> curl_easy_perform() to post to a server and receive results into
>> a file using the CURLOPT_WRITEDATA and an open file handle.
>>
>> This worked fine under both OSX and Windows using an http url,
>> but when I use https, having installed certificates on the
>> aws-linux server, I find that while OSX still works fine, windows
>> (v10) now fails with error 60, "Peer certificate cannot be
>> authenticated with given CA certificates".
>>
>> The certs are cheap ones - PositiveSSL via Comodo.  
>>
>> Reading https://curl.haxx.se/docs/sslcerts.html
>> <https://curl.haxx.se/docs/sslcerts.html>, I think I understand
>> that this depends on the CA "store" being used on the OS, so my
>> guess was that OSX is trusting PositiveSSL, but Windows is not.
>> But, I find that if I navigate to this site with MS Edge, which
>> presumably uses the same OS CA-store, it is fine with the https
>> site, using those same certs.
>>
>> I see in the doc referenced that I can defeat the peer validation
>> with curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE), but
>> I'd prefer a better solution, which may be just buying better
>> certs?  This is software that is to be distributed and used by
>> lots of folks, so it's not an option to just update the CA store
>> on my windows machine so that this cert is trusted.
> On Mon, Nov 6, 2017 at 1:02 PM, Ray Satiro via
> curl-library <curl-library_at_cool.haxx.se
> <mailto:curl-library_at_cool.haxx.se>> wrote:
>
> Disabling ssl verification for software in production is of very
> limited use and usually wrong. In most cases you will want your
> https transfers protected and authenticated. Check that your
> computer's date and time is correct and that your certificate is
> not expired. Since it is working in Edge those things are probably ok.
>
> MS Edge is using the native certificate store because it's using
> the native Schannel SSL (what we also call WinSSL). curl w/
> OpenSSL in Windows does not do that, instead you have to supply
> the SSL certificates. There is not enough information in your
> report to tell whether you are supplying them. You can download a
> standard certificate bundle [1] and rename it from cacert.pem to
> curl-ca-bundle.crt and put it in the same directory as your
> curl.exe. For libcurl you will need to set CURLOPT_CACERT [2] with
> the location. Over time those certificates change and may need to
> be updated. You could avoid all this by building curl to use
> WinSSL instead, and then it will use the built in certificates
> that are updated automatically by Microsoft.
>
> My last guess as to what's happening if those things don't fit is
> your server is not configured properly to send all the required
> intermediate certificates. That is an error I've seen a few times
> and often missed in testing. The reason is some clients will cache
> intermediate certificates received from a server and then use
> those certificates when they are missing from other servers.
> Firefox (NSS) and Windows (SChannel) do that. So someone will test
> in Firefox and think well their website works but actually Firefox
> (or NSS I guess) is being helpful and just filling in the blanks.
> And it may or may not work in some other Firefox depending on
> whether the intermediate has been cached. As far as I know,
> OpenSSL will not cache intermediates received from a server and
> that is perfectly acceptable since it is your server's
> responsibility to include those intermediates. Check that your
> server is sending all the required intermediates.
>
> If you still need help please reply with more information,
> preferably your curl_version() and some way we can use to
> reproduce. (Keep in mind this is a public mailing list so please
> don't post anything sensitive.)
>
> [1]: https://curl.haxx.se/docs/caextract.html
> <https://curl.haxx.se/docs/caextract.html>
> [2]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
> <https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html>
>
>
> I am *not* manually supplying the SSL certificates to libcurl
> (v7.56.0, using OpenSSL/1.0.2l), so this is likely the issue, but I
> was confused because on OSX the same code works fine -- that is, on
> OSX, the keychain/system-store is used, and it seems reasonable to
> assume that a default/system-store would be used on Windows as well. 
>
> I understand that libcurl built using Schannel/WinSSL will do this - I
> wonder why the same default bundle is not used for OpenSSL, or how I
> can discover what this path is so that I can manually tell libcurl to
> use it even if I prefer to use OpenSSL?  
>
> Since I write software that is cross-platform (OSX+Windows), I
> typically prefer to use the same libraries/source wherever possible,
> so that behavior can be expected to be as nearly identical as
> possible, and there are fewer total libraries to be concerned with. 
> Thus the decision to build libcurl using OpenSSL on both platforms.

OpenSSL has a CAPI engine that uses Windows native crypto but it doesn't
appear that feature was ever added [1] [2].

[1]: http://openssl.6102.n7.nabble.com/Using-Windows-certificate-store-through-OpenSSL-td46788.html
[2]: https://rt.openssl.org/Ticket/Display.html?id=2158
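To test Ray's last guess (a server that omits its intermediate certificate), here is an added example that is not part of the thread: it parses the "Certificate chain" section printed by `openssl s_client -showcerts` and walks it the way an OpenSSL-based client does, without any cached intermediates, so the leaf-only case fails exactly as curl with OpenSSL would. The sample chains and the trusted root name are constructed placeholders.

```python
import re

# Constructed sample of the "Certificate chain" section that
# `openssl s_client -connect host:443 -showcerts` prints; names are
# placeholders, not output from the server discussed in the thread.
CHAIN_LEAF_ONLY = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.example.com
   i:/O=Example CA/CN=Example Domain Validation CA
"""
# Same server after it is fixed to also send the intermediate.
CHAIN_WITH_INTERMEDIATE = CHAIN_LEAF_ONLY + """\
 1 s:/O=Example CA/CN=Example Domain Validation CA
   i:/O=Example CA/CN=Example Root CA
"""

# Subjects a client trusts from its CA bundle (the file libcurl reads via
# CURLOPT_CAINFO). Bundles hold roots, so intermediates must come from the server.
TRUSTED_ROOTS = {"/O=Example CA/CN=Example Root CA"}
LINE_RE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, name = m.group(1), m.group(2).strip()
        if kind == "s":
            subject = name
        elif subject is not None:  # "i:" line following an "s:" line
            chain.append((subject, name))
            subject = None
    return chain

def check_chain(text, trusted_roots=TRUSTED_ROOTS):
    """Walk the sent chain like OpenSSL does (no cached intermediates):
    every issuer must be another sent cert or a trusted root."""
    chain = parse_chain(text)
    if not chain:
        return False, "no certificates parsed"
    sent = {subj for subj, _ in chain}
    for subj, issuer in chain:
        if issuer == subj or issuer in trusted_roots:
            return True, "chain reaches trusted root: " + issuer
        if issuer not in sent:
            return False, "issuer not sent and not trusted: " + issuer
    return False, "chain never reaches a trusted root"
```

Run it against real `s_client -showcerts` output with your CA bundle's root subjects in `TRUSTED_ROOTS`; a False result with the intermediate named as the untrusted issuer is the server-side misconfiguration Ray describes.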

Received on 2017-11-06