Re: peer certificate cannot be authenticated: osx works, windows doesn't
Date: Mon, 6 Nov 2017 15:45:06 -0500
On 11/6/2017 3:14 PM, Thomas Blom wrote:
> On 11/6/2017 10:38 AM, Thomas Blom via curl-library wrote:
>> Using curl 7.56.0, built against openssl-1.0.2l, I am using
>> curl_easy_perform() to post to a server and receive results into
>> a file using the CURLOPT_WRITEDATA and an open file handle.
>> This worked fine under both OSX and Windows using an http url,
>> but when I use https, having installed certificates on the
>> aws-linux server, I find that while OSX still works fine, windows
>> (v10) now fails with error 60, "Peer certificate cannot be
>> authenticated with given CA certificates".
>> The certs are cheap ones - PositiveSSL via Comodo.
>> Reading https://curl.haxx.se/docs/sslcerts.html
>> <https://curl.haxx.se/docs/sslcerts.html>, I think I understand
>> that this depends on the CA "store" being used on the OS, so my
>> guess was that OSX is trusting PostiveSSL, but Windows is not.
>> But, I find that if I navigate to this site with MS Edge, which
>> presumably uses the same OS CA-store, it is fine with the https
>> site, using those same certs.
>> I see in the doc referenced that I can defeat the peer validation
>> with curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE), but
>> I'd prefer a better solution, which may be just buying better
>> certs? This is software that is to be distributed and used by
>> lots of folks, so it's not an option to just update the CA store
>> on my windows machine so that this cert is trusted.
> On Mon, Nov 6, 2017 at 1:02 PM, Ray Satiro via
> curl-library <curl-library_at_cool.haxx.se
> <mailto:curl-library_at_cool.haxx.se>> wrote :
> Disabling ssl verification for software in production is of very
> limited use and usually wrong. In most cases you will want your
> https transfers protected and authenticated. Check that your
> computer's date and time is correct and that your certificate is
> not expired. Since it is working in Edge those things are probably ok.
> MS Edge is using the native certificate store because it's using
> the native Schannel SSL (what we also call WinSSL). curl w/
> OpenSSL in Windows does not do that, instead you have to supply
> the SSL certificates. There is not enough information in your
> report to tell whether you are supplying them. You can download a
> standard certificate bundle  and rename it from cacert.pem to
> curl-ca-bundle.crt and put it in the same directory as your
> curl.exe. For libcurl you will need to set CURLOPT_CACERT  with
> the location. Over time those certificates change and may need to
> be updated. You could avoid all this by building curl to use
> WinSSL instead, and then it will use the built in certificates
> that are updated automatically by Microsoft.
> My last guess as to what's happening if those things don't fit is
> your server is not configured properly to send all the required
> intermediate certificates. That is an error I've seen a few times
> and often missed in testing. The reason is some clients will cache
> intermediate certificates received from a server and then use
> those certificates when they are missing from other servers.
> Firefox (NSS) and Windows (SChannel) do that. So someone will test
> in Firefox and think well their website works but actually Firefox
> (or NSS I guess) is being helpful and just filling in the blanks.
> And it may or may not work in some other Firefox depending on
> whether the intermediate has been cached. As far as I know,
> OpenSSL will not cache intermediates received from a server and
> that is perfectly acceptable since it is your server's
> responsibility to include those intermediates. Check that your
> server is sending all the required intermediates.
> If you still need help please reply with more information,
> preferably your curl_version() and some way we can use to
> reproduce. (Keep in mind this is a public mailing list so please
> don't post anything sensitive.)
> : https://curl.haxx.se/docs/caextract.html
> : https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
> I am *not* manually supplying the SSL certificates to libcurl
> (v7.56.0, using OpenSSL/1.0.2l), so this is likely the issue, but I
> was confused because on OSX the same code works fine -- that is, on
> OSX, the keychain/system-store is used, and it seems reasonable to
> assume that a default/system-store would be used on Windows as well.
> I understand that libcurl built using Schannel/WinSSL will do this - I
> wonder why the same default bundle is not used for OpenSSL, or how I
> can discover what this path is so that I can manually tell libcurl to
> use it even if I prefer to use OpenSSL?
> Since I write software that is cross-platform (OSX+Windows), I
> typically prefer to use the same libraries/source wherever possible,
> so that behavior can be expected to be as nearly identical as
> possible, and there are fewer total libraries to be concerned with.
> Thus the decision to build libcurl using OpenSSL on both platforms.
OpenSSL has a CAPI engine that uses Windows native crypto but it doesn't
appear that feature was ever added  .
Received on 2017-11-06