

Re: peer certificate cannot be authenticated: osx works, windows doesn't

From: Ray Satiro via curl-library <>
Date: Mon, 6 Nov 2017 15:45:06 -0500

On 11/6/2017 3:14 PM, Thomas Blom wrote:
> On 11/6/2017 10:38 AM, Thomas Blom via curl-library wrote:
>> Using curl 7.56.0, built against openssl-1.0.2l, I am using
>> curl_easy_perform() to post to a server and receive results into
>> a file using the CURLOPT_WRITEDATA and an open file handle.
>> This worked fine under both OSX and Windows using an http url,
>> but when I use https, having installed certificates on the
>> aws-linux server, I find that while OSX still works fine, windows
>> (v10) now fails with error 60, "Peer certificate cannot be
>> authenticated with given CA certificates".
>> The certs are cheap ones - PositiveSSL via Comodo.  
>> Reading
>> <>, I think I understand
>> that this depends on the CA "store" being used on the OS, so my
>> guess was that OSX is trusting PositiveSSL, but Windows is not.
>> But, I find that if I navigate to this site with MS Edge, which
>> presumably uses the same OS CA-store, it is fine with the https
>> site, using those same certs.
>> I see in the doc referenced that I can defeat the peer validation
>> with curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE), but
>> I'd prefer a better solution, which may be just buying better
>> certs?  This is software that is to be distributed and used by
>> lots of folks, so it's not an option to just update the CA store
>> on my windows machine so that this cert is trusted.
> On Mon, Nov 6, 2017 at 1:02 PM, Ray Satiro via curl-library <> wrote:
> Disabling ssl verification for software in production is of very
> limited use and usually wrong. In most cases you will want your
> https transfers protected and authenticated. Check that your
> computer's date and time is correct and that your certificate is
> not expired. Since it is working in Edge those things are probably ok.
> MS Edge is using the native certificate store because it's using
> the native Schannel SSL (what we also call WinSSL). curl w/
> OpenSSL in Windows does not do that, instead you have to supply
> the SSL certificates. There is not enough information in your
> report to tell whether you are supplying them. You can download a
> standard certificate bundle [1] and rename it from cacert.pem to
> curl-ca-bundle.crt and put it in the same directory as your
> curl.exe. For libcurl you will need to set CURLOPT_CACERT [2] with
> the location. Over time those certificates change and may need to
> be updated. You could avoid all this by building curl to use
> WinSSL instead, and then it will use the built in certificates
> that are updated automatically by Microsoft.
> My last guess as to what's happening if those things don't fit is
> your server is not configured properly to send all the required
> intermediate certificates. That is an error I've seen a few times
> and often missed in testing. The reason is some clients will cache
> intermediate certificates received from a server and then use
> those certificates when they are missing from other servers.
> Firefox (NSS) and Windows (SChannel) do that. So someone will test
> in Firefox and think well their website works but actually Firefox
> (or NSS I guess) is being helpful and just filling in the blanks.
> And it may or may not work in some other Firefox depending on
> whether the intermediate has been cached. As far as I know,
> OpenSSL will not cache intermediates received from a server and
> that is perfectly acceptable since it is your server's
> responsibility to include those intermediates. Check that your
> server is sending all the required intermediates.
> If you still need help please reply with more information,
> preferably your curl_version() and some way we can use to
> reproduce. (Keep in mind this is a public mailing list so please
> don't post anything sensitive.)
> [1]: <>
> [2]: <>
> I am *not* manually supplying the SSL certificates to libcurl
> (v7.56.0, using OpenSSL/1.0.2l), so this is likely the issue, but I
> was confused because on OSX the same code works fine -- that is, on
> OSX, the keychain/system-store is used, and it seems reasonable to
> assume that a default/system-store would be used on Windows as well. 
> I understand that libcurl built using Schannel/WinSSL will do this - I
> wonder why the same default bundle is not used for OpenSSL, or how I
> can discover what this path is so that I can manually tell libcurl to
> use it even if I prefer to use OpenSSL?  
> Since I write software that is cross-platform (OSX+Windows), I
> typically prefer to use the same libraries/source wherever possible,
> so that behavior can be expected to be as nearly identical as
> possible, and there are fewer total libraries to be concerned with. 
> Thus the decision to build libcurl using OpenSSL on both platforms.

OpenSSL has a CAPI engine that uses Windows native crypto but it doesn't
appear that feature was ever added [1] [2].
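One way to perform the intermediate-certificate check recommended in the quoted reply, as an added example that is not part of this thread or of the curl project: it parses saved `openssl s_client -showcerts` output (with `-CAfile` pointed at the same bundle that CURLOPT_CACERT would name, so the verify result matches what libcurl+OpenSSL sees) and explains the "Verify return code" in terms of the chain the server actually sent. The host and CA names in the two samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the curl project). Input: saved output of
# openssl s_client -connect HOST:443 -servername HOST -showcerts -CAfile curl-ca-bundle.crt
# diagnose_chain FILE: prints one verdict line, exit 0 only when verification passed
diagnose_chain() {
    awk '
        BEGIN { n = 0; inchain = 0; code = -1 }
        /^Certificate chain/ { inchain = 1; next }
        inchain && /^---$/ { inchain = 0; next }
        inchain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        inchain && /^ *i:/ { sub(/^ *i:/, ""); iss[n] = $0; n++; next }
        /^ *Verify return code:/ { code = $4 + 0 }
        END {
            if (n == 0 || code < 0) { print "no chain or no verify result in input"; exit 2 }
            # each certificate must be issued by the next one the server sent
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k+1]) {
                    print "chain gap after " subj[k] ": issued by " iss[k] " but next cert is " subj[k+1]
                    exit 1
                }
            last = n - 1
            if (code == 0)  { print "OK: " n " cert(s) verified, anchored at " iss[last]; exit 0 }
            if (code == 21) { print "server sent only the leaf; it must also send " iss[0]; exit 1 }
            if (code == 20) { print "CA bundle has no issuer for " iss[last] ": server must send it, or bundle is stale"; exit 1 }
            if (code == 10) { print "certificate expired, or the client clock is wrong"; exit 1 }
            print "verification failed with code " code; exit 1
        }' "$1"
}

# Constructed samples in openssl 1.0.2 s_client layout; all names are made up.
GOOD_CHAIN=$(mktemp); BROKEN_CHAIN=$(mktemp)
cat > "$GOOD_CHAIN" <<'EOF'
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
---
    Verify return code: 0 (ok)
EOF
cat > "$BROKEN_CHAIN" <<'EOF'
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
diagnose_chain "$GOOD_CHAIN"             # OK: 2 cert(s) verified, anchored at /CN=Example Root CA
diagnose_chain "$BROKEN_CHAIN" || true   # server sent only the leaf; it must also send /CN=Example Intermediate CA
```

Codes 20 and 21 are OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; with the chain block alongside them you can tell a server that omits its intermediate from a client bundle that lacks the root.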


Received on 2017-11-06