libcurl, OpenSSL, and "result code 77, error setting certificate verify locations"
Date: Thu, 4 Jan 2018 10:52:49 +0000
We're using libcurl, locally built, with our own build of OpenSSL/1.0.2.
curl 7.54.1-DEV (powerpc-apple-darwin8.11.0) libcurl/7.54.1-DEV OpenSSL/1.0.2n zlib/1.2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets HTTPS-proxy
The other day one of our applications stopped working at an awkward moment, reporting "result code 77, error setting certificate verify locations". We have seen this error from time to time (very rarely) since 2004. It's not anything to do with the file of PEM-encoded x509 certificates, the certificates, or the path to the file.
I can see people complaining about this in the past:
It's really an OpenSSL problem rather than a libcurl one. libcurl built against OpenSSL may call SSL_CTX_load_verify_locations(), which is a wrapper around X509_STORE_load_locations(), and that is failing for no good reason that we can see.
"That we can see". There is probably useful information available via the OpenSSL error stack, but I can't see how to get at that starting from the CURL context pointer. It would be useful to us if, for builds against OpenSSL, libcurl had an API to expose the OpenSSL SSL_CTX content pointer, so that additional error investigation/reporting can be carried out in client applications.
Senior Software Engineer
Received on 2018-01-04
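
The kind of detail the message above asks for, as an added example (not code from the post or from libcurl): Python's ssl module calls the same SSL_CTX_load_verify_locations(), and reports whether a failed load came from the operating system (errno) or from an entry on the OpenSSL error queue. The function names, file names and file contents are constructed for illustration, and the example does not reproduce the intermittent failure described.

```python
import errno
import os
import ssl
import tempfile


def diagnose_ca_bundle(path):
    """Load `path` as a CA bundle; return (kind, detail) for the outcome.

    kind is "ok", "os" (errno from file access) or "openssl" (library and
    reason of the entry Python took from the OpenSSL error queue).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Wraps OpenSSL's SSL_CTX_load_verify_locations(ctx, cafile, NULL).
        ctx.load_verify_locations(cafile=path)
    except ssl.SSLError as exc:  # checked first: SSLError subclasses OSError
        return "openssl", f"{exc.library}:{exc.reason}"
    except OSError as exc:
        return "os", errno.errorcode.get(exc.errno, str(exc.errno))
    return "ok", f"{len(ctx.get_ca_certs())} CA certificate(s)"


def run_constructed_cases():
    """Run the check on two constructed bad inputs in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        missing = os.path.join(tmp, "missing.pem")  # never created
        broken = os.path.join(tmp, "broken.pem")    # PEM armour, junk body
        with open(broken, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n"
                     "Just bad cert data\n"
                     "-----END CERTIFICATE-----\n")
        return {
            "missing": diagnose_ca_bundle(missing),
            "broken": diagnose_ca_bundle(broken),
        }


if __name__ == "__main__":
    for name, (kind, detail) in run_constructed_cases().items():
        print(f"{name}: {kind} ({detail})")
```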