curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: Certificates problem

From: dp <couldabin_at_excite.com>
Date: Mon, 21 May 2018 11:10:18 -0400

No, I'm not sure the CA is used to sign. I tried it as a guess.

Which call is CAFILE use with? I'm not finding it listed in the API.

-----Original Message-----
From: "Waitman Gobble" [gobble.wa_at_gmail.com]
Date: 05/21/2018 09:17 AM
To: "libcurl development" <curl-library_at_cool.haxx.se>
Subject: Re: Certificates problem

On Mon, May 21, 2018 at 9:46 AM, dp <couldabin_at_excite.com> wrote:
> I am having trouble getting libcurl to work with a secure website. I am using cUrl version 7.59.0, OpenSSL 1.0.2, compiling with Visual Studio 10, and running this on XP/SP3. I built both static and DLL libraries, and that completed without any errors. I can link either library without warnings or errors. The calls to curl_easy_setopt() include:
>
> -- CURLOPT_ISSUERCERT, <full path to cacert.pem>
> -- CURLOPT_DEBUGFUNCTION,<function name>
> -- CURLOPT_VERBOSE, 1L
> -- CURLOPT_URL,"https://api.sunrise-sunset.org/json?lat=37.92&lng=-97.22"
>
> If I build with the static library (libcurl_a.lib), curl_easy_perform() returns 60: Peer certificate cannot be authenticated with given CA certificates. The verbose output appears to show certificate exchange (I am not knowledgeable about CAs), and ends with "SSL certificate problem: unable to get local issuer certificate"
>
> With the DLL library (libcurl.lib), curl_easy_perform() returns 1: Unsupported protocol. The verbose output says "Protocol https not supported or disabled in libcurl"
>
> In both versions, the output from curl.exe -V is:
>
> curl 7.59.0 (i386-pc-win32) libcurl/7.59.0 OpenSSL/1.0.2n WinIDN
> Release-Date: 2018-03-14
> Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
> Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL HTTPS-proxy
>
> Did I fail to build the OpenSSL libraries properly, so that certificates are being mishandled? Is there another option I need to set before calling curl_easy_perform()? Is the difference in responses (libcurl.lib versus libcurl_a.lib) expected? I am trying to avoid the workaround that involves ignoring verification of certificates.
>
> Thanks.
>
>
>
>
>
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html

you are certain that the specified CA cert is used to sign?

does -CAFile report verify OK

# openssl s_client -connect api.sunrise-sunset.org:443

CONNECTED(00000003)
depth=0 C = US, ST = New York
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = New York
verify return:1

---
Certificate chain
 0 s:/C=US/ST=New York
   i:/C=US/ST=New York
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDEzCCAfugAwIBAgIJALD4Y/3QNFzFMA0GCSqGSIb3DQEBCwUAMCAxCzAJBgNV
BAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazAeFw0xNDA5MDYxNTMzNTRaFw0yNDA2
MDUxNTMzNTRaMCAxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK3ee7Yhr8scBW7Lw2ZdBc61EexY
8DljaI+g/S127QrcjCvRkpmWYmdOX+cdPmGdPbIuWAiLNWHyx6PP22fuJ5N84e8O
XfmxlmNaQpmiLiSNkOPdqvuG4V2ZOfEJykCYLHoPNfrT9Xlo89qJ2syjNT263+0K
gF734TRsbpjaI1dL7OKTi2SGNcBvIWzf4Pi/uHqD/mOXZ9/BbbnzisZTQ2Hu2Dg9
SvmFc4u1KXctIB0SQKwNwL+yZ7sMWJSLY/EP0S09T+HUuyJGTp2r+uiGJYzWoha3
wECVNg79XLCcgYMhQ4nrjYyXa4XTcOT6fmSO6W9g97sfAzTXObuJBo4J3vsCAwEA
AaNQME4wHQYDVR0OBBYEFByT8USXKoZOGAa3ayXQLYqKRMV+MB8GA1UdIwQYMBaA
FByT8USXKoZOGAa3ayXQLYqKRMV+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggEBAH0OVpa2xsX5fLsTkY7yHjbiVSV3s6CHVqZO+Evwbn1/zjPSk7dIoBn6
5rs7SHAIAH+BdWa6K0M0KqlO7YKPI4pTeZIIafg4bDwwgaORO1LetMsIXtzO6J3W
dCV9PGRwp8S01R1rK2HLQsbS3pfxP1j0zRDeoAyH6Nq9qYuj1XxmJdrH9zwMH+8y
xsn3s06qw4WnUFXTFCYpZegbltEN0ngtNlviTAEewgGoz4I6xUr31Te1AvWT8CrO
S6w9Yh1jgaDsuBpFrzqR2KHyNpYlZ8VNDnkt8Wn6i7BIPkSbbsUFdKYWNl3VfKZE
riqeyAbdrkJW72TC7cQgmRASRlsDCJ0=
-----END CERTIFICATE-----
subject=/C=US/ST=New York
issuer=/C=US/ST=New York
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1466 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: EB5968AF394E3D9179051A514538E00674FF713D0701455D08C343228EF969FB
    Session-ID-ctx:
    Master-Key:
B2B2C19994F13342D7E05BCBF2003E976320F47A474883958C2506A2A3C3A1B9AE39F5F5312A78ADFB409AC29820024C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - ec 96 14 18 dd ca 70 04-4c 14 8a c1 47 46 0f 59   ......p.L...GF.Y
    0010 - dd 9c 57 04 cd 43 30 1c-58 6d 7f dc 6b 12 92 58   ..W..C0.Xm..k..X
    0020 - dd 40 8c fc 63 d7 c3 e6-4b bc 11 bc 3d f2 58 c5   .@..c...K...=.X.
    0030 - b4 12 a7 73 7d 5e b1 aa-9b 24 7f 26 43 05 87 fd   ...s}^...$.&C...
    0040 - 33 dd 49 ad 6a 99 5a 17-e7 79 20 5f ac 44 8b b4   3.I.j.Z..y _.D..
    0050 - ec d6 92 77 4e c9 77 80-b2 48 87 5e 41 7b d7 e7   ...wN.w..H.^A{..
    0060 - 22 58 f2 bd 2e a8 d4 68-01 e5 a1 d5 8b 11 e7 e1   "X.....h........
    0070 - cb 2c 89 bf 28 ba e0 12-26 e6 40 fa a8 43 85 d2   .,..(...&.@..C..
    0080 - 00 eb 0b ae 40 5d 8b 56-6b 8e 6c 5d 87 1c 80 6f   ....@].Vk.l]...o
    0090 - 9a 49 8a 86 70 f9 cf 4e-3e 9c 73 46 3a b7 7e 66   .I..p..N>.sF:.~f
    00a0 - c7 94 fa c3 9c fe 16 5f-98 d5 31 49 01 31 38 1b   ......._..1I.18.
    Start Time: 1526911116
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
closed
-- 
Waitman Gobble
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.htm
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2018-05-21