
Re: php curl insecure connection option is skipped

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 10 May 2019 14:49:36 -0400

On 5/10/2019 8:57 AM, surya chandrika via curl-library wrote:
> I Ran the following
>
> -sh-4.2$  HOST=<myhost>; echo | openssl s_client -servername $HOST
> -connect $HOST:443 2>/dev/null | openssl x509 -noout -checkhost $HOST
> unable to load certificate
> 139697300731712:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE
>
> I added a self signed certificate for this host. Could that be a reason?
>
> On Wed, May 8, 2019 at 11:48 AM Ray Satiro via curl-library
> <curl-library_at_cool.haxx.se> wrote:
>
> On 5/8/2019 12:32 AM, surya chandrika wrote:
>> Disabling  CURLOPT_SSL_VERIFYHOST  worked. Yes as you said this
>> is not recommended.
>> But am not sure why certificate with correct hostname is not
>> recognized from uploaded certificate.
>> I added certificate in path "/etc/pki/ca-trust/source/anchors/"
>> In verbose mode it says it got 5 certificates:
>>> * found 171 certificates in /etc/pki/tls/certs/ca-bundle.crt
>>> * found 5 certificates in /etc/pki/ca-trust/source/anchors/
>>>
>>> But throws error: SSL: certificate subject name (#1300) does not
>>> match target host name 'abc.com'
>> Any idea why certificate is not recognized
>
>
> If abc.com is a hostname in the certificate then
> you should not see that message. Check if OpenSSL gives different
> results:
>
> (HOST=abc.com ; echo | openssl s_client
> -servername $HOST -connect $HOST:443 2>/dev/null | openssl x509
> -noout -checkhost $HOST)
>
> Instead of -checkhost $HOST you can use -text to dump the
> certificate details. You should see the hostname in X509v3 Subject
> Alternative Name.
>

Please do not top-post [1], it makes the conversation harder to follow.
The error "Expecting: TRUSTED CERTIFICATE" means that the certificate was
not read, which likely means a separate error occurred in the previous
command. A self-signed certificate should not be the reason. Try just
the s_client command without suppressing errors.

[1]: https://curl.haxx.se/mail/etiquette.html#Do_Not_Top_Post
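The two observations in this thread, the "no start line ... Expecting: TRUSTED CERTIFICATE" error and the hostname check with openssl x509 -checkhost, can be reproduced offline. The script below is an added example, not code from the thread or from the curl project. It assumes the openssl command-line tool is installed (1.1.1 or newer, because of -addext), reuses abc.com as the placeholder hostname from the thread, and builds its own self-signed certificate and a constructed stand-in for s_client output so that no network is needed. The probe_host function is the one part that does connect out; it keeps s_client's stderr instead of sending it to /dev/null, which is the diagnostic step the reply recommends.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce both observations above with
# a locally generated self-signed certificate so it runs offline.
# Assumptions: openssl CLI 1.1.1+ (for -addext); abc.com is the thread's
# placeholder hostname.
set -e

HOST=abc.com
WORK=$(mktemp -d)

# Self-signed leaf certificate whose Subject Alternative Name carries the host.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
  -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" >/dev/null 2>&1

# check_host CERT_FILE HOST: succeed only if openssl says the name matches.
# "x509 -checkhost" exits 0 either way, so the verdict has to be grepped.
check_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# empty_input_fails HOST: what the thread's pipeline does when s_client
# produced nothing. x509 reads empty stdin and cannot load a certificate
# (OpenSSL 1.1.x reports "no start line ... Expecting: TRUSTED CERTIFICATE").
empty_input_fails() {
  ! echo | openssl x509 -noout -checkhost "$1" >/dev/null 2>&1
}

# extract_pem FILE: pull the PEM certificate block(s) out of s_client output,
# which also carries handshake chatter around them.
extract_pem() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# probe_host HOST [PORT]: the thread's check, but s_client's stderr is kept
# so a connection or handshake failure is reported instead of hidden.
probe_host() {
  port=${2:-443}
  printf '' | openssl s_client -servername "$1" -connect "$1:$port" \
    >"$WORK/s_client.out" 2>"$WORK/s_client.err" || true
  if ! grep -q 'BEGIN CERTIFICATE' "$WORK/s_client.out"; then
    echo "s_client returned no certificate for $1:$port; its stderr was:" >&2
    cat "$WORK/s_client.err" >&2
    return 1
  fi
  extract_pem "$WORK/s_client.out" | openssl x509 -noout -checkhost "$1"
}

# Constructed stand-in for s_client output: chatter around the generated cert.
{
  echo 'CONNECTED(00000003)'
  echo "depth=0 CN = $HOST"
  cat "$WORK/cert.pem"
  echo '---'
  echo 'Server certificate'
} >"$WORK/fake_s_client.out"

# Stand-alone run: matching name, non-matching name, the empty-pipe failure,
# and PEM extraction from s_client-style output.
check_host "$WORK/cert.pem" "$HOST" && echo "$HOST matches the SAN"
check_host "$WORK/cert.pem" other.example || echo "other.example does not match"
empty_input_fails "$HOST" && echo "empty input: x509 cannot load a certificate"
extract_pem "$WORK/fake_s_client.out" | openssl x509 -noout -checkhost "$HOST"
```

Run it with probe_host <real host> to try the live check; if the handshake fails, the captured stderr tells you why x509 had nothing to read, which is exactly what 2>/dev/null was hiding in the thread's one-liner.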

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-05-10