curl-tracker Archives

[curl:bugs] #1225 libcurl, curl do not honor apache SNI direction to SSL certificates

From: Anthony Baldwin <tonytraductor_at_users.sf.net>
Date: Thu, 16 May 2013 02:32:41 +0000

Okay, my bad, I think I have solved this, and it's not curl's fault.
I had *:443 in my ports.conf and vhosts, which apparently messes up SNI. I added "SSLStrictSNIVHostCheck on" in my ports.conf and changed all the *:443 to IP.ADD.RE.SS:443 in my vhosts, and it seems it may be working properly now.
I'll leave this with the comment in case anyone else is tempted to hastily file a bug before checking every possible configuration issue (thought I had, but had missed these bits).

---
**[bugs:#1225] libcurl, curl do not honor apache SNI direction to SSL certificates**
**Status:** open
**Labels:** SNI ssl 
**Created:** Thu May 16, 2013 01:37 AM UTC by Anthony Baldwin
**Last Updated:** Thu May 16, 2013 01:37 AM UTC
**Owner:** nobody
I have several sites with distinct SSL certificates on one server with apache (SNI). Browsers seem to find the proper cert, but curl and libcurl do not, thus hindering communications. Server is running Debian Squeeze, Apache2, curl 7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
The applications I am using that require curl/libcurl to communicate with others are decentralized communications platforms, friendica (friendica.com) and red (a new project from the friendica folks).
libcurl's failure to access the proper cert completely prevents proper communications with red.
Furthermore, when I post to either (they both have a simple API) with curl, the --ssl option gives me errors, while -k works.
I know the vhosts and certificates are all correct and installed properly, since browsers (firefox, iceweasel, google chrome, chromium, midori) all find the proper certificates. The libcurl errors indicate that libcurl is accessing the first cert on the server (a self-signed) rather than the certs the vhosts indicate for the domains for the friendica and red installations.
I don't know if this description is adequate, but will be glad to answer further questions if it is helpful.
---
Sent from sourceforge.net because you indicated interest in <https://sourceforge.net/p/curl/bugs/1225/>
To unsubscribe from further messages, please visit <https://sourceforge.net/auth/subscriptions/>
Received on 2013-05-16
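
One way to check the symptom reported above (a client being handed the server's first certificate instead of the one configured for the requested vhost), as an added example that is not part of the original message or of curl: record which certificate the server presents with and without an SNI name and compare fingerprints. The function names, the address 192.0.2.10 and the hostnames are assumptions made for illustration.

```python
import hashlib
import socket
import ssl


def served_cert_fingerprint(address, port=443, sni=None, timeout=5.0):
    """SHA-256 fingerprint of the leaf certificate the server presents when
    the ClientHello carries `sni` (None means no SNI extension is sent)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Validation is off on purpose: this only records which certificate is
    # presented; nothing is trusted and no data is sent over the connection.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def classify_sni(default_fp, per_host_fp):
    """Compare per-hostname fingerprints with the no-SNI default.
    Returns {hostname: verdict}."""
    verdicts = {}
    for host, fp in per_host_fp.items():
        shared = [h for h, other in per_host_fp.items() if h != host and other == fp]
        if fp == default_fp:
            # Expected only for the vhost that owns the default certificate.
            verdicts[host] = "default-cert"
        elif shared:
            # Same certificate as another name; fine if it is a multi-name cert.
            verdicts[host] = "shared-cert"
        else:
            verdicts[host] = "distinct-cert"
    return verdicts


def audit(address, hostnames, port=443):
    """Connect once without SNI and once per hostname, then classify."""
    default_fp = served_cert_fingerprint(address, port, sni=None)
    per_host = {h: served_cert_fingerprint(address, port, sni=h) for h in hostnames}
    return classify_sni(default_fp, per_host)


if __name__ == "__main__":
    # Constructed fingerprints (not real data): the second name falls back
    # to the default certificate, which is the situation in the report.
    print(classify_sni("aa11", {"one.example": "bb22", "two.example": "aa11"}))
    # Against a real server: audit("192.0.2.10", ["one.example", "two.example"])
```

A hostname reported as `default-cert` that is not the first vhost on that address points at server-side vhost selection rather than at the client, which is what the follow-up message concluded.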
