
Re: difficulties with SSL certs

From: Dennis Clarke via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 8 Apr 2021 03:31:27 -0400

On 4/8/21 2:53 AM, Ray Satiro via curl-library wrote:
> On 4/8/2021 12:21 AM, Dennis Clarke via curl-library wrote:
>> europa$
>> europa$ curl -4 -L --url 'https://gitlab.com/' -o /dev/null
>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>                                  Dload  Upload   Total   Spent    Left  Speed
>>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>> curl: (60) SSL certificate problem: unable to get local issuer
>> certificate
>> More details here: https://curl.se/docs/sslcerts.html
>>
>> curl failed to verify the legitimacy of the server and therefore could
>> not
>> establish a secure connection to it. To learn more about this
>> situation and
>> how to fix it, please visit the web page mentioned above.
>> europa$
>>
>> europa$ curl --version
>> curl 7.75.0 (x86_64-unknown-freebsd13.0) libcurl/7.75.0 OpenSSL/1.1.1k
>> zlib/1.2.11 libidn2/2.3.0 libssh2/1.9.0
>> Release-Date: 2021-02-03
>> Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt
>> pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
>> Features: alt-svc AsynchDNS HTTPS-proxy IDN Largefile libz NTLM NTLM_WB
>> SSL TLS-SRP UnixSockets
>> europa$
>>
>> So I looked into the location where the ssl certs "should" be given my
>> curl config :
>>
>> $ ./configure --prefix=/opt/bw --disable-dependency-tracking \
>>   --disable-silent-rules --without-gnu-ld --enable-shared \
>>   --enable-static \
>>   --with-libidn=/usr/local --with-libidn2=/usr/local \
>>   --with-ssl=/opt/bw --with-ca-path=/opt/bw/ssl/certs \
>>   --enable-tls-srp --with-libssh2
>>
>> So I expect that the cacert.pem file at
>>
>>      https://curl.se/docs/caextract.html
>>
>> would solve all my problems however :
>>
>> europa$ ls -lapb /opt/bw/ssl/certs/
>> total 350
>> drwxr-xr-x  2 root  wheel       3 Apr  8 02:35 ./
>> drwxr-xr-x  5 root  wheel       9 Apr  7 00:14 ../
>> -rw-r--r--  1 root  wheel  208075 Jan 19 04:12 cacert.pem
>> europa$
>>
>> This does not help at all and even OpenSSL seems confused.
>
>
> What is your curl -V version and the verbose output? Your CA path is
> supposed to contain the certificate files named by hash value [1], which
> it doesn't.

I just dropped the correct certs into that directory and they are still
not found :

europa$ grep '89:80:cc:26' /opt/bw/ssl/certs/*
/opt/bw/ssl/certs/USERTrust_ECC_Certification_Authority.pem:
5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
europa$ grep '0e:35:03:2d' /opt/bw/ssl/certs/*
/opt/bw/ssl/certs/USERTrust_RSA_Certification_Authority.pem:
01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d


Those are exactly what is needed.

europa$ /opt/bw/bin/curl -V
curl 7.75.0 (x86_64-unknown-freebsd13.0) libcurl/7.75.0 OpenSSL/1.1.1k
zlib/1.2.11 libidn2/2.3.0 libssh2/1.9.0
Release-Date: 2021-02-03
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt
pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HTTPS-proxy IDN Largefile libz NTLM NTLM_WB
SSL TLS-SRP UnixSockets
europa$

So I should think that the certs are found in that directory now :


europa$ /opt/bw/bin/curl -vvvv -4 -L https://gitlab.com/ -o /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Trying 172.65.251.78:443...
* Connected to gitlab.com (172.65.251.78) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
* CApath: /opt/bw/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4542 bytes data]
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
europa$


> Putting a single file with a bundle of certificates in the
> path won't help. You can use configure option --with-ca-bundle=FILE.

That is exactly what I am going to do. Once a week or so I can check if
the cacert bundle has been updated and then otherwise forget about it.

> Note your OS may have a packaged and maintained directory containing
> certificates or a bundle of certificates, I would use that if you can.
> Also see [2] for scanned paths
>

Yes, I was thinking of that also but felt it should not be black magic
to just point to a cacert bundle.


> [1]:
> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html
>
> [2]: https://github.com/curl/curl/blob/curl-7_76_0/acinclude.m4#L2182-L2192

Thank you and I will look over all of that.


-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
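The failure discussed in this thread is that OpenSSL's CApath lookup opens files named by subject hash (e.g. a constructed `0123abcd.0`), so a directory holding only `cacert.pem` yields "unable to get local issuer certificate" even though the right roots are in the bundle. The following script is an added example, not code from the thread or from the curl project: it reports whether a directory is a usable CApath, splits a bundle into per-certificate files, and, when the `openssl` tool is present, creates the hash-named links with `openssl rehash` (OpenSSL 1.1.0 and later). The file and function names are assumptions.

```shell
#!/bin/sh
# Added example: diagnose and repair a --with-ca-path directory that only holds a bundle.

# Count entries named the way OpenSSL's CApath lookup expects: <8 hex subject hash>.<n>
# for certificates or .r<n> for CRLs. A lone cacert.pem never matches, so nothing is found.
# (A matching name is necessary, not sufficient: the hash must also belong to the cert.)
capath_hashed_count() {
    ls "$1" 2>/dev/null | grep -Ec '^[0-9a-f]{8}\.r?[0-9]+$' || true
}

# Print "usable" if at least one hash-named entry exists, otherwise "unusable".
capath_status() {
    if [ "$(capath_hashed_count "$1")" -gt 0 ]; then echo usable; else echo unusable; fi
}

# Split a PEM bundle ($1) into one file per certificate (cert-0001.pem, cert-0002.pem, ...)
# inside directory $2. Text between certificates (bundle comments) is dropped.
# Prints the number of certificates written.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n); inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { close(out); inside = 0 }
        END                           { print n + 0 }
    ' "$1"
}

# Create the hash-named symlinks OpenSSL looks for. Requires the openssl tool.
rehash_capath() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rehash "$1"
    else
        echo "openssl not found; run 'openssl rehash $1' (or c_rehash) on the build host" >&2
        return 1
    fi
}

# Usage: sh capath_fix.sh /path/to/cacert.pem /path/to/capath-dir
if [ $# -eq 2 ]; then
    echo "before: $(capath_status "$2")"
    echo "split $(split_bundle "$1" "$2") certificates"
    rehash_capath "$2" && echo "after: $(capath_status "$2")"
fi
```

After rehashing, `curl -v --capath DIR https://...` should report the CApath and complete the handshake; pointing `--cacert` (or `--with-ca-bundle` at configure time) at the bundle file avoids the directory layout entirely.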
Received on 2021-04-08