Re: difficulties with SSL certs
From: Dennis Clarke via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 8 Apr 2021 03:31:27 -0400
On 4/8/21 2:53 AM, Ray Satiro via curl-library wrote:
> On 4/8/2021 12:21 AM, Dennis Clarke via curl-library wrote:
>> europa$
>> europa$ curl -4 -L --url 'https://gitlab.com/' -o /dev/null
>> % Total % Received % Xferd Average Speed Time Time Time
>> Current
>> Dload Upload Total Spent Left
>> Speed
>> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
>> 0
>> curl: (60) SSL certificate problem: unable to get local issuer
>> certificate
>> More details here:https://curl.se/docs/sslcerts.html
>>
>> curl failed to verify the legitimacy of the server and therefore could
>> not
>> establish a secure connection to it. To learn more about this
>> situation and
>> how to fix it, please visit the web page mentioned above.
>> europa$
>>
>> europa$ curl --version
>> curl 7.75.0 (x86_64-unknown-freebsd13.0) libcurl/7.75.0 OpenSSL/1.1.1k
>> zlib/1.2.11 libidn2/2.3.0 libssh2/1.9.0
>> Release-Date: 2021-02-03
>> Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt
>> pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
>> Features: alt-svc AsynchDNS HTTPS-proxy IDN Largefile libz NTLM NTLM_WB
>> SSL TLS-SRP UnixSockets
>> europa$
>>
>> So I looked into the location where the ssl certs "should" be given my
>> curl config :
>>
>> $ ./configure --prefix=/opt/bw --disable-dependency-tracking \
>> --disable-silent-rules --without-gnu-ld --enable-shared \
>> --enable-static \
>> --with-libidn=/usr/local --with-libidn2=/usr/local \
>> --with-ssl=/opt/bw --with-ca-path=/opt/bw/ssl/certs \
>> --enable-tls-srp --with-libssh2
>>
>> So I expect that the cacert.pem file at
>>
>> https://curl.se/docs/caextract.html
>>
>> would solve all my problems however :
>>
>> europa$ ls -lapb/opt/bw/ssl/certs/
>> total 350
>> drwxr-xr-x 2 root wheel 3 Apr 8 02:35 ./
>> drwxr-xr-x 5 root wheel 9 Apr 7 00:14 ../
>> -rw-r--r-- 1 root wheel 208075 Jan 19 04:12 cacert.pem
>> europa$
>>
>> This does not help at all and even OpenSSL seems confused.
>
>
> What is your curl -V version and the verbose output? Your CA path is
> supposed to contain the certificate files named by hash value [1], which
> it doesn't.
I just dropped the correct certs into that directory and they are still
not found :
europa$ grep '89:80:cc:26' /opt/bw/ssl/certs/*
/opt/bw/ssl/certs/USERTrust_ECC_Certification_Authority.pem:
5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
europa$ grep '0e:35:03:2d' /opt/bw/ssl/certs/*
/opt/bw/ssl/certs/USERTrust_RSA_Certification_Authority.pem:
01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
Those are exactly what is needed.
europa$ /opt/bw/bin/curl -V
curl 7.75.0 (x86_64-unknown-freebsd13.0) libcurl/7.75.0 OpenSSL/1.1.1k
zlib/1.2.11 libidn2/2.3.0 libssh2/1.9.0
Release-Date: 2021-02-03
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt
pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HTTPS-proxy IDN Largefile libz NTLM NTLM_WB
SSL TLS-SRP UnixSockets
europa$
So I should think that the certs are found in that directory now :
europa$ /opt/bw/bin/curl -vvvv -4 -L https://gitlab.com/ -o /dev/null
% Total % Received % Xferd Average Speed Time Time Time
Current
Dload Upload Total Spent Left
Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
0* Trying 172.65.251.78:443...
* Connected to gitlab.com (172.65.251.78) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
* CApath: /opt/bw/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4542 bytes data]
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
europa$
> Putting a single file with a bundle of certificates in the
> path won't help. You can use configure option --with-ca-bundle=FILE.
That is exactly what I am going to do. Once a week or so I can check if
the cacert bundle has been updated and then otherwise forget about it.
> Note your OS may have a packaged and maintained directory containing
> certificates or a bundle of certificates, I would use that if you can.
> Also see [2] for scanned paths
>
Yes, I was thinking of that also but felt it should not be black magic
to just point to a cacert bundle.
> [1]:
> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html
>
> [2]: https://github.com/curl/curl/blob/curl-7_76_0/acinclude.m4#L2182-L2192
Thank you and I will look over all of that.
--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional

Received on 2021-04-08