curl-users

certificate chains in curl

From: Roland Zimmermann <r.zimmermann_at_gmx.ch>
Date: 16 May 2002 18:36:23 +0200

Hi

I found in the mailing list archive the following post by Graeme Pyle
talking about the same problem I had with the command line interface of
curl: Curl is unable to handle chained certificates.

http://curl.haxx.se/mail/archive-2000-06/0044.html

The attached patch seems to solve the problem. It is replacing the calls
to SSL_CTX_use_certificate_file by SSL_CTX_use_certificate_chain_file
(only PEM-certificates).

Extract of the man-page of SSL_CTX_use_certificate:

... it is recommended to use the
SSL_CTX_use_certificate_chain_file() instead of the
SSL_CTX_use_certificate_file() function in order to allow
the use of complete certificate chains ...

Roland

-- 
Roland Zimmermann              Mail:  r.zimmermann_at_gmx.ch

--- lib/ssluse.origin 2002-05-16 16:00:41.000000000 +0200
+++ lib/ssluse.c 2002-05-16 16:00:49.000000000 +0200
@@ -224,9 +224,8 @@
     }
 
 #if 0
- if (SSL_CTX_use_certificate_file(conn->ssl.ctx,
- cert_file,
- SSL_FILETYPE_PEM) != 1) {
+ if (SSL_CTX_use_certificate_chain_file(conn->ssl.ctx,
+ cert_file) != 1) {
       failf(data, "unable to set certificate file (wrong password?)");
       return(0);
     }
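
Review bot: the call changed here sits directly under `#if 0`, so this hunk edits code that is never compiled and has no effect on how the certificate is loaded. Either drop the hunk so the patch contains only the functional change in the `switch(file_type)` block, or remove the disabled block in a separate cleanup.
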
@@ -246,6 +245,12 @@
 
     switch(file_type) {
     case SSL_FILETYPE_PEM:
+ if (SSL_CTX_use_certificate_chain_file(conn->ssl.ctx,
+ cert_file) != 1) {
+ failf(data, "unable to set certificate file (wrong password?)");
+ return 0;
+ }
+ break;
     case SSL_FILETYPE_ASN1:
       if (SSL_CTX_use_certificate_file(conn->ssl.ctx,
                                        cert_file,
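
Review bot: the new `case SSL_FILETYPE_PEM:` branch ends in `break;`, so PEM no longer falls through to the `SSL_CTX_use_certificate_file` call under `case SSL_FILETYPE_ASN1:`, and that deserves a one-line comment stating the split is deliberate and that PEM files may now carry a full chain. The copied `failf` text "unable to set certificate file (wrong password?)" is misleading for this call, where a failure can also come from a later entry in the chain file, so a message that names the certificate chain would be easier to diagnose. Also match the surrounding style: the added lines are not indented like the rest of the case body, and `return 0;` differs from the `return(0);` form visible in the first hunk.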

Received on 2002-05-16