curl-users

Re: problem with SSL connections

From: Cris Bailiff <c.bailiff+curl_at_awayweb.com>
Date: Fri, 23 Aug 2002 10:16:49 +1000

First, be sure that the site you are connecting to actually has a certificate
which is signed by one of the ca(s) you have in the ca.x509 file! Assuming
this is the case, read on...

1) You wouldn't normally need to use both '--cacert' and '--capath' - one or
the other is typical. I don't know the behaviour of openssl if both are
defined - check the openssl documentation.

2) '--capath' requires the ca directory to be set up in a specific way, with
links to individual ca certificates named using a hash of the cert details.
If you haven't set these links up, then (assuming openssl chooses to use
capath before cafile), there won't be any certificates found during
verification.

3) The 'c_rehash' utility supplied with openssl normally sets up the capath
files for you. This program requires perl and symbolic links, so is probably
not going to work on Windows, so you probably haven't managed to do 2).

4) I've been told there are 'problems with' openssl capath on Windows. AFAIK
this may come down to just the issue in 2) again. Maybe you can achieve 2 by
using copies of files, rather than links.

5) The issues 2-4 are documented in the curl manual page and inbuilt help (at
least, it says 'NOT WINDOWS' on --capath).

So, I'd start by just dropping the '--capath' part and see what happens...

Cris

On Fri, 23 Aug 2002 09:39, Nedelcho Stanev wrote:
> Hello all,
>
> When I compile curl with SSL support and try to get some docs via https
> I have this error:
>
> curl.exe -v --cert \usr\certs\decho.x509
> --key \usr\certs\decho.key
> --cacert \usr\certs\ca.x509
> --key-type PEM
> --cert-type PEM
> --capath \usr\certs https://192.168.2.1
>
> * About to connect() to 192.168.2.1:443
> * Connected to 192.168.2.1 (192.168.2.1) port 443
> randomness from PROV_RSA_FULL
> Exiting RAND_poll
> randomness from PROV_RSA_FULL
> Exiting RAND_poll
> * Closing connection #0
> curl: (35) SSL: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Any ideas how I can fix this problem?

Received on 2002-08-23
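
The hashed directory layout from points 2) to 4) of the reply, built with copies instead of symbolic links. This is an added example, not part of the original mail or of curl or openssl; the function name rehash_copy is hypothetical, and it assumes the openssl command-line tool is on PATH, a POSIX shell (for example MSYS or Cygwin on Windows), and a directory holding only PEM CA certificates named *.pem, *.crt or *.x509.

```shell
#!/bin/sh
# rehash_copy DIR  (hypothetical helper, added example)
# For every PEM CA certificate in DIR, place a COPY named <subject-hash>.<n>
# next to it. That is the layout OpenSSL searches when given a CA path;
# c_rehash creates the same names as symbolic links.
rehash_copy() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Drop hash-named copies left by an earlier run (8 hex digits, dot, number).
    for old in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        if [ -e "$old" ]; then rm -f "$old"; fi
    done

    count=0
    for cert in "$dir"/*.pem "$dir"/*.crt "$dir"/*.x509; do
        [ -f "$cert" ] || continue
        # Subject-name hash as the installed OpenSSL computes it.
        hash=$(openssl x509 -hash -noout -in "$cert" 2>/dev/null) || {
            echo "skipping, not a PEM certificate: $cert" >&2
            continue
        }
        fp=$(openssl x509 -fingerprint -sha256 -noout -in "$cert")

        # Two different certificates can share a subject hash; they get
        # suffixes .0, .1, ... The same certificate is never copied twice.
        n=0
        dup=0
        while [ -e "$dir/$hash.$n" ]; do
            other=$(openssl x509 -fingerprint -sha256 -noout -in "$dir/$hash.$n")
            if [ "$other" = "$fp" ]; then dup=1; break; fi
            n=$((n + 1))
        done
        if [ "$dup" -eq 1 ]; then continue; fi

        cp "$cert" "$dir/$hash.$n"
        count=$((count + 1))
    done
    echo "$count"   # number of hash-named copies created
}

# When run as a script: rehash the directory given as first argument.
if [ "$#" -gt 0 ]; then rehash_copy "$1"; fi
```

The hash algorithm depends on the OpenSSL version, so run this with the same OpenSSL that curl is linked against, and rerun it whenever a CA certificate in the directory changes.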