curl-users

Re: cURL and SSL for posting to Authorize.Net

From: Ralph Mitchell <rmitchell_at_eds.com>
Date: Tue, 03 Dec 2002 00:38:51 -0600

A change was made between 7.9.8 and 7.10 that affected the way certificates are
handled. Here's the note from the CHANGES file in the source:

    Daniel (27 Aug 2002)
    - After lots of talk with Tom Zerucha, Nick Gimbrone and Cris Bailiff I
      decided to talk the bold path and I now made libcurl do CA certificate
      verification by default. Thus library users need to explicitly turn this off
      if you want to connect to sites without proper checking. We also install a
      CA cert bundle on 'make install' now.

      The curl tool now requires the -k/--insecure option in order to allow
      connections and operations on SSL sites that aren't properly verified with
      -cafile or --capath.

      curl-config --ca displays the built-in path to the CA cert bundle.

That might make a difference. If your server admins are keen to help, maybe you
could get them to do what I do here, which is to install each version of curl in
its own directory instead of loading it into the general hierarchy:

    ./configure --prefix=/usr/local/curl-7.10.2

for example. I also have a symbolic link to the current version I'm using:

    ln -s /usr/local/curl-7.9.8 /usr/local/curl

so that I can put /usr/local/curl in my path and get whatever stable version I
have on hand. After testing some of my scripts against the new version, I move
the link and everybody gets it. Another added advantage is that I have several
prior releases 'on tap', so if a particular feature breaks, I can revert back to
an older version for any given script that seems to need it.

Ralph Mitchell

Paul Hoza wrote:

> Perhaps this is premature, but here's a follow up about my earlier
> post. My hosting company has reverted cURL to a previous version and I am
> now able to complete the transaction described below without the '-k'
> option. In essence, this problem is solved, but I don't like going back to
> older versions unless I understand why... please add insight to this issue
> if you would so I understand what's going on for the future. Please
> include advice about the versions I'm now using, as well as implications of
> staying/upgrading.
>
> Current version info:
> # /usr/bin/curl -V
> curl 7.9.8 (i386-redhat-linux-gnu) libcurl 7.9.8 (OpenSSL 0.9.6b)
>
> Here is the response from my hosting company about what they did. I don't
> like that there is still an error reported, even though my application
> works now:
>
> /* **********************
> I ended up completely removing curl from your server. Then, I installed a
> slightly older version of curl back onto the server that had worked on
> another server of ours.
>
> When I tested, I got a different error message than before. I was testing
> with this command:
> # curl https://localhost/
>
> And it went from giving me this:
> curl: (60) error setting cerficate verify locations
>
> To this:
> curl: (35) SSL: error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol
>
> This error message seems a little more hopeful. Can you go ahead and try
> your curl operations again? Let us know if you have any other ideas. Thanks.
> ******************** */
>
> Thanks for the help.
> Paul
>
> >I'm using an open source PHP commerce cart system called osCommerce
> >[www.oscommerce.com] and attempting to get a community-contributed module
> >working right that connects to Authorize.Net's ADC Direct Response credit
> >card system. The module uses cURL to post the AuthNet data and get a
> >response using SSL, but I've not been able to get the call to work unless
> >I use the '-k' option. Since this is transmitting credit card and
> >customer data, I want it to be as secure as possible, so I think -k is not
> >appropriate here, but I can't quite figure out what's happening... is it
> >still secure or do I need to "fix" something??
> >
> >Thanks for any help you can provide. Here are some details:
> >
> >RH Linux 7.1 installed on a Virtual Private Server system using
> >WEBppliance 3.1
> >OpenSSL 0.9.6b
> >cURL 7.10.2 (installed by the sysadmin from the server hosting company I use)
> > # /usr/bin/curl -V
> > curl 7.10.2 (i386-redhat-linux-gnu) libcurl/7.10.2 OpenSSL/0.9.6b
> > zlib/1.1.3
> >We have an SSL certificate on the site running properly
> >
> >Here's what the call made from the PHP shopping cart module is supposed to
> >be, but nothing happens that I can see:
> > exec("/usr/bin/curl -d \"$data\"
> > https://secure.authorize.net/gateway/transact.dll", $response);
> >
> >Here's what actually works (note the dropped \" around $data?.. someone
> >suggested that and it won't work otherwise. Would someone explain what
> >this should be if I've got it wrong?)
> > exec("/usr/bin/curl -k -d $data
> > https://secure.authorize.net/gateway/transact.dll", $response);
> >
> >So, basically, is it using SSL or not?? Is it secure like this, or should
> >I be doing something different?
> >
> >Any help GREATLY appreciated!! :-)
> >
> >Regards,
> >Paul Hoza
> >NearlyEverything.com

Received on 2002-12-03
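
An added example, not part of the original message or of the curl project: shell functions for the side-by-side install routine described in the reply, which repoint the `curl` symlink only when the new version's `curl-config --ca` names a readable PEM bundle, so that scripts are not pushed towards `-k`. The function names and the `curl-<version>` directory layout under a single root are assumptions.

```shell
#!/bin/sh
# Added example. Assumed layout: ROOT/curl-<version>/bin/{curl,curl-config}
# plus a symlink ROOT/curl that points at the version currently in use.

# ca_bundle_ok PREFIX
# Returns 0 when `curl-config --ca` names a readable, non-empty file that
# holds at least one PEM certificate; 1 when the bundle is unusable;
# 2 when curl-config itself is missing or fails.
ca_bundle_ok() {
    prefix=$1
    [ -x "$prefix/bin/curl-config" ] || { echo "no curl-config in $prefix" >&2; return 2; }
    bundle=$("$prefix/bin/curl-config" --ca) || return 2
    if [ -z "$bundle" ]; then
        echo "$prefix: no built-in CA bundle path" >&2
        return 1
    fi
    if [ ! -r "$bundle" ] || [ ! -s "$bundle" ]; then
        echo "$prefix: CA bundle $bundle is missing or empty" >&2
        return 1
    fi
    grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle" || {
        echo "$prefix: $bundle holds no PEM certificates" >&2
        return 1
    }
}

# promote_curl ROOT VERSION
# Repoints ROOT/curl at ROOT/curl-VERSION. The existing link is left alone
# if the candidate has no curl binary or no usable CA bundle.
promote_curl() {
    root=$1
    version=$2
    target="$root/curl-$version"
    [ -x "$target/bin/curl" ] || { echo "$target/bin/curl not found" >&2; return 2; }
    ca_bundle_ok "$target" || return 1
    # -n replaces the link itself instead of descending into the old target.
    ln -sfn "curl-$version" "$root/curl"
}

# active_curl ROOT: prints the version directory the symlink points at.
active_curl() {
    readlink "$1/curl"
}

# Usage (run as a user who may write to the root):
#   promote_curl /usr/local 7.10.2 && active_curl /usr/local
```

Moving back to an older release is the same call with the older version number, provided that release's bundle check also passes.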