curl-users
RE: SSL CA cert verbose error description coming up
Date: Mon, 14 Apr 2003 10:30:14 -0400
How about this for a possible rewording?
/---------------
$ ./src/curl https://www.openssl.org/
curl: (60) SSL certificate problem, verify that the CA cert is OK
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
If you'd like to add the CA cert into curl's ca-certs bundle, follow the
instructions here: http://curl.haxx.se/docs/?????.html
\---------------
More comments:
1. Would it be possible (when using --verbose) to display the
certificate info on stdout? This already happens in cases where
verification was successful, but is NOT shown in cases where it's
unsuccessful. If curl can extract the CA which signed the certificate,
as well as the expiration date and the common name, it would be nice
to display that information to the user; otherwise, they have to pull
up a regular browser to get that info (or use the -k option, which is
counter-intuitive).
2. Could we also tailor the message above based on the actual problem?
For example, if it's expired, can we indicate that (perhaps using
additional error numbers, or at least using different error TEXTS)?
3. The --help text for the --cacert option has a typo.
"certifciate" is spelled wrong.
- Kevin
Received on 2003-04-14