curl-users

RE: SSL CA cert verbose error description coming up

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 14 Apr 2003 23:49:00 +0200 (CEST)

On Mon, 14 Apr 2003, Roth, Kevin P. wrote:

[rewording cut out]

Many thanks. I'm using your wording now.

> If you'd like to add the CA cert into curl's ca-certs bundle, follow the
> instructions here: http://curl.haxx.se/docs/?????.html

Yes, well, we can add this paragraph once we have those ???? letters filled
in! ;-)

> 1. Would it be possible (when using --verbose) to display the
> certificate info on stdout? This already happens in cases where
> verification was successful, but is NOT shown in cases where it's
> unsuccessful. If curl can extract the CA which signed the certificate,
> as well as the expiration date and the common name, it would be nice to
> display that information to the user; otherwise, they have to pull up a
> regular browser to get that info (or use the -k option, which is
> counter-intuitive).

Very good idea. I'll try it out right now!

[testing]

Uh, nope. We need to connect with SSL first to be able to get the peer
certificate, and we set the CA cert as a property to OpenSSL to use when
connecting. If the CA verification fails, no connection is made and we can't
read out the remote certificate.

We would need to re-make the connection without the CA cert (a -k equivalent
basically) to read out the peer cert, and that is a trick curl doesn't do
automatically at this point.

> 2. Could we also tailor the message above based on the actual problem?
> For example, if it's expired, can we indicate that (perhaps using
> additional error numbers, or at least using different error TEXTS)?

This error is specifically returned for the OpenSSL error "certificate verify
failed". We don't know any further details on exactly why it failed.

> 3. The --help text for the --cacert option has a typo.
> "certifciate" is spelled wrong.

Corrected now!

-- 
 Daniel Stenberg -- curl, cURL, Curl, CURL. Groks URLs.
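Added example (a shell script written for this page, not curl's code or anything from the mail above): it shows how OpenSSL's own tooling gives both things asked for in points 1 and 2, the certificate's issuer, subject and expiry, and the numeric X509 verify error that names the real reason, without any -k style reconnect. It assumes the openssl command-line tool is installed and builds its own self-signed test certificate; the host name in peer_cert_summary is whatever the caller passes.

```shell
#!/bin/sh
# Read certificate details and the exact OpenSSL verification error
# without disabling verification. Requires the openssl CLI (assumption).

# Fields a user needs to diagnose a verify failure: who signed the cert,
# which name it carries and when it expires.
cert_summary() {
  openssl x509 -noout -subject -issuer -enddate -in "$1"
}

# Verify a certificate file against a CA bundle and print OpenSSL's numeric
# X509 verify error (e.g. 18 = self-signed, 10 = expired), or 0 on success.
verify_code() {
  cert="$1"; cafile="$2"
  out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1) && { echo 0; return 0; }
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Human-readable reason for the failure, taken from the verify output itself
# (the part curl's plain "certificate verify failed" message leaves out).
verify_reason() {
  openssl verify -CAfile "$2" "$1" 2>&1 \
    | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# Live server case: s_client completes the handshake even when its own
# verification fails, so the peer certificate can be captured and summarised
# without trusting it. Not exercised offline; $1 is a host name.
peer_cert_summary() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}

# Constructed test input: a self-signed certificate no CA bundle trusts.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -subj "/CN=test.example" -days 1 2>/dev/null
}
```

verify_code against an unrelated CA file yields 18 (self-signed certificate at depth 0), while verifying the certificate against a bundle that contains it yields 0.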
Received on 2003-04-14