curl-users

Re: (35) error setting certificate verify locations

From: Cris Bailiff <c.bailiff+curl_at_devsecure.com>
Date: Tue, 15 Jul 2003 22:05:52 +1000

If you've been given a pkcs12 file, you're probably expected to do 'ssl client
authentication'.

> Okay, I've converted the file. Now the server still says that I don't have
> permission.

You need to give curl the '--cert' (or -E) option to make it 'present' your
client certificate to the server, not the '--cacert' option.

(Yes, you will need the .pem version file, but you should also check it
contains both a 'PRIVATE KEY' section and a 'CERTIFICATE' section, or you
won't get very far).

> Curl does not give any bad message anymore. Does
> this necessarily mean that the SSL connection is working right?

Probably the .pem file contains the 'root' certificate of the Certificate
Authority (CA) which signed both your 'client' certificate and the server's
own certificate (assuming this is some private PKI system that is being
used). Curl (well, openssl) is using that part of the file to verify the
identity of the server, and so it stops complaining about the bad server
certificate.

> Without the --cacert file.pem the verbose output is the same, except that
> "Verify result: 0" is missing?!

This means that with the --cacert option, the *server* was verified. Using a
client certificate is a wholly separate operation, so you must give the
--cert parameter, even if you want to use the same file for --cacert (bad!).

Cris

Received on 2003-07-15
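
The check described in the message above (a 'PRIVATE KEY' and a 'CERTIFICATE' section for --cert, certificates only for --cacert), as an added example that is not part of the original post or of curl. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PEM file by the blocks it contains, to decide
# whether it belongs with curl --cert (-E) or with curl --cacert.

# Print the label of every "-----BEGIN <label>-----" line; other text
# (for example "Bag Attributes" lines left by a conversion) is ignored.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Echo one of: client (key + certificate, usable alone with --cert),
# ca (certificates only, suitable for --cacert), key-only, none.
pem_role() {
    labels=$(pem_labels "$1")
    has_key=no; has_cert=no
    # Matches PRIVATE KEY, RSA PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...
    if printf '%s\n' "$labels" | grep -q 'PRIVATE KEY$'; then has_key=yes; fi
    # Anchored so that CERTIFICATE REQUEST does not count as a certificate.
    if printf '%s\n' "$labels" | grep -q 'CERTIFICATE$'; then has_cert=yes; fi
    case "$has_key/$has_cert" in
        yes/yes) echo client ;;
        no/yes)  echo ca ;;
        yes/no)  echo key-only ;;
        *)       echo none ;;
    esac
}

# Write constructed sample files; the base64 bodies are placeholders, not keys.
make_samples() {
    printf '%s\n' 'Bag Attributes' '    friendlyName: constructed-sample' \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' \
        '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' \
        > "$1/client.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/ca.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE REQUEST-----' > "$1/csr.pem"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in client.pem ca.pem csr.pem; do
    echo "$f: $(pem_role "$demo_dir/$f")"
done
rm -rf "$demo_dir"
# With files classified like this, the invocation keeps the two roles apart:
#   curl --cert client.pem --cacert ca.pem <url>
```

A file reported as `client` contains a private key, which is why reusing it as the --cacert file is discouraged in the message above.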