curl-users

Re: (35) error setting cerficate verify locations

From: Torsten Foertsch <torsten.foertsch_at_gmx.net>
Date: Tue, 15 Jul 2003 14:15:36 +0200

Am I right to assume that file.p12 is your Browser certificate? If yes, then
try

  openssl pkcs12 -in file.p12 -out file.pem (note: without -nokeys option)

to convert your certificate and the key. Then

  curl -k -E file.pem https://xxx.yyy.zzz.xxx

If that works get the CA certificate
(Email=sth_at_sth.com/C=AT/ST=Berlin/L=Berlin/OU=sth Server CA/OU=sth
Certification Authority/O=sth.com/CN=sth Server CA - System M) in PEM
encoding and try

  curl --cacert ca.pem -E file.pem https://xxx.yyy.zzz.xxx

Since your server certificate has got xxx.yyy.zzz.xxx as common name (CN=...)
you must use https://xxx.yyy.zzz.xxx for that to succeed.

If the assumption above is false and file.p12 is really your CA certificate
then try "curl -k" and "curl --cacert file.pem https://xxx.yyy.zzz.xxx".

If it works with -k but doesn't with --cacert then your server is sending a
certificate that was not signed by file.pem or you are not using
xxx.yyy.zzz.xxx to access the server. -v should say what is going on.

Torsten

On Tuesday 15 July 2003 12:59, denis moeller wrote:
> Hi,
>
> At 11:30 AM 7/15/2003 +0200, you wrote:
> >convert your file.p12 to PEM encoding:
> >
> >openssl pkcs12 -in file.p12 -nokeys -out file.pem
> >
> >then --cacert file.pem.
>
> Okay, I've converted the file. Now the server still says that I don't have
> permission. Curl does not give any bad message anymore. Does
> this necessarily mean that the SSL connection is working right?
>
> The verbose output of curl with --cacert file.pem is:
> >* SSL connection using RC4-SHA
> >* Server certificate:
> >* subject: /C=AT/O=IBM/CN=xxx.yyy.zzz.xxx
> >* issuer: /Email=sth_at_sth.com/C=AT/ST=Berlin/L=Berlin/OU=sth Server
> >CA/OU=sth Certification Authority/O=sth.com/CN=sth Server CA - System M
> >* Verify result: 0
> >* Connected to xxx.yyy.zzz.xxx
>
> Without the --cacert file.pem the verbose output is the same, except that
> "Verify result: 0" is missing?!
>
> Thanks.

-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps1
Received on 2003-07-15
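
The distinction the reply above turns on (whether file.p12 holds a browser certificate with its key or a CA certificate, and whether a certificate was signed by the CA passed to --cacert) can be checked offline with openssl. This is an added example, not part of the original message: the function names, subjects, file names other than file.p12/file.pem, and the password "sample" are constructed, and pass-phrase options are added so it runs without prompts.

```shell
# Added example. Every file name, subject and password below is a constructed sample.

# classify_pem FILE: report what a converted PEM holds and which curl option it suits.
classify_pem() {
    key=no; cert=no; ca=no
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" && key=yes
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" && cert=yes
    # openssl x509 reads the first certificate and skips the "Bag Attributes" text
    [ $cert = yes ] && openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' && ca=yes
    case "$cert/$key/$ca" in
        yes/yes/no) echo "client-cert+key (use with -E)" ;;
        yes/*/yes)  echo "ca-cert (use with --cacert)" ;;
        yes/no/no)  echo "leaf-cert-only (no key for -E, not a CA for --cacert)" ;;
        *)          echo "no-certificate" ;;
    esac
}

# issued_by CA_PEM CERT_PEM: yes if CERT_PEM verifies against CA_PEM, else no.
issued_by() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# make_samples DIR: throwaway CA, an unrelated CA, and a browser-style file.p12.
make_samples() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
        '[ca_ext]' 'basicConstraints=critical,CA:TRUE' \
        '[leaf_ext]' 'basicConstraints=CA:FALSE' > "$d/cfg"
    for n in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/cfg" \
            -extensions ca_ext -subj "/CN=Sample $n CA" \
            -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$d/cfg" -subj "/CN=sample user" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/cfg" -extensions leaf_ext \
        -out "$d/user.crt" 2>/dev/null
    openssl pkcs12 -export -in "$d/user.crt" -inkey "$d/user.key" \
        -passout pass:sample -out "$d/file.p12"
    # The two conversions from the thread: with the key, and with -nokeys
    openssl pkcs12 -in "$d/file.p12" -passin pass:sample -passout pass:sample -out "$d/file.pem" 2>/dev/null
    openssl pkcs12 -in "$d/file.p12" -passin pass:sample -nokeys -out "$d/nokeys.pem" 2>/dev/null
}
```

After `make_samples "$(mktemp -d)"`, run `classify_pem` on file.pem, nokeys.pem and ca.pem to see which curl option each one fits, and `issued_by` to see why --cacert fails when the file is not the issuing CA.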