curl-users

SSL query

From: <rajagopal.varadharajan_at_bt.com>
Date: Mon, 29 Aug 2005 13:54:01 +0100

Hi,
I compiled curl --with-ssl, and when I try curl with the ssl option, I am
getting the following SSL error. My colleague in the US did the same
configuration on a Linux box, and he is able to connect to the ftp server
without importing any additional certificates to the curl crt bundle;
he tried the same in a Windows environment and it worked as well. Why is
my Solaris 8 box not behaving the same way?
 
Do I need to import the WS_FTP server certificate in my crt bundle?
 
or
 
Does the ftp server need to import a client certificate for my machine?
 
or
 
Do I need to download any intermediate chain file from verisign or
thawte to solve this problem?
 
If I download the intermediate chain file from verisign, I am getting
the following error:
 
SSLv3, TLS alert, Server hello (2):
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
* Closing connection #0

curl: (35) error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01

Without the intermediate chain, I get the following error. Can somebody
help?
 
< 220 EServe X2 WS_FTP Server 5.0.0 (803289611)
> AUTH SSL
< 234 SSL enabled and waiting for negotiation
* successfully set certificate verify locations:
* CAfile: /usr/local/share/curl/curl-ca-bundle.crt
  CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS alert, Server hello (2):
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
 
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
 
Cheers
Rajan

-----Original Message-----
From: curl-users-bounces_at_cool.haxx.se
[mailto:curl-users-bounces_at_cool.haxx.se] On Behalf Of Ralph Mitchell
Sent: 19 August 2005 18:32
To: curl tool talk
Subject: curl/gnutls & Gentoo

After reading Daniel's email concerning Debian maybe dropping OpenSSL in
favour of GNUtls, I thought I'd try compiling with gnutls on a Gentoo
system. It's easy enough, just set the use flag. What I got was a
little disturbing - the curl binary was unable to pull the Gmail home
page... Taking it from the top, this is how it looks:

The configure stage does this:

./configure --prefix=/usr --host=i686-pc-linux-gnu --mandir=/usr/share/man \
     --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc \
     --localstatedir=/var/lib --build=i686-pc-linux-gnu --enable-ldap --enable-http \
     --enable-ftp --enable-gopher --enable-file --enable-dict --enable-manual \
     --enable-telnet --enable-nonblocking --enable-largefile --enable-ipv6 \
     --disable-ares --without-ssl --with-gnutls=/usr

which results in this, just before the compiling starts:

    curl version: 7.14.0
    Host setup: i686-pc-linux-gnu
    Install prefix: /usr
    Compiler: i686-pc-linux-gnu-gcc
    SSL support: enabled (GnuTLS)
    zlib support: enabled
    krb4 support: no (--with-krb4*)
    GSSAPI support: no (--with-gssapi)
    SPNEGO support: no (--with-spnego)
    c-ares support: no (--enable-ares)
    ipv6 support: enabled
    IDN support: enabled
    Build libcurl: Shared=yes, Static=yes
    Built-in manual: enabled
    Verbose errors: enabled (--disable-verbose)
    SSPI support: no (--enable-sspi)
    ca cert path: ${prefix}/share/curl/curl-ca-bundle.crt

After installing the binary, "curl -V" gives this:

curl 7.14.0 (i686-pc-linux-gnu) libcurl/7.14.0 GnuTLS/1.2.3 zlib/1.2.3 libidn/0.5.15
Protocols: ftp gopher telnet dict ldap http file https ftps
Features: IDN IPv6 Largefile SSL libz

When I try this command line:

     curl -v https://gmail.google.com/mail

I get this:

     * About to connect() to gmail.google.com port 443
     * Trying 64.233.163.106... connected
     * Connected to gmail.google.com (64.233.163.106) port 443
     * server certificate verification failed. CAfile: /usr/share/curl/curl-ca-bundle.crt
     * Closing connection #0
     curl: (60) server certificate verification failed. CAfile: /usr/share/curl/curl-ca-bundle.crt
     [snip...]

so I added the -k switch and got this:

     * About to connect() to gmail.google.com port 443
     * Trying 64.233.163.107... connected
     * Connected to gmail.google.com (64.233.163.107) port 443
     * server certificate verification FAILED
     * common name: gmail.google.com (matched)
     * certificate public key: RSA
     * certificate version: #3
     * subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=gmail.google.com
     * start date: Tue, 07 Jun 2005 22:12:57 GMT
     * expire date: Wed, 07 Jun 2006 22:12:57 GMT
     * issuer: C=ZA,O=Thawte Consulting (Pty) Ltd.,CN=Thawte SGC CA
     * compression: NULL
     * cipher: AES 256 CBC
     * MAC: SHA
> GET /mail HTTP/1.1
     [snip...]

Repeating the exact same compilation with openssl instead of gnutls
gives me this:

     * About to connect() to gmail.google.com port 443
     * Trying 64.233.163.107... connected
     * Connected to gmail.google.com (64.233.163.107) port 443
     * successfully set certificate verify locations:
     * CAfile: /usr/share/curl/curl-ca-bundle.crt
       CApath: none
     * SSLv2, Client hello (1):
     SSLv3, TLS handshake, Server hello (2):
     SSLv3, TLS handshake, CERT (11):
     SSLv3, TLS handshake, Server finished (14):
     SSLv3, TLS handshake, Client key exchange (16):
     SSLv3, TLS change cipher, Client hello (1):
     SSLv3, TLS handshake, Finished (20):
     SSLv3, TLS change cipher, Client hello (1):
     SSLv3, TLS handshake, Finished (20):
     SSL connection using AES256-SHA
     * Server certificate:
     * subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=gmail.google.com
     * start date: 2005-06-07 22:12:57 GMT
     * expire date: 2006-06-07 22:12:57 GMT
     * common name: gmail.google.com (matched)
     * issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
     * SSL certificate verify ok.
> GET /mail HTTP/1.1
     [snip...]

The only difference between the configure runs is:

     --without-gnutls --with-ssl=/usr
and
     --without-ssl --with-gnutls=/usr

I'm happy to accept that there may be a problem with the curl ebuild,
but I thought I'd come to the fount of all curl wisdom and get the
official word before filing a Gentoo bug report... Is something missing
from the configure, or is this a known problem fixed in 7.14.1, or just
simply a problem with gnutls??

Ralph Mitchell
Received on 2005-08-29
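
An added example, not part of either message: a small triage helper for the two `curl -v` failures quoted in the first mail, which extracts the curl exit code, the CA bundle in use, the last handshake message logged before the alert, and the packed OpenSSL error code split into its fields. The function and constant names are hypothetical, and the 8/12/12-bit library/function/reason layout is the one used by OpenSSL releases before 3.0, which is assumed here.

```python
import re

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)")
EXIT_RE = re.compile(r"^curl: \((\d+)\)", re.M)
CAFILE_RE = re.compile(r"CAfile:\s*(\S+)")
MSG_RE = re.compile(r"TLS (handshake|alert), [^(]+\((\d+)\)")

# Meaning of the two curl exit codes that appear in the thread.
CURL_EXIT = {35: "SSL connect error",
             60: "peer certificate not verified against CA bundle"}

def decode_openssl_error(code_hex):
    """Split a packed pre-3.0 OpenSSL error code into (library, function, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(transcript):
    """Pull the fields that matter for a TLS failure out of `curl -v` output."""
    out = {"exit": None, "meaning": None, "cafile": None,
           "error": None, "last_handshake_msg": None}
    m = EXIT_RE.search(transcript)
    if m:
        out["exit"] = int(m.group(1))
        out["meaning"] = CURL_EXIT.get(out["exit"], "unclassified")
    m = CAFILE_RE.search(transcript)
    if m:
        out["cafile"] = m.group(1)
    m = ERR_RE.search(transcript)
    if m:
        lib, func, reason = decode_openssl_error(m.group(1))
        out["error"] = {"lib": lib, "func": func, "reason": reason,
                        "routine": m.group(3), "text": m.group(4).strip()}
    # Handshake message type number logged just before the first alert.
    for kind, num in MSG_RE.findall(transcript):
        if kind == "alert":
            break
        out["last_handshake_msg"] = int(num)
    return out

# Log lines from the first message, with the e-mail line wrapping undone.
VERIFY_FAIL = """* CAfile: /usr/local/share/curl/curl-ca-bundle.crt
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS alert, Server hello (2):
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""
CHAIN_FILE_FAIL = """SSLv3, TLS alert, Server hello (2):
curl: (35) error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
"""
```

Library 20 is the SSL library and library 4 is RSA, so the first failure is raised while processing the server's certificate message and the second inside an RSA padding check.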