curl-users
Re: curl https hang problem
Date: Thu, 05 Oct 2006 19:54:08 -0400
>> But, when I tested curl with https, it simply hangs, while http works fine.
>> What may have gone wrong here?
>
>Hard to tell, you need to do some debugging around curl's use of the OpenSSL
>functions. Could it be a bad random device configured?
Dan, Good hunch. I picked the wrong random device - random instead of urandom.
Now I'm getting "error:14090086...". Could you translate that into
simpler terms?
Btw, the https test server (see clip below) has a valid and current Thawte
SSL cert.
----------------------------------------------------------------------------------------------------------------
# cd /mnt/curl/bin
# ./curl -v 'https://b2b.adth.com'
* About to connect() to b2b.adth.com port 443
* Trying 67.90.130.174... connected
* Connected to b2b.adth.com (67.90.130.174) port 443
* successfully set certificate verify locations:
* CAfile: /mnt/curl/share/curl/curl-ca-bundle.crt
CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS alert, Server hello (2):
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
faild* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
faildMore details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Sid
Received on 2006-10-06
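
Added example, not part of the original message or of curl/OpenSSL: a small decoder that splits the packed OpenSSL error number from the transcript above into its library, function and reason fields. It assumes the 8/12/12-bit layout used by OpenSSL releases before 3.0; the name tables hold only the values that occur in this thread, and the sample input is copied from the transcript.

```python
import re

# OpenSSL releases before 3.0 pack an error into 32 bits as 0xLLFFFRRR:
# 8-bit library, 12-bit function, 12-bit reason (the ERR_PACK layout).
# Name tables cover only the values that occur in this thread.
LIB_NAMES = {20: "ERR_LIB_SSL"}
FUNC_NAMES = {(20, 144): "SSL_F_SSL3_GET_SERVER_CERTIFICATE"}
REASON_NAMES = {(20, 134): "SSL_R_CERTIFICATE_VERIFY_FAILED"}

# Matches "error:<8 hex digits>:<library text>:<function text>:"; the reason
# text is not captured because it is wrapped and truncated in the transcript.
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:\n]+):([^:\n]+):")

# Lines copied from the verbose curl output in the message above.
SAMPLE = """\
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
faild* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
faildMore details here: http://curl.haxx.se/docs/sslcerts.html
"""

def unpack(code):
    """Split a packed pre-3.0 OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def decode_log(text):
    """Return one decoded record per distinct error code found in text."""
    records, seen = [], set()
    for m in ERR_RE.finditer(text):
        code = int(m.group(1), 16)
        if code in seen:          # curl prints the same error twice
            continue
        seen.add(code)
        lib, func, reason = unpack(code)
        records.append({
            "code": f"{code:08X}",
            "lib": (lib, LIB_NAMES.get(lib, "unknown"), m.group(2)),
            "func": (func, FUNC_NAMES.get((lib, func), "unknown"), m.group(3)),
            "reason": (reason, REASON_NAMES.get((lib, reason), "unknown")),
        })
    return records

if __name__ == "__main__":
    for rec in decode_log(SAMPLE):
        print(rec)
```

Reason 134 in the SSL library is the generic "certificate verify failed" result, so the number alone does not say whether the chain, the expiry date or the host name was the cause.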