curl-users

Re: CURLOPT_SSL_VERIFYPEER issue

From: Ryan Graciano <rmgraci_at_gmail.com>
Date: Mon, 15 Sep 2008 16:25:25 -0500

I installed the curl binaries (7.19.0) and recent OpenSSL (0.9.8h) so
I could cut the PHP binding out of the equation and find the root of
this problem. Here's what I did -

curl -E <my_pem_file> -k -v --url <my_url>

...and here's what curl output:

* About to connect() to <host>
* Trying <ip>... connected
* Connected to <host> (<ip>) port <port> (#0)
* SSL: couldn't set callback!
Enter PEM pass phrase:
* error setting certificate verify locations, continuing anyway:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
* Closing connection #0
curl: (35) error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

It seems like I'm getting this issue from cURL, rather than from the
PHP binding. Isn't -k basically equivalent to VERIFYPEER false? If
so, I'd expect cURL not to care whether or not the CA is known. Is
something else going on here that I'm missing?

Thanks!
-Ryan

On Fri, Sep 12, 2008 at 1:17 AM, Dan Fandrich <dan_at_coneharvesters.com> wrote:
> On Thu, Sep 11, 2008 at 02:11:28PM -0500, Ryan Graciano wrote:
>> I'm using cURL with PHP, and I'm trying to connect to a remote server
>> via HTTPS with a certificate that was provided to me. This has worked
>> in the past, but recently it stopped working and I'm seeing this error
>> from curl_error 0
>>
>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>
>> I'm actually connecting to a test server, so it's expected that the CA
>> will be unknown, as it's essentially made up. I would like cURL to
>> stop caring about the unknown CA altogether, so I'm setting
>> CURLOPT_SSL_VERIFYPEER to 0. That doesn't seem to be doing anything,
>> though. Shouldn't setting that to 0 solve my problem? Maybe I'm
>> missing something really obvious here. Here's the code that I'm using
>> to debug the issue -
>
> Those options are all you should need with libcurl, but it sounds like
> you're actually using the PHP/CURL binding. This isn't the right forum for
> PHP questions.
>
> >>> Dan
> --
> http://www.MoveAnnouncer.com The web change of address service
> Let webmasters know that your web site has moved
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
> FAQ: http://curl.haxx.se/docs/faq.html
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>
Received on 2008-09-15
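
Added example (not part of the original thread, and not curl or OpenSSL code): a Python helper that decodes the packed error code in the curl output above and reports whether the error was raised locally or is a TLS alert received from the remote end. It assumes the legacy 8-hex-digit OpenSSL error format shown in that output; the function names and the second sample line are constructed for illustration.

```python
import re

# Field layout and constants as in the OpenSSL 0.9.8 / 1.0.x headers
# (assumption: the 8-hex-digit "error:XXXXXXXX:" format, as in the thread).
ERR_LIB_SSL = 20              # library number for "SSL routines"
SSL_AD_REASON_OFFSET = 1000   # reason >= 1000 encodes a received alert
# TLS alert descriptions for certificate problems (RFC 5246, section 7.2).
CERT_ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode(code_hex):
    """Split a packed code into (library, function, reason) numbers."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def classify(line):
    """Return who raised the error on a log line, or None if no code is found."""
    match = ERR_RE.search(line)
    if match is None:
        return None
    lib, func, reason = decode(match.group(1))
    result = {"lib": lib, "func": func, "reason": reason,
              "origin": "local", "alert": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        # The remote end sent a TLS alert; this side only reports it.
        number = reason - SSL_AD_REASON_OFFSET
        result["origin"] = "peer"
        result["alert"] = CERT_ALERTS.get(number, "alert %d" % number)
    return result


# First line is the error from the thread; the second is a constructed sample
# of a locally generated "certificate verify failed" error, for contrast.
SAMPLES = [
    "curl: (35) error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

A result with origin "peer" means the remote end sent the alert. -k and CURLOPT_SSL_VERIFYPEER only control whether curl verifies the server's certificate, so they do not affect whether the server accepts the certificate passed with -E.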