certificate verify failed

From: Josse van Dobben de Bruyn <jossedobben_at_hotmail.com>
Date: Wed, 8 Jul 2009 01:36:20 +0000

Hi there,

As I'm new to cURL, I've been trying to use cURL to upload a file to my webserver using FTP over SSL/TLS for quite a while, but I still can't get it to work. Perhaps you can help me out. I'm using a binary version of cURL 7.19.5 with SSL on Windows XP, which I installed in C:\Program Files\cURL\.

The problem seems to be that the server certificate cannot be verified. I know this means I have to check http://curl.haxx.se/docs/sslcerts.html, but that didn't help either (well, using --insecure helps, but that's not a good solution since it is insecure - it did however make all problems go away). I downloaded the server certificate and verified it with OpenSSL using the same CA bundle as used by cURL (that is, C:\Program Files\cURL\curl-ca-bundle.crt, which I extracted from Firefox as suggested). The result was that the certificate was OK (Firefox and IE8 also accept the certificate). However, when I try to use cURL to upload a file to the server, I get the famous error: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

Trying to figure out what the problem is, I also tried to use the s_client of OpenSSL. However, this program crashed over and over again, making me send the usual error report to Microsoft but not giving me any useful information at all. I even tried building OpenSSL myself (while the first time I just used a binary), but even now I had the same problem, so I suppose I cannot use s_client to assist me in solving this problem.

However, let's stay on topic, shall we? You're probably wondering what my input and output is. Well, here it is:

"C:\Program Files\cURL\curl.exe" -T "test.htm" -u "user:pass" --ftp-ssl-control -v --tlsv1 -Q "-SITE CHMOD 755 test.htm" *host*

* About to connect() to *host* port 21 (#0)
* Trying *IP*... connected
* Connected to *host* (*IP*) port 21 (#0)
< 220---------- Welcome to Pure-FTPd [TLS] ----------
< 220-You are user number 1 of 50 allowed.
< 220-Local time is now 03:14. Server port: 21.
< 220-This is a private system - No anonymous login
< 220-IPv6 connections are also welcome on this server.
< 220 You will be disconnected after 15 minutes of inactivity.
> AUTH SSL
< 500 This security scheme is not implemented
> AUTH TLS
< 234 AUTH TLS OK.
* successfully set certificate verify locations:
* CAfile: C:\Program Files\cURL\curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS alert, Server hello (2):
} [data not shown]
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

That's all folks. It's quite a story, isn't it? Anyway, I also tried some other options like --sslv2 and --sslv3 and leaving out a specific SSL/TLS version, but they all had the same output, except for --sslv3, which told me (right after the first Server hello(2) handshake):

curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

After two days of misery (and a lot of coffee), I'm getting really desperate right now. Does anyone know what's going wrong and what might be the solution? I would really appreciate any help.

Regards,

Josse van Dobben de Bruyn

Received on 2009-07-08