curl-users

Re: curl: (35) error:14094412:SSL routines:SSL3_READ_BYTES:sslv3

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 9 Mar 2011 10:35:37 +0100 (CET)

On Tue, 8 Mar 2011, Don Cohen wrote:

> > libcurl only provides a single error string so there's no distinction, and
> > also that error is not coming from the server. It is an error that OpenSSL
> > reports when communicating with the server, and libcurl reports that as it
> > might help.
>
> "an error that OpenSSL reports when communicating with the server" is
> ambiguous here. Can you please explain?

The communication "chain" goes like this: curl => libcurl => OpenSSL. In this
case, OpenSSL returns an error and libcurl stores that error in the error
buffer and curl gets to see it and show it to the user.

> What exactly is this error? What is the bad certificate? Is the error in
> trying to READ the certificate, as the message suggests?

I don't think it suggests that but I think it rejects the certificate for some
reason.

> I believe the problem is really that the server is complaining about the
> certificate. I suspect that's what the "alert" is all about -

I agree.

> In any case I wish the error message could tell me enough about the
> problem so I don't end up with all these questions.

I would too. You're very welcome to help us improve this!

> A url that explains the errors in detail would be particularly useful.

I agree, but I don't know who would write that page and I'm not even sure the
error messages are stable enough to even remain the same over different
versions etc before we have improved them to not "pass through" the cryptic
OpenSSL messages.

> > It does: "See --cert and --key to specify them independently."
> I don't see this in my man page.

Then your man page is >4 years old!

> I think it should say something like
> -E/--cert <certificate[:password]>
> (HTTPS) Tells curl to use the specified certificate file when
> getting a file with HTTPS. In this case you also have to
> supply your private key. Normally this is done with --key, but
> for backward compatibility, it is also possible to concatenate
> the private key and the certificate

Ah yes, thanks for this suggestion. I'll use something like that...

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2011-03-09
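
An added example, not part of the original mail and not curl or OpenSSL code: it decodes the hex code in the error line from the subject, showing how the "alert" discussed above is encoded in it. It assumes the error-code layout used by OpenSSL releases before 3.0 (8-bit library, 12-bit function, 12-bit reason, with SSL reasons of 1000 and above meaning 1000 plus the TLS alert number received from the peer); the function name `decode_openssl_error` is hypothetical.

```python
import re

# Assumption: pre-3.0 OpenSSL packing, lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20             # "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # reason = offset + alert description sent by the peer

# TLS alert descriptions from RFC 5246, section 7.2 (certificate-related subset).
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(line):
    """Split the packed code in an 'error:XXXXXXXX:...' line into its fields.

    Returns None when the line carries no such code. 'peer_alert' is set only
    when the reason is in the range OpenSSL uses for alerts received from the
    other end of the connection.
    """
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason,
            "peer_alert": alert, "alert_name": TLS_ALERTS.get(alert)}


if __name__ == "__main__":
    # The error line exactly as it appears (truncated) in the subject of this mail.
    subject = "curl: (35) error:14094412:SSL routines:SSL3_READ_BYTES:sslv3"
    print(decode_openssl_error(subject))
```

For the line in the subject this yields reason 1042, that is TLS alert 42 (bad_certificate) as received from the peer.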