curl-users

Reg:curl NSS -12886 Error in TLS handshake

From: praveen <praveen.trams_at_gmail.com>
Date: Wed, 22 May 2013 10:47:09 +0530

Hi,

I am getting NSS -12286 error while trying to load the https page using
the CA certificate using the cacertinpem.c curl C code.
I am using the cacert.pem file in the code along with the path, but the same thing is
working when I try using curl -v "https://sampleserve.com:443"; in this
case SSL is taking the default CA path as "/etc/tls/certs/ca.budle.crt".

But this C code is not working for both the default CA location and external
path selection of the CA as well.

What is the reason for this error (NSS -12286)?

Error:
* About to connect() to fiservices.sterlingbankng.com port 443 (#0)
* Trying 1.1.1.1... * Connection timed out
* Trying 1.1.1.2... * connected
* Connected to fiservices.sterlingbankng.com (1.1.1.2) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* CAfile: ./cacert.pem
   CApath: ./cacert.pem
* NSS error -12286
* Error in TLS handshake, trying SSLv3...
> GET /CanFI/ HTTP/1.1
Host: sampleserver.com
Accept: */*

* Connection died, retrying a fresh connect
* Closing connection #0
* Issue another request to this URL: 'https://sampleserver.com'
* About to connect() to sampleserver.com port 443 (#0)
* Trying 1.1.1.1... * Connection timed out
* Trying 1.1.1.2... * connected
* Connected to sampleserver.com (1.1.1.2) port 443 (#0)
* TLS disabled due to previous handshake failure
* CAfile: ./cacert.pem
   CApath: ./cacert.pem
* NSS error -12286
* Closing connection #0
* SSL connect error

Sample code:

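#include <openssl/ssl.h>
#include <curl/curl.h>
#include <stdio.h>

/* Write received body/header data to the FILE* given as user data. */
size_t writefunction(void *ptr, size_t size, size_t nmemb, void *stream)
{
   fwrite(ptr, size, nmemb, (FILE *)stream);
   return (nmemb * size);
}

/* SSL context callback taken from cacertinpem.c. It is written against the
   OpenSSL API and is not supported by NSS builds of libcurl such as the one
   in the trace above. */
static CURLcode sslctx_function(CURL *curl, void *sslctx, void *parm)
{
   X509_STORE *store;
   X509 *cert = NULL;
   BIO *bio;

   const char *mypem = /* public certificate */
      "-----BEGIN CERTIFICATE-----\n"
      /* certificate body not included in the post */
      "-----END CERTIFICATE-----\n";

   /* The post omits the rest of the callback body; the variables are only
      referenced so the function compiles without warnings. */
   (void)curl; (void)sslctx; (void)parm;
   (void)store; (void)cert; (void)bio; (void)mypem;

   return CURLE_OK;
}

int main(void)
{
   CURL *ch;
   CURLcode rv;

   rv = curl_global_init(CURL_GLOBAL_ALL);
   ch = curl_easy_init();
   rv = curl_easy_setopt(ch, CURLOPT_VERBOSE, 1L);
   rv = curl_easy_setopt(ch, CURLOPT_HEADER, 0L);
   rv = curl_easy_setopt(ch, CURLOPT_NOPROGRESS, 1L);
   rv = curl_easy_setopt(ch, CURLOPT_NOSIGNAL, 1L);
   rv = curl_easy_setopt(ch, CURLOPT_WRITEFUNCTION, writefunction);
   rv = curl_easy_setopt(ch, CURLOPT_WRITEDATA, stdout);
   rv = curl_easy_setopt(ch, CURLOPT_HEADERFUNCTION, writefunction);
   rv = curl_easy_setopt(ch, CURLOPT_WRITEHEADER, stderr);
   rv = curl_easy_setopt(ch, CURLOPT_SSLCERTTYPE, "PEM");
   /* CURLOPT_CAPATH expects a directory of CA certificates; the post passes
      the PEM file here as well, which is what the trace shows. */
   rv = curl_easy_setopt(ch, CURLOPT_CAPATH, "./cacert.pem");
   rv = curl_easy_setopt(ch, CURLOPT_CAINFO, "./cacert.pem");
   rv = curl_easy_setopt(ch, CURLOPT_SSL_VERIFYPEER, 1L);
   rv = curl_easy_setopt(ch, CURLOPT_URL, "https://1.1.1.1:443");

   /* First attempt: CA file only, no SSL context callback. */
   rv = curl_easy_perform(ch);
   if (rv == CURLE_OK)
      printf("*** transfer succeeded ***\n");
   else
      printf("*** transfer failed ***\n");

   /* Second attempt: same handle, with the SSL context callback installed. */
   rv = curl_easy_setopt(ch, CURLOPT_SSL_CTX_FUNCTION, sslctx_function);
   rv = curl_easy_perform(ch);
   if (rv == CURLE_OK)
      printf("*** transfer succeeded ***\n");
   else
      printf("*** transfer failed ***\n");

   curl_easy_cleanup(ch);
   curl_global_cleanup();
   return rv;
}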

Thanks

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-05-22
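
Added example, not part of the original post or of the curl project's code: a small C triage of a verbose trace like the one above. It places the NSS error code in its range (SSL_ERROR_BASE and SEC_ERROR_BASE are the range bases from the NSS headers), and flags the SSLv3 retry and a CApath identical to CAfile; the struct, field and function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SSL_ERROR_BASE (-0x3000) /* -12288, NSS sslerr.h: handshake/protocol errors */
#define SEC_ERROR_BASE (-0x2000) /* -8192, NSS secerr.h: certificate/crypto errors */

struct triage {
    int code;                 /* last "NSS error" value, 0 if none seen   */
    const char *layer;        /* "ssl", "sec" or "none"                   */
    int offset;               /* code minus the base of its range         */
    int sslv3_fallback;       /* curl retried the handshake with SSLv3    */
    int capath_equals_cafile; /* CApath names the same path as CAfile     */
};

static const char SAMPLE[] = /* excerpt of the verbose trace in the post */
    "* CAfile: ./cacert.pem\n"
    "   CApath: ./cacert.pem\n"
    "* NSS error -12286\n"
    "* Error in TLS handshake, trying SSLv3...\n";

static struct triage triage_trace(const char *p)
{
    struct triage t = {0, "none", 0, 0, 0};
    char line[256], cafile[256] = "", capath[256] = "";
    const char *s;
    while (*p) {
        size_t len = strcspn(p, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, p); /* copy one line */
        if ((s = strstr(line, "NSS error ")) != NULL) t.code = atoi(s + 10);
        if (strstr(line, "trying SSLv3")) t.sslv3_fallback = 1;
        if ((s = strstr(line, "CAfile: ")) != NULL) strcpy(cafile, s + 8);
        if ((s = strstr(line, "CApath: ")) != NULL) strcpy(capath, s + 8);
        p += len + (p[len] == '\n');
    }
    /* Each NSS range spans 1000 codes upward from its base. */
    int base = t.code < SEC_ERROR_BASE ? SSL_ERROR_BASE : SEC_ERROR_BASE;
    if (t.code >= base && t.code < base + 1000) {
        t.layer = base == SSL_ERROR_BASE ? "ssl" : "sec";
        t.offset = t.code - base;
    }
    t.capath_equals_cafile = cafile[0] != '\0' && strcmp(cafile, capath) == 0;
    return t;
}

int main(void)
{
    struct triage t = triage_trace(SAMPLE);
    printf("NSS error %d: layer=%s offset=%d sslv3_fallback=%d capath_equals_cafile=%d\n",
           t.code, t.layer, t.offset, t.sslv3_fallback, t.capath_equals_cafile);
    return 0;
}
```

For the trace in the post the code falls in the SSL range at offset 2, which sslerr.h names SSL_ERROR_NO_CYPHER_OVERLAP; CA trust failures are reported from the SEC range instead.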