cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: ssl/certificate issue for website

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Fri, 1 Nov 2013 18:03:05 -0500

On Nov 1, 2013, at 10:01 AM, bruce <badouglas_at_gmail.com> wrote:

> trying to do a simple curl for the college site
> curl -A "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11)
> Gecko/2009061118 Fedora/3.0.11-1.fc9 Firefox/3.0.11" -L
> https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791 -vvv
>
> * About to connect() to isiscc.smc.edu port 443 (#0)
> * Trying 207.151.69.31... connected
> * Connected to isiscc.smc.edu (207.151.69.31) port 443 (#0)
> * Initializing NSS with certpath: /etc/pki/nssdb
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: none
> * Peer's certificate issuer is not recognized: 'CN=VeriSign Class 3
> International Server CA - G3,OU=Terms of use at
> https://www.verisign.com/rpa (c)10,OU=VeriSign Trust
> Network,O="VeriSign, Inc.",C=US'
> * NSS error -8179
> * Closing connection #0
> * Peer certificate cannot be authenticated with known CA certificates
> curl: (60) Peer certificate cannot be authenticated with known CA certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> I've gotten this on a number of different os/systems.
>
>
> any thoughts??

It works for me using Apple’s curl under Mavericks (7.30.0 w/Secure Transport engine):

> % curl -v "https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791"
> * Adding handle: conn: 0x7fcfab004000
> * Adding handle: send: 0
> * Adding handle: recv: 0
> * Curl_addHandleToPipeline: length: 1
> * - Conn 0 (0x7fcfab004000) send_pipe: 1, recv_pipe: 0
> * About to connect() to isiscc.smc.edu port 443 (#0)
> * Trying 207.151.69.31...
> * Connected to isiscc.smc.edu (207.151.69.31) port 443 (#0)
> * TLS 1.2 connection using TLS_RSA_WITH_RC4_128_MD5
> * Server certificate: WWW.SMC.EDU
> * Server certificate: VeriSign Class 3 International Server CA - G3
> * Server certificate: VeriSign Class 3 Public Primary Certification Authority - G5

[snipped HTTP GET and response]

It looks to me like the certificate validation is getting hung up on that certificate in the middle, the “international server CA.” Can you try it with a newer version of the tool? I seem to recall that in the past there were some NSS bugs that were fixed in recent releases.

Nick Zitzmann
<http://www.chronosnet.com/>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-11-02