cURL / Mailing Lists / curl-users / Single Mail

curl-users

how to make sure that a site's certificate hasn't been revoked?

From: Claudiu <claudiu_sz_at_yahoo.com>
Date: Wed, 16 Apr 2014 06:28:37 -0700 (PDT)

Let's say I want to download the google page with curl, but want to make sure that the certificate for google.com hasn't been revoked. So I tried the following command: $ curl https://www.google.com --cacert GeoTrust_Global_CA.pem --crlfile gtglobal.pem -v , where GeoTrust_Global_CA.pem is the root certificate of Google's CA (GeoTrust) and gtglobal.pem is the CRL (certificate revocation list) associated with the certificate. The problem is I get the following error: * About to connect() to www.google.com port 443 (#0) *   Trying 81.24.29.91... connected * successfully set certificate verify locations: *   CAfile: GeoTrust_Global_CA.pem   CApath: /etc/ssl/certs * successfully load CRL file: *   CRLfile: gtglobal.pem * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS alert, Server hello (2): * SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed * Closing connection #0 curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html I didn't expect an error, since Google should have a valid certificate. Do you know how I could issue a curl command that does this correctly? P.S.: If you're wondering how I got those specific files (GeoTrust_Global_CA.pem and gtglobal.pem) from the curl command, this is how I proceeded: - I first looked at what CA issued the certificate for https://www.google.com. Turns out it is GeoTrust Global CA - I downloaded the GeoTrust Global CA root certificate from their website: https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem - I downloaded the corresponding CRL (certificate revocation list) from here: http://crl.geotrust.com/crls/gtglobal.crl Thanks

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-04-16