[re-post] how to make sure that a site's certificate hasn't been revoked?

From: Claudiu <claudiu_sz_at_yahoo.com>
Date: Wed, 16 Apr 2014 07:12:39 -0700 (PDT)

[Sorry for the formatting in the earlier mail, I forgot to turn on "plain text" in my e-mail client. Hope it works better this time...]

Let's say I want to download the Google page with curl, but want to make sure that the certificate for google.com hasn't been revoked.
So I tried the following command:

$ curl https://www.google.com --cacert GeoTrust_Global_CA.pem --crlfile gtglobal.pem -v

where GeoTrust_Global_CA.pem is the root certificate of Google's CA (GeoTrust) and gtglobal.pem is the CRL (certificate revocation list) associated with the certificate.

The problem is I get the following error:

* About to connect() to www.google.com port 443 (#0)
*   Trying 81.24.29.106... connected
* successfully set certificate verify locations:
*   CAfile: GeoTrust_Global_CA.pem
  CApath: /etc/ssl/certs
* successfully load CRL file:
*   CRLfile: gtglobal.pem
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

I didn't expect an error, since Google should have a valid certificate.

Do you know how I could issue a curl command that does this correctly?

P.S.: If you're wondering how I got those specific files (GeoTrust_Global_CA.pem and gtglobal.pem) from the curl command, this is how I proceeded:
- I first looked at what CA issued the certificate for https://www.google.com. Turns out it is GeoTrust Global CA.
- I downloaded the GeoTrust Global CA root certificate from their website: https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem
- I downloaded the corresponding CRL (certificate revocation list) from here: http://crl.geotrust.com/crls/gtglobal.crl

Thanks

Received on 2014-04-16
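
The CRL-based revocation check asked about in the mail above, reproduced offline as an added example that is not part of the original post or of curl: a constructed root CA issues two certificates, revokes one, publishes its CRL in DER, and the CRL is converted to PEM before `openssl verify -crl_check` is run. The names `demo.cnf`, `good.example`, `revoked.example`, `build_demo_pki` and `check_revocation` are hypothetical, and an installed `openssl` command-line tool is assumed.

```shell
# Constructed demo: CA, certificates and CRL are generated locally, nothing is downloaded.
set -eu

build_demo_pki() {   # $1 = empty working directory (the function changes into it)
  cd "$1"
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = demo
[demo]
database = index.txt
serial = serial
new_certs_dir = .
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
EOF
  : > index.txt; echo 01 > serial
  openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Root CA" -keyout ca.key -out ca.pem 2>/dev/null
  for n in good revoked; do
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=$n.example" -keyout $n.key -out $n.csr 2>/dev/null
    openssl ca -batch -config demo.cnf -cert ca.pem -keyfile ca.key \
      -notext -in $n.csr -out $n.pem 2>/dev/null
  done
  openssl ca -config demo.cnf -cert ca.pem -keyfile ca.key -revoke revoked.pem 2>/dev/null
  # CRLs are commonly published as DER (.crl); curl's --crlfile expects PEM, so convert.
  openssl ca -config demo.cnf -cert ca.pem -keyfile ca.key -gencrl 2>/dev/null |
    openssl crl -outform DER -out demo.crl
  openssl crl -inform DER -in demo.crl -out demo_crl.pem
}

check_revocation() {   # $1 = certificate file; prints "ok" or "rejected"
  # ca.pem and demo_crl.pem play the roles of --cacert and --crlfile in the mail's command.
  if openssl verify -CAfile ca.pem -CRLfile demo_crl.pem -crl_check "$1" >/dev/null 2>&1
  then echo ok; else echo rejected; fi
}

work=$(mktemp -d); build_demo_pki "$work"
for c in good.pem revoked.pem; do echo "$c: $(check_revocation "$c")"; done
```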