curl-users
curl --cacert doesn't work...
Date: Wed, 13 Aug 2014 21:12:14 +0200
Hi,
curl 7.21.7 for OpenWrt has a bug.
I saved the server certificate from dtdns.com.
openssl s_client -connect dtdns.com:443
Then I tried this on Ubuntu:
Ubuntu:
user@PC:~$ curl --version
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
user@PC:~$
user@PC:~$ curl --cacert DTDNS.crt -X GET 'https://www.dtdns.com/api/autodns.cfm?id=....&pw=....&ip=....'
It works - curl checks if the server certificate is the same like.
Then I tried the same on OpenWrt 10.03.1, r29592:
root@Router:~# curl --version
curl 7.21.7 (mips-openwrt-linux-gnu) libcurl/7.21.7 OpenSSL/0.9.8r zlib/1.2.3
Protocols: file ftp ftps http https imap imaps pop3 pop3s rtsp smtp smtps tftp
Features: IPv6 Largefile NTLM SSL libz
root@Router:~#
root@Router:/etc# curl --cacert DTDNS.crt -X GET 'https://www.dtdns.com/api/autodns.cfm?id=....&pw=....&ip=....'
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:lib(20):func(144):reason(134)
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
root@Router:/etc#
When I use -k it works but I want the more secure method! :-)
Best Regards,
Manuela
Received on 2014-08-13
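Added example, not part of the original message and not curl or OpenSSL code: a small Python decoder for the numeric OpenSSL error line shown in the OpenWrt output above. It assumes the packed error layout used by OpenSSL 0.9.8 through 1.1.x (8-bit library, 12-bit function, 12-bit reason); the name tables hold only the three values that occur in this message, and the function names are hypothetical.

```python
import re

# Matches "error:XXXXXXXX" and, when present, the numeric fallback
# "lib(N):func(N):reason(N)" that OpenSSL prints when its error
# strings are not available in the build.
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8})"
    r"(?::lib\((?P<lib>\d+)\):func\((?P<func>\d+)\):reason\((?P<reason>\d+)\))?"
)

# Only the values seen in this message (from OpenSSL's err.h / ssl.h).
LIB_NAMES = {20: "SSL routines"}
FUNC_NAMES = {(20, 144): "SSL3_GET_SERVER_CERTIFICATE"}
REASON_NAMES = {(20, 134): "certificate verify failed"}


def unpack(code):
    """Split a packed error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def decode(line):
    """Decode one OpenSSL error line; return None if it contains no error code."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    lib, func, reason = unpack(int(m.group("code"), 16))
    printed = None
    if m.group("lib") is not None:
        printed = tuple(int(m.group(k)) for k in ("lib", "func", "reason"))
    text = ":".join((
        LIB_NAMES.get(lib, "lib(%d)" % lib),
        FUNC_NAMES.get((lib, func), "func(%d)" % func),
        REASON_NAMES.get((lib, reason), "reason(%d)" % reason),
    ))
    return {
        "lib": lib, "func": func, "reason": reason, "text": text,
        # False when the printed fields disagree with the hex code (damaged log line)
        "consistent": printed is None or printed == (lib, func, reason),
    }


# The error line from the OpenWrt session in this message.
SAMPLE = "error:14090086:lib(20):func(144):reason(134)"

if __name__ == "__main__":
    print(decode(SAMPLE)["text"])
```

The decoded text shows that the failure was raised while OpenSSL was verifying the server's certificate chain during the handshake, which is the step the `--cacert` file feeds into.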