curl-users

Verify incomplete chain

From: Jan Prachar <jan.prachar_at_gmail.com>
Date: Wed, 13 Apr 2016 15:01:15 +0200

Hi,

I can't figure out the following problem. Maybe some of you could help me
to understand it.

If I compile curl with OpenSSL
./configure --with-ca-path=/etc/ssl/certs \
  --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt --with-ssl

and then run
curl -v https://incomplete-chain.badssl.com

I get an error that certificate verification failed (unable to get local
issuer certificate), as expected.

But if I compile curl with gnutls
./configure --with-ca-path=/etc/ssl/certs \
  --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt --without-ssl \
  --with-gnutls

and then try the same URL, the server certificate is verified. How is it
possible? I checked that the missing CA certificate isn't downloaded
according to the AIA extension. Could there be a bug in the gnutls library?
(I have version 3.4.10.)

Thanks for the help!

Jan

Received on 2016-04-13
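
An offline reproduction of the "unable to get local issuer certificate" result described in the mail above, as an added example that is not part of the original post; every certificate, name and file in it is a constructed throwaway. Using only the openssl CLI, it shows the same leaf failing when only the root is trusted and passing once the intermediate is available, either supplied with the chain or present in the local trust file. It does not establish what happened in the GnuTLS build.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> leaf (all names made up).
set -e
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

mkreq() {  # $1 = file prefix, $2 = CN; writes $d/$1.key and $d/$1.csr
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=$2" -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
}
sign() {   # $1 = subject prefix, $2 = issuer prefix, rest = extra x509 options
  s=$1 i=$2; shift 2
  openssl x509 -req -in "$d/$s.csr" -CA "$d/$i.pem" -CAkey "$d/$i.key" \
    -CAcreateserial -days 2 -out "$d/$s.pem" "$@" 2>/dev/null
}
check() {  # args = options for `openssl verify`; prints OK or the failure reason
  out=$(openssl verify "$@" "$d/leaf.pem" 2>&1) || true
  case $out in
    *": OK") echo OK ;;
    *) echo "$out" | grep -o 'unable to get local issuer certificate' | head -n 1 ;;
  esac
}

# Self-signed root, then an intermediate CA, then a leaf signed by the intermediate.
openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -days 2 \
  -subj "/CN=Constructed Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
mkreq int "Constructed Intermediate CA"
sign int root -extfile "$d/ca.cnf" -extensions v3_ca
mkreq leaf "leaf.example.test"
sign leaf int
cat "$d/root.pem" "$d/int.pem" > "$d/both.pem"

# 1: incomplete chain, only the root trusted (the failure quoted in the mail)
echo "root only:                 $(check -CAfile "$d/root.pem")"
# 2: peer supplies the intermediate as an untrusted chain certificate
echo "root + sent intermediate:  $(check -CAfile "$d/root.pem" -untrusted "$d/int.pem")"
# 3: incomplete chain, but the intermediate is already in the local trust file
echo "intermediate in CA file:   $(check -CAfile "$d/both.pem")"
```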