curl-users
Re: Verify incomplete chain
Date: Wed, 13 Apr 2016 15:31:09 +0200
On Wed, Apr 13, 2016 at 03:01:15PM +0200, Jan Prachar wrote:
> I can't figure out the following problem. Maybe some of you could help me to
> understand it.
>
> if I compile curl with OpenSSL
> ./configure --with-ca-path=/etc/ssl/certs --with-ca-bundle=/etc/ssl/certs/
> ca-certificates.crt --with-ssl
>
> and then run
> curl -v https://incomplete-chain.badssl.com
>
> I get error that certificate verification failed (unable to get local issuer
> certificate) as expected.
>
> But I compile curl with gnutls
> ./configure --with-ca-path=/etc/ssl/certs --with-ca-bundle=/etc/ssl/certs/
> ca-certificates.crt --without-ssl --with-gnutls
>
> And then try the same URL, the server certificate is verified. How it is
> possible? I checked that the missing CA certificate isn't downloaded according
> to AIA extension. Could be there a bug in gnutls library? (I have version
> 3.4.10).
What version of curl are you using? It works as expected for me with git HEAD
and gnutls 3.2.21:
curl -v https://incomplete-chain.badssl.com
* STATE: INIT => CONNECT handle 0x8a0f7f4; line 1402 (connection #-5000)
* Rebuilt URL to: https://incomplete-chain.badssl.com/
* Added connection 0. The cache now contains 1 members
* Trying 104.154.89.105...
* STATE: CONNECT => WAITCONNECT handle 0x8a0f7f4; line 1455 (connection #0)
* Connected to incomplete-chain.badssl.com (104.154.89.105) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x8a0f7f4; line 1554 (connection #0)
* Marked for [keep alive]: HTTP default
* found 192 certificates in /etc/pki/tls/certs/ca-bundle.crt
* ALPN, offering http/1.1
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x8a0f7f4; line 1568 (connection #0)
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification failed. CAfile: /etc/pki/tls/certs/ca-bundle.crt CRLfile: none
* Marked for [closure]: Failed HTTPS connection
* multi_done
* Closing connection 0
* The cache now contains 0 members
curl: (60) server certificate verification failed. CAfile: /etc/pki/tls/certs/ca-bundle.crt CRLfile: none
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
>>> Dan
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ: https://curl.haxx.se/docs/faq.html
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-04-13