Re: Verify incomplete chain

From: Jan Prachar <jan.prachar_at_gmail.com>
Date: Wed, 13 Apr 2016 15:58:57 +0200

On 13 April 2016 at 15:31, Dan Fandrich <dan_at_coneharvesters.com> wrote:

> On Wed, Apr 13, 2016 at 03:01:15PM +0200, Jan Prachar wrote:
> > I can't figure out the following problem. Maybe some of you could help
> > me to understand it.
> >
> > if I compile curl with OpenSSL
> > ./configure --with-ca-path=/etc/ssl/certs --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt --with-ssl
> >
> > and then run
> > curl -v https://incomplete-chain.badssl.com
> >
> > I get error that certificate verification failed (unable to get local
> > issuer certificate) as expected.
> >
> > But I compile curl with gnutls
> > ./configure --with-ca-path=/etc/ssl/certs --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt --without-ssl --with-gnutls
> >
> > And then try the same URL, the server certificate is verified. How it is
> > possible? I checked that the missing CA certificate isn't downloaded
> > according to AIA extension. Could be there a bug in gnutls library? (I have
> > version 3.4.10).
>
> What version of curl are you using? It works as expected for me with git HEAD
> and gnutls 3.2.21:
>
> curl -v https://incomplete-chain.badssl.com
> * STATE: INIT => CONNECT handle 0x8a0f7f4; line 1402 (connection #-5000)
> * Rebuilt URL to: https://incomplete-chain.badssl.com/
> * Added connection 0. The cache now contains 1 members
> * Trying 104.154.89.105...
> * STATE: CONNECT => WAITCONNECT handle 0x8a0f7f4; line 1455 (connection #0)
> * Connected to incomplete-chain.badssl.com (104.154.89.105) port 443 (#0)
> * STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x8a0f7f4; line 1554 (connection #0)
> * Marked for [keep alive]: HTTP default
> * found 192 certificates in /etc/pki/tls/certs/ca-bundle.crt
> * ALPN, offering http/1.1
> * STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x8a0f7f4; line 1568 (connection #0)
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
> * server certificate verification failed. CAfile: /etc/pki/tls/certs/ca-bundle.crt CRLfile: none
> * Marked for [closure]: Failed HTTPS connection
> * multi_done
> * Closing connection 0
> * The cache now contains 0 members
> curl: (60) server certificate verification failed. CAfile: /etc/pki/tls/certs/ca-bundle.crt CRLfile: none
> More details here: https://curl.haxx.se/docs/sslcerts.html

I found the reason. I found that the missing intermediate CA certificate
from the chain is contained in /etc/ssl/certs/0000.crt. GnuTLS finds it
because it loads all certificates from the files contained in CApath into memory.
OpenSSL fails to find it because it tries to load the certificate from the CApath
directory by its hash, and c_rehash created symlinks only for the first
certificate in the 0000.crt bundle.

Thanks, Jan

>
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
> >>> Dan

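A check for the situation Jan describes, added here as an example and not part of the thread or of curl: it walks a CApath directory (assumed to be laid out by c_rehash, with one `<subject_hash>.N` symlink per indexed certificate) and reports every certificate inside a multi-certificate bundle file that has no hash entry, i.e. one that GnuTLS will load but OpenSSL's by-hash lookup can never reach. The helper names are my own; it needs only POSIX sh, awk and the `openssl` binary.

```shell
#!/bin/sh
# Audit a CApath directory for certificates OpenSSL cannot find by hash lookup.
# OpenSSL opens <subject_hash>.N in CApath; c_rehash only creates that symlink for the
# FIRST certificate of each file, so later certificates in a bundle (the 0000.crt case
# above) stay invisible to OpenSSL even though GnuTLS, which reads every file whole, sees them.

# Number of PEM certificate blocks in a file.
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Print the Nth (1-based) PEM certificate block of a file.
nth_cert() {
  awk -v want="$2" '
    /^-----BEGIN CERTIFICATE-----/ { n++ }
    n == want { print }
    /^-----END CERTIFICATE-----/ && n == want { exit }
  ' "$1"
}

# For every certificate in file $2, check that CApath $1 has a <subject_hash>.N entry.
# Prints one line per certificate and returns 1 if any certificate is unreachable.
audit_bundle() {
  dir=$1; file=$2; rc=0
  total=$(count_certs "$file"); i=1
  while [ "$i" -le "$total" ]; do
    hash=$(nth_cert "$file" "$i" | openssl x509 -noout -subject_hash) || return 2
    if ls "$dir/$hash".[0-9]* >/dev/null 2>&1; then
      echo "ok      $hash cert #$i of $file"
    else
      echo "MISSING $hash cert #$i of $file (not reachable by OpenSSL hash lookup)"
      rc=1
    fi
    i=$((i + 1))
  done
  return $rc
}

# Usage: sh audit_capath.sh /etc/ssl/certs   (audits every multi-certificate file in it)
if [ $# -eq 1 ]; then
  for f in "$1"/*; do
    [ -f "$f" ] && [ "$(count_certs "$f")" -gt 1 ] && audit_bundle "$1" "$f"
  done
fi
```

A bundle reported as MISSING is fixed by splitting it into one file per certificate and re-running c_rehash, which then indexes each one.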
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ: https://curl.haxx.se/docs/faq.html
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-04-13