

Re: cURL and Iceweasel disagree about TLS certificate validity, despite same CA

From: Petr Pisar <>
Date: Sat, 28 May 2016 20:07:15 +0200

On Sat, May 28, 2016 at 05:36:00PM +0100, Sam Kuper wrote:
> in relation to the URL .

By the way, the server does not support TLS1.2 or TLS1.1. It understands
TLS1.0 only. That can be considered insecure by some implementations.

> Visiting using Iceweasel
> results in no errors or warnings.

Firefox uses the NSS cryptographic library.

> $ curl -V
> curl 7.38.0 (i586-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1k
> zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3

Your curl uses OpenSSL.

NSS and OpenSSL have different algorithms for traversing certificates in the
chain of trust. If I remember correctly, OpenSSL is not able to find some
longer chain paths. This is especially true if a server does not send all
certificates of the trust chain.

Try to connect with the openssl tool (openssl s_client -connect It should display a similar error to your curl.

-- Petr


Received on 2016-05-28
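
The case the message mentions, a server that does not send all certificates of the trust chain, can be spotted in the "Certificate chain" section of `openssl s_client` output. The following is an added example, not part of the original message or of curl: it parses that section and reports where the sent chain stops short of a trusted root. The sample output, the certificate names and the `TRUSTED_ROOTS` set are constructed, and the check compares names only, without verifying signatures.

```python
import re

# Constructed sample input: the "Certificate chain" section printed by
# `openssl s_client` (OpenSSL 1.0.x layout). All names are made up.
INCOMPLETE = """Certificate chain
 0 s:/C=GB/O=Example Org/CN=www.example.org
   i:/C=US/O=Example CA/CN=Example Intermediate CA
---
"""
COMPLETE = """Certificate chain
 0 s:/C=GB/O=Example Org/CN=www.example.org
   i:/C=US/O=Example CA/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
---
"""
# Constructed stand-in for the subject names in the client's trust store.
TRUSTED_ROOTS = {"/C=US/O=Example CA/CN=Example Root CA"}

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    # Keep only the text between "Certificate chain" and the closing "---" line.
    section = text.split("Certificate chain", 1)[-1].split("\n---\n", 1)[0]
    pairs = re.findall(r"^\s*\d+\s+s:\s*(.+)\n\s*i:\s*(.+)$", section, re.M)
    return [(s.strip(), i.strip()) for s, i in pairs]

def check_chain(chain, trusted_roots):
    """Name-only check (no signatures): report gaps in what the server sent."""
    if not chain:
        return ["no certificates found in input"]
    problems = []
    # Each certificate's issuer should be the subject of the next one sent.
    for (subj, issuer), (nxt, _) in zip(chain, chain[1:]):
        if issuer != nxt:
            problems.append(f"gap or wrong order after {subj}: issuer {issuer} not sent next")
    # The last certificate sent must be, or be issued by, a trusted root.
    last_subj, last_issuer = chain[-1]
    if not {last_subj, last_issuer} & set(trusted_roots):
        problems.append(f"missing issuer, not sent and not a trusted root: {last_issuer}")
    return problems

if __name__ == "__main__":
    for name, text in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(name, check_chain(parse_chain(text), TRUSTED_ROOTS) or "chain links up")
```

A client that builds the path only from the certificates the server sent plus its root store has nothing to bridge the gap reported for the incomplete sample.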