cURL / Mailing Lists / curl-users / Single Mail


Re: cURL and Iceweasel disagree about TLS certificate validity, despite same CA

From: Ray Satiro via curl-users <>
Date: Sat, 28 May 2016 14:10:30 -0400

On 5/28/2016 12:36 PM, Sam Kuper wrote:
> $ curl --cacert /etc/ssl/certs/GeoTrust_Global_CA.pem --head
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here:
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
> My primary question is: **what is causing this inconsistency between
> cURL and Iceweasel?**
> My secondary question is: **does this inconsistency mean that there is
> a bug in Iceweasel and/or a bug in cURL?**

The server is at fault because it does not send the
intermediate certificate required to complete the chain, 'RapidSSL
SHA256 CA - G3' which is signed by your GeoTrust CA. You can post this
as an answer to your stackoverflow question.

It's not a bug in Iceweasel or curl, they just behave differently.
Iceweasel caches intermediate certificates when it connects to websites,
and curl doesn't do that. (In some cases the SSL backend being used by
curl may do it. For example OpenSSL doesn't but WinSSL does.) So what
has happened here is Iceweasel cached the intermediate RapidSSL
certificate when it connected to some other website that sent it as part
of that website's certificate chain. Then when you use Iceweasel to
connect to mensa it checked its certificate cache since the server
didn't send the right certificate, and found a way to complete the chain.

To solve this you can contact the website owner and ask them to fix it
(I think unlikely given the other serious problems in the ssl report
[1]) or you can add the RapidSSL intermediate certificate to your
certificate bundle [2].


List admin:
Received on 2016-05-28