Re: cURL and Iceweasel disagree about TLS certificate validity, despite same CA

From: Sam Kuper <sam.kuper_at_uclmail.net>
Date: Sat, 28 May 2016 21:21:19 +0100

On 28/05/2016, Petr Pisar <petr.pisar_at_atlas.cz> wrote:
> On Sat, May 28, 2016 at 05:36:00PM +0100, Sam Kuper wrote:
>> Visiting https://profile.mensa.org.uk/contact.aspx using Iceweasel
>> results in no errors or warnings.
>
> Firefox uses NSS cryptographic library.
>
> Your curl uses OpenSSL.
>
> NSS and OpenSSL have different algorithms for traversing certificates in the
> chain of trust. If I remember correctly, OpenSSL is not able to find some
> longer chain paths. This is especially true if a server does not send all
> certificates of the trust chain.
>
> Try to connect with the openssl tool (openssl s_client -connect
> profile.mensa.org.uk:https). It should display a similar error to your curl.

On 28/05/2016, Ray Satiro via curl-users <curl-users_at_cool.haxx.se> wrote:
> On 5/28/2016 12:36 PM, Sam Kuper wrote:
>> My primary question is: **what is causing this inconsistency between
>> cURL and Iceweasel?**
>>
>> My secondary question is: **does this inconsistency mean that there is
>> a bug in Iceweasel and/or a bug in cURL?**
>
> The server profile.mensa.org.uk is at fault because it does not send the
> intermediate certificate required to complete the chain, 'RapidSSL
> SHA256 CA - G3' which is signed by your GeoTrust CA. You can post this
> as an answer to your stackoverflow question.
>
> It's not a bug in Iceweasel or curl; they just behave differently.
> Iceweasel caches intermediate certificates when it connects to websites,
> and curl doesn't do that. (In some cases the SSL backend being used by
> curl may do it. For example OpenSSL doesn't but WinSSL does.) So what
> has happened here is Iceweasel cached the intermediate RapidSSL
> certificate when it connected to some other website that sent it as part
> of that website's certificate chain. Then, when you used Iceweasel to
> connect to mensa, it checked its certificate cache since the server
> didn't send the right certificate, and found a way to complete the chain.
>
> To solve this you can contact the website owner and ask them to fix it
> (I think unlikely given the other serious problems in the ssl report
> [1]) or you can add the RapidSSL intermediate certificate to your
> certificate bundle [2].
>
> [1]: https://www.ssllabs.com/ssltest/analyze.html?d=profile.mensa.org.uk
> [2]: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO26457

On 28/05/2016, dev_user <dev_at_cor0.com> wrote:
> $ openssl s_client -connect profile.mensa.org.uk:443 -tls1
> [...]
>
> looks like a borked site.

Many thanks to all three of you for your help. It is a long time since
I encountered a certificate validation error using cURL!

I had already emailed the site admins to encourage them to ditch IIS
6.0 and to force HTTPS. Now that it's clear the server is at fault for
the cURL certificate validation error, and given that
profile.mensa.org.uk (and indeed other subdomains of mensa.org.uk)
fail the Qualys SSL Labs assessment, I will write to the site admins
again, to encourage them to improve the HTTPS implementation
site-wide.
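The failure mode discussed in this thread is easy to reproduce offline. The script below is an added example, not part of the original mail or of the curl project: it builds a throwaway three-tier chain (root CA, intermediate CA, server certificate) with the openssl command-line tool and then verifies the leaf the way curl with an OpenSSL backend would, trusting only a local CA bundle and never caching intermediates. The CA names and the hostname profile.example.test are constructed placeholders, not the real GeoTrust/RapidSSL chain; the option names used are standard openssl(1) options, and the functions make_chain, chain_status and add_to_bundle are the example's own. Case 1 mirrors the mensa server (only the leaf is sent, the bundle holds only the root), case 2 mirrors a correctly configured server that also sends its intermediate, and case 3 is fix [2] from the thread, appending the intermediate to the local bundle.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "unable to get local issuer
# certificate" with a locally generated chain and show the two remedies.
# All certificates are constructed in a temp dir; names are placeholders.
WORK=$(mktemp -d)

# issue_cert OUT CSR CA_CERT CA_KEY EXTFILE: sign a CSR with the given CA.
issue_cert() {
  openssl x509 -req -in "$2" -CA "$3" -CAkey "$4" -CAcreateserial \
    -days 2 -sha256 -extfile "$5" -out "$1" >/dev/null 2>&1
}

make_chain() {
  # Extensions are given explicitly so the result does not depend on openssl.cnf.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:profile.example.test\n' \
    > "$WORK/leaf.ext"
  # Root CA (self-signed): the only thing our emulated curl trusts.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -sha256 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1
  # Intermediate CA signed by the root (the "RapidSSL SHA256 CA - G3" role).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1 || return 1
  issue_cert "$WORK/int.pem" "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" \
    "$WORK/ca.ext" || return 1
  # Server (leaf) certificate signed by the intermediate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=profile.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
  issue_cert "$WORK/leaf.pem" "$WORK/leaf.csr" "$WORK/int.pem" "$WORK/int.key" \
    "$WORK/leaf.ext"
}

# chain_status BUNDLE [SENT]: emulate curl+OpenSSL. BUNDLE is the local CA file
# (the only trusted material); SENT, if given, holds the extra certificates the
# server sends alongside its leaf (-untrusted: usable for path building but not
# trusted by themselves). Prints OK or MISSING_INTERMEDIATE.
chain_status() {
  if [ -n "$2" ]; then
    set -- -CAfile "$1" -untrusted "$2"
  else
    set -- -CAfile "$1"
  fi
  if openssl verify "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo MISSING_INTERMEDIATE
  fi
}

# add_to_bundle ROOT INTERMEDIATE OUT: the client-side workaround from the
# thread, appending the missing intermediate to the CA bundle curl uses.
add_to_bundle() {
  cat "$1" "$2" > "$3"
}

# Demo run of the three cases.
make_chain || { echo "certificate generation failed" >&2; exit 1; }
echo "1. server sends leaf only, bundle holds root only:  $(chain_status "$WORK/root.pem")"
echo "2. server also sends its intermediate:              $(chain_status "$WORK/root.pem" "$WORK/int.pem")"
add_to_bundle "$WORK/root.pem" "$WORK/int.pem" "$WORK/bundle.pem"
echo "3. leaf only, intermediate appended to local bundle: $(chain_status "$WORK/bundle.pem")"
```

To check a live server the same way, the `openssl s_client -connect host:443 -showcerts` command already mentioned in the thread prints every certificate the server sends; if only one BEGIN CERTIFICATE block appears and that leaf is not issued directly by a root in your bundle, the server has the problem described here, and case 2 above is what the server operator needs to make happen. The NSS-side behaviour (a browser completing the chain from its cache of previously seen intermediates) is not reproduced by this script, which is exactly why the browser and curl disagree.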
Received on 2016-05-28