Re: A error log when used the curl command tool in embedded linux device

From: Ray Satiro via curl-users <curl-users_at_cool.haxx.se>
Date: Wed, 14 Dec 2016 02:49:33 -0500

On 12/13/2016 9:59 PM, 杨俊 wrote:
> 2. test it in my device, and it was NG.
> -----log -----------------
> /tmp # ./curl -v --cacert cacert-2016-11-02.pem https://curl.haxx.se
> * Rebuilt URL to: https://curl.haxx.se/
> * Trying 80.67.6.50...
> * TCP_NODELAY set
> * Connected to curl.haxx.se (80.67.6.50) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: cacert-2016-11-02.pem
> CApath: none
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (OUT), TLS alert, Server hello (2):
> * SSL certificate problem: unable to get local issuer certificate
> * Curl_http_done: called premature == 1
> * stopped the pause stream!
> * Closing connection 0
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> ---------------------------------------
> my version
> ------------log-------------
> /tmp # ./curl -V
> curl 7.51.0 (arm-hisiv400-linux-gnueabi) libcurl/7.51.0 OpenSSL/1.1.0c
> nghttp2/1.17.0
> Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s
> rtsp smb smbs smtp smtps telnet tftp
> Features: IPv6 Largefile NTLM NTLM_WB SSL TLS-SRP HTTP2 UnixSockets
> /tmp #

That's interesting. Can someone with libcurl/7.51.0 and OpenSSL/1.1.0c
try to connect to curl.haxx.se with cacert-2016-11-02.pem? I am still on
the 1.0.2 series.

>
> /tmp # ./openssl s_client -connect curl.haxx.se:443 -CApath /tmp/cacert-2016-11-02.pem
> CONNECTED(00000003)
> depth=0 CN = anja.haxx.se
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = anja.haxx.se
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
> 0 s:/CN=anja.haxx.se
> i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
>
> Sorry for my stupid actions again. >"<
> Is this email etiquette?

As I mentioned, you'll need -servername. Also, you are using -CApath but
you should be using -CAfile. 'Etiquette' is as it's described in the
link I gave you: you quote the relevant content and put your reply below
the quote.

Received on 2016-12-14