Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-users / Single Mail

curl-users

Re: Intermediate Certificate

From: Marcionelli Michele <michele.marcionelli_at_math.ethz.ch>
Date: Thu, 6 Dec 2018 22:31:40 +0000

> On 6 Dec 2018, at 23:23, Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Thu, 6 Dec 2018, Marcionelli Michele wrote:
>
>> I wrote a kind of link-checker in bash using curl and sometimes the check fails - I think - because an incomplete certificate chain. But with a browser the certificate looks good.
>
> 1. That's a broken site as a TLS server isn't suppposed to act like this.

Do you mean that the site has probably been misconfigured?
But why mac Mac's curl works fine?

#curl -v https://www.math.ias.edu/

* Trying 192.16.204.152...
* TCP_NODELAY set
* Connected to www.math.ias.edu (192.16.204.152) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; postalCode=08540; ST=New Jersey; L=Princeton; street=1 Einstein Drive; O=Institute for Advanced Study; OU=School of Mathematics; CN=*.math.ias.edu
* start date: Mar 15 00:00:00 2018 GMT
* expire date: Mar 15 23:59:59 2019 GMT
* subjectAltName: host "www.math.ias.edu" matched cert's "*.math.ias.edu"
* issuer: C=US; ST=MI; L=Ann Arbor; O=Internet2; OU=InCommon; CN=InCommon RSA Server CA
* SSL certificate verify ok.

> 2. Browsers tend to cache intermediate certificates and curl doesn't, which makes them handle missing ones in many cases.
>
> 3. There's a x509 extension called AIA (Authority Information Access) that tells the browser where it can download the extra certficiate for this. This is supported by some browsers if I understand things correctly. curl does not.
>
> --
>
> / daniel.haxx.se
> -----------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
> Etiquette: https://curl.haxx.se/mail/etiquette.html 

-- 
ETH Zurich
Michele Marcionelli
Head of IT Support Group
Department of Mathematics
HG G 32.1
Raemistrasse 101
CH-8092 Zurich
phone +41 44 632 6193
michele.marcionelli_at_math.ethz.ch
https://people.math.ethz.ch/~michele
 * Please consider the environment before printing 
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2018-12-06