curl / Mailing Lists / curl-users / Single Mail

curl-users

Re: Intermediate Certificate

From: Marcionelli Michele <michele.marcionelli_at_math.ethz.ch>
Date: Thu, 6 Dec 2018 22:31:40 +0000

> On 6 Dec 2018, at 23:23, Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Thu, 6 Dec 2018, Marcionelli Michele wrote:
>
>> I wrote a kind of link-checker in bash using curl and sometimes the check fails - I think - because an incomplete certificate chain. But with a browser the certificate looks good.
>
> 1. That's a broken site as a TLS server isn't suppposed to act like this.

Do you mean that the site has probably been misconfigured?
But why mac Mac's curl works fine?

#curl -v https://www.math.ias.edu/

* Trying 192.16.204.152...
* TCP_NODELAY set
* Connected to www.math.ias.edu (192.16.204.152) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; postalCode=08540; ST=New Jersey; L=Princeton; street=1 Einstein Drive; O=Institute for Advanced Study; OU=School of Mathematics; CN=*.math.ias.edu
* start date: Mar 15 00:00:00 2018 GMT
* expire date: Mar 15 23:59:59 2019 GMT
* subjectAltName: host "www.math.ias.edu" matched cert's "*.math.ias.edu"
* issuer: C=US; ST=MI; L=Ann Arbor; O=Internet2; OU=InCommon; CN=InCommon RSA Server CA
* SSL certificate verify ok.

> 2. Browsers tend to cache intermediate certificates and curl doesn't, which makes them handle missing ones in many cases.
>
> 3. There's a x509 extension called AIA (Authority Information Access) that tells the browser where it can download the extra certficiate for this. This is supported by some browsers if I understand things correctly. curl does not.
>
> --
>
> / daniel.haxx.se
> -----------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
> Etiquette: https://curl.haxx.se/mail/etiquette.html

-- 
ETH Zurich
Michele Marcionelli
Head of IT Support Group
Department of Mathematics
HG G 32.1
Raemistrasse 101
CH-8092 Zurich
phone +41 44 632 6193
michele.marcionelli_at_math.ethz.ch
https://people.math.ethz.ch/~michele
 * Please consider the environment before printing 
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2018-12-06