curl / Mailing Lists / curl-users / Single Mail


Re: Intermediate Certificate

From: Von Hawkins <>
Date: Thu, 6 Dec 2018 18:28:18 -0700

Please pardon the top reply. My mobile email doesn’t easily do inline or bottom reply.

Clients (relying parties) have 3 ways to build the certificate trust chain during path validation:
1. The server (more generally, the entity at the other end) sends the entire chain in the packet with its TLS cert. If so, the client only needs to have the root certificate in it’s trust store.

2. The client trust store can have all necessary CA certificates in the trust store.

3. The intermediate CA cert(s) can be retrieved from the AIA. The root cert should also be available from the AIA (possibly of the intermediate CA certificate) but trust will still fail if the root is not in the trust store.

Many sites have useless AIA links that either don’t have the cert(s), aren’t reachable, or don’t exist. This is a common misconfiguration.

Firefox also allows explicitly trusting a TLS cert without the root. Once done, the server cert section of the Firefox trust store will have the server cert available.

Either Firefox, Chrome, or IE will allow you to examine and export/save all certs needed for the current connection. Start by clicking the padlock in the address bar.

It is likely the browser is working from an entirely different trust store. In the output below, curl is using:
With OpenSSL or the windows crypto tools, you can examine cert.pem (which could be a pem-formatted single cert or a P7B file containing many certain. If it doesn’t have the whole chain, locate the missing cert(s) and add them (if it’s already a P7B file). If it’s a single cert, create a P7B file with OpenSSL crl2p7b it the Windows tools. Then point curl to it.

I think curl can be compiled to use Firefox (Mozilla NSS) and Microsoft CNG trust stores also, but it’s been years since I did any of that. I recall it being much worse easier to create the P7B file. MS certmgr.msc can export its entire trusted intermediate CA certificate and trusted root certificate stores. I think Firefox can too. With MS, you have to make 2 exports and merge them later, if I recall correctly. Once you have one P7B file (really just another bucket format similar to a tar file) MS should let you double click the file and add/export certs via GUI tools.

OpenSSL can create, export from, and add to P7B files.

With all that said, the example below shows successful verification. The TLS protocol agreement appears to have failed.
> * ALPN, server did not agree to a protocol

This is probably from a server using older protocols than the client or vice-versa.

OpenSSL sclient is also a valuable tool for examining trust chains and protocols.

I hope this helps,

 Michele wrote:
>>> I wrote a kind of link-checker in bash using curl and sometimes the check fails - I think - because an incomplete certificate chain. But with a browser the certificate looks good.
>> 1. That's a broken site as a TLS server isn't suppposed to act like this.
> Do you mean that the site has probably been misconfigured?
> But why mac Mac's curl works fine?
> #curl -v
> * Trying
> * Connected to ( port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: /etc/ssl/cert.pem
> CApath: none
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server did not agree to a protocol
> * Server certificate:
> * subject: C=US; postalCode=08540; ST=New Jersey; L=Princeton; street=1 Einstein Drive; O=Institute for Advanced Study; OU=School of Mathematics; CN=*
> * start date: Mar 15 00:00:00 2018 GMT
> * expire date: Mar 15 23:59:59 2019 GMT
> * subjectAltName: host "" matched cert's "*"
> * issuer: C=US; ST=MI; L=Ann Arbor; O=Internet2; OU=InCommon; CN=InCommon RSA Server CA
> * SSL certificate verify ok.
>> 2. Browsers tend to cache intermediate certificates and curl doesn't, which makes them handle missing ones in many cases.
>> 3. There's a x509 extension called AIA (Authority Information Access) that tells the browser where it can download the extra certficiate for this. This is supported by some browsers if I understand things correctly. curl does not.
>> --
>> /
>> -----------------------------------------------------------
>> Unsubscribe:
>> Etiquette:
> --
> ETH Zurich
> Michele Marcionelli
> Head of IT Support Group
> Department of Mathematics
> HG G 32.1
> Raemistrasse 101
> CH-8092 Zurich
> phone +41 44 632 6193
> * Please consider the environment before printing
> -----------------------------------------------------------
> Unsubscribe:
> Etiquette:

Received on 2018-12-07