curl-and-php

CA Bundle problem

From: Devel <dev002_at_pas-world.com>
Date: Tue, 08 Mar 2011 13:28:57 +0100

Hello,

After a software update I see that cert validation does not work in a PHP
program.

After some tests I did this:

/***********************************************************/
[root@mail apache]# openssl s_client -CAfile /etc/pki/tls/cert.pem -host www.paypal.com -port 443
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
"(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class
3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class
3 Extended Validation SSL CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 =
Delaware, businessCategory = "V1.0, Clause 5.(b)", serialNumber =
3014267, C = US, postalCode = 95131-2021, ST = California, L = San Jose,
street = 2211 N 1st St, O = "PayPal, Inc.", OU = Information Systems, CN
= www.paypal.com
verify return:1

---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=V1.0, Clause 5.(b)/serialNumber=3014267/C=US/postalCode=95131-2021/ST=California/L=San Jose/street=2211 N 1st St/O=PayPal, Inc./OU=Information Systems/CN=www.paypal.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended
Validation SSL CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended
Validation SSL CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGSzCCBTOgAwIBAgIQdyH9HP/pEHLCT0BzXfdhQTANBgkqhkiG9w0BAQUFADCB
ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMr
VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTAeFw0x
MDAzMTEwMDAwMDBaFw0xMTA0MDEyMzU5NTlaMIIBDzETMBEGCysGAQQBgjc8AgED
EwJVUzEZMBcGCysGAQQBgjc8AgECEwhEZWxhd2FyZTEbMBkGA1UEDxMSVjEuMCwg
Q2xhdXNlIDUuKGIpMRAwDgYDVQQFEwczMDE0MjY3MQswCQYDVQQGEwJVUzETMBEG
A1UEERQKOTUxMzEtMjAyMTETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxQI
U2FuIEpvc2UxFjAUBgNVBAkUDTIyMTEgTiAxc3QgU3QxFTATBgNVBAoUDFBheVBh
bCwgSW5jLjEcMBoGA1UECxQTSW5mb3JtYXRpb24gU3lzdGVtczEXMBUGA1UEAxQO
d3d3LnBheXBhbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
pngf2K+3LkKrofh6DyYDY7kCAc+DlWwWulNDjP9XIAWXUyq7U6x/hgaw74WuNNsc
g8lnulY4cKTMHtN8mbOnE+ersZtepgM7arnMLzK6LdzhuZUpuopQ5N93dnnIk3pl
wsWhSc5eFVV5t4AbXUbx1b6kQpofllPrrnHjZNtPSbq3kcpwJkSxx20a7X6frTgh
3fFCUBy2h3FSEkUwInI5j4J3gAmTpzKrPuyYk3G58K6Fe1aD82qfaxAqrfn9ERXQ
HBWsflNDRcyPJmCqZCFBb2uBmsVaFd97z56FegqbnE6IOiVQoMsx7/vpxtgU73aB
DNN0b3Ha+i9gpJOxfUKRAgMBAAGjggHzMIIB7zAJBgNVHRMEAjAAMB0GA1UdDgQW
BBSqOCe3+r/8ZBTccVZFGG5Nq2fLeDALBgNVHQ8EBAMCBaAwQgYDVR0fBDswOTA3
oDWgM4YxaHR0cDovL0VWU2VjdXJlLWNybC52ZXJpc2lnbi5jb20vRVZTZWN1cmUy
MDA2LmNybDBEBgNVHSAEPTA7MDkGC2CGSAGG+EUBBxcGMCowKAYIKwYBBQUHAgEW
HGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFPyKULqeuSVae1WFT5UAY4/pWGtDMHwG
CCsGAQUFBwEBBHAwbjAtBggrBgEFBQcwAYYhaHR0cDovL0VWU2VjdXJlLW9jc3Au
dmVyaXNpZ24uY29tMD0GCCsGAQUFBzAChjFodHRwOi8vRVZTZWN1cmUtYWlhLnZl
cmlzaWduLmNvbS9FVlNlY3VyZTIwMDYuY2VyMG4GCCsGAQUFBwEMBGIwYKFeoFww
WjBYMFYWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFEtruSiWBgy70FI4mymsSweL
IQUYMCYWJGh0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28xLmdpZjANBgkq
hkiG9w0BAQUFAAOCAQEALNE4IvT0MOOfRyk1iCL3yTm2H8OS8bEQmnMXpKMDVi6Z
kxcGS39TuYdy9WEwpEj0Cl+jderSOWFwBJlUMoRJwIrBQmim2M9zJLzrKe53mqyR
yVAN3voydFuhiSmuVQSXLoEpiP50jx1gw3qj9lyPwj74xesLjFN/FE58X4QurJt2
EE25F7AEyl50xDWQajjs0KMXQ/2yykE0JRrl7WWbUu7UXcXM/J37qjpzk/KVwNNm
8A/x8ADKfDCdk1I1kSe97etK/RYZ+OLyf9jcplAIXlcGDPN/bjgnxyHdVFWVQnFR
RIJlCglPRd7Sk4dqxpYSGliYBLOICZY73NePKutyyQ==
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=V1.0, Clause 5.(b)/serialNumber=3014267/C=US/postalCode=95131-2021/ST=California/L=San Jose/street=2211 N 1st St/O=PayPal, Inc./OU=Information Systems/CN=www.paypal.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended
Validation SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4536 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID:
EA4991E70877565D872B0F534798C218459C19A9A52213F08AD5D5600465F575
    Session-ID-ctx: 
    Master-Key:
19C1A23D7C851C3D485FF491838BEBC613629876E56DEE386D8BBBE65EB169B366FFA2063266AC4E40E07FA1484F1292
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1299583255
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
/*********************************************************************/
Result is OK
/*********************************************************************/
[root@mail apache]# curl -v --cacert /etc/pki/tls/cert.pem https://www.paypal.com
* About to connect() to www.paypal.com port 443 (#0)
*   Trying 66.211.169.2... connected
* Connected to www.paypal.com (66.211.169.2) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
*   CAfile: /etc/pki/tls/cert.pem
  CApath: none
* Peer's certificate issuer is not recognized: 'CN=VeriSign Class 3
Extended Validation SSL CA,OU=Terms of use at
https://www.verisign.com/rpa (c)06,OU=VeriSign Trust
Network,O="VeriSign, Inc.",C=US'
* NSS error -8049
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA
certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
/*************************************************************************/
Result is FAIL.
Where is the problem?
openssl-1.0.0d-1..x86_64
libcurl-7.21.0-6..x86_64
-- 
Ordenadores, componentes y software: http://www.1pc.es/
Sistemas IT: http://www.precioventa.com/
_______________________________________________
http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
Received on 2011-03-08
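The check the mail runs against a live server (does the leaf certificate chain up to a root in the given CA bundle?) can be reproduced offline. The script below is an added example and is not part of the original mail: it builds a throwaway root -> intermediate -> leaf PKI with openssl, then verifies the leaf against one bundle that contains the root and one that contains only an unrelated root, with and without the intermediate that a real server would send in its handshake. It also checks directly whether a bundle contains the issuer a certificate names. It assumes openssl 1.1.0 or newer in PATH plus mktemp and awk; every name in it (demo-root, demo-int, other-root, www.example.test) is made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes openssl >= 1.1.0,
# mktemp and awk. All certificate names below are invented for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcert DIR OUT CN EXT [ISSUER] : new RSA key + CSR for CN, signed by
# DIR/ISSUER.{pem,key}, or self-signed when ISSUER is omitted.
# EXT is an x509v3 extension list in openssl "-extfile" syntax.
mkcert() {
    openssl req -new -sha256 -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    printf '%b' "$4" > "$1/$2.ext"
    if [ $# -ge 5 ]; then
        openssl x509 -req -sha256 -days 2 -in "$1/$2.csr" -extfile "$1/$2.ext" \
            -CA "$1/$5.pem" -CAkey "$1/$5.key" -CAcreateserial \
            -out "$1/$2.pem" >/dev/null 2>&1
    else
        openssl x509 -req -sha256 -days 2 -in "$1/$2.csr" -extfile "$1/$2.ext" \
            -signkey "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
    fi
}

# make_pki DIR : demo-root signs demo-int, demo-int signs the leaf;
# other-root is a second, unrelated self-signed CA.
make_pki() {
    ca='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
    mkcert "$1" root  demo-root  "$ca"
    mkcert "$1" other other-root "$ca"
    mkcert "$1" int   demo-int   "$ca" root
    mkcert "$1" leaf  www.example.test \
        'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' int
}

# verify_chain BUNDLE LEAF [INTERMEDIATES] : 0 if LEAF chains to a root in
# BUNDLE. INTERMEDIATES plays the part of the certificates a server sends
# alongside its own: they help build the chain but are not trusted themselves.
verify_chain() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# bundle_has_issuer BUNDLE CERT : 0 if some certificate in BUNDLE carries the
# subject name that CERT names as its issuer (compared via openssl's DN hash).
bundle_has_issuer() {
    want=$(openssl x509 -in "$2" -noout -issuer_hash)
    rm -rf "$WORK/split"; mkdir "$WORK/split"
    # split the PEM bundle into one file per certificate
    awk -v dir="$WORK/split" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
    for c in "$WORK"/split/*.pem; do
        [ -f "$c" ] || continue
        [ "$(openssl x509 -in "$c" -noout -subject_hash)" = "$want" ] && return 0
    done
    return 1
}

make_pki "$WORK"
cat "$WORK/root.pem" "$WORK/other.pem" > "$WORK/good-bundle.pem"  # has demo-root
cp "$WORK/other.pem" "$WORK/bad-bundle.pem"                        # unrelated root only

for b in good-bundle bad-bundle; do
    if verify_chain "$WORK/$b.pem" "$WORK/leaf.pem" "$WORK/int.pem"; then r=ok; else r=FAIL; fi
    echo "$b + server-sent intermediate: $r"
done
```

Run it with `sh check-bundle.sh` (any file name). Only the bundle that holds demo-root verifies, and only when the intermediate is supplied the way a server would send it: a bundle that contains the root but no intermediate, with no intermediate presented, fails too, which is why `bundle_has_issuer` on the leaf reports the intermediate as missing from the bundle while `bundle_has_issuer` on the intermediate finds the root. Against a live server the same two inputs are the `--cacert` file and the chain the server presents; the script does not diagnose why two TLS libraries fed the same bundle reach different verdicts.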