curl-library
libcurl and SSL
Date: Fri, 22 Jul 2005 03:22:17 -0700 (PDT)
Hi all,
Thanks for looking into my problem.
I am testing SSL connections on different machines when
I encountered different results using the same
libcurl (7.14.0) and CA bundle (cacert.pem).
Using the curl 7.14.0 Win32 (with-ssl) binary on a Windows
machine, I was able to connect to
'https://sourceforge.net/' with the SSL certificate
authenticated. cacert.pem was downloaded on 21/7/05.
curl --cacert cacert.pem --proxy 192.168.0.18:8080 -v https://sourceforge.net/
Below is the reply,
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
* CAfile: cacert.pem
CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server key exchange (12):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: /C=US/O=sourceforge.net/OU=https://services.choicepoint.net/get.jsp?3754508056/OU=See www.geotrust.com/resources/cps (c)04/OU=Domain Control Validated - QuickSSL(R)/CN=sourceforge.net
* start date: 2005-03-03 00:09:04 GMT
* expire date: 2006-05-02 23:09:04 GMT
* common name: sourceforge.net (matched)
* issuer: /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
* SSL certificate verify ok.
>.......
Everything is okay
Then I wrote a program using curl-7.14.0 on a Linux machine
with the following code to make an SSL connection,
using an exact copy of cacert.pem in the correct
directory.
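#include <stdio.h>
#include <curl/curl.h>

/* Proxy address: assumed here to be the one from the curl command above. */
#define HTTP_PROXY "192.168.0.18:8080"

int main(void)
{
  CURL *curl;
  CURLcode res;
  char error[CURL_ERROR_SIZE] = "";  /* receives libcurl's error text */

  curl_global_init(CURL_GLOBAL_DEFAULT);
  curl = curl_easy_init();
  if(curl)
  {
    curl_easy_setopt(curl, CURLOPT_URL, "https://sourceforge.net");
    curl_easy_setopt(curl, CURLOPT_PROXY, HTTP_PROXY);
    /* CA bundle used to verify the server certificate chain */
    curl_easy_setopt(curl, CURLOPT_CAINFO, "/usr/local/share/curl/cacert.pem");
    /* numeric options are read as long, so pass long constants */
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
    curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
    curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, error);
    res = curl_easy_perform(curl);
    if(res != CURLE_OK)
    {
      printf("Error: (%d) %s\n", res, error);
    }
    curl_easy_cleanup(curl);
  }
  curl_global_cleanup();
  return 0;
}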
The program gave me errors:
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
* CAfile: /usr/local/share/curl/cacert.pem
CApath: none
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
Error: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
If I were to use the same code to access some other
HTTPS site, it works well.
Is this an isolated case?
Thanks in advance!
Regards
William
Received on 2005-07-22
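
An added example, not part of the original post: a small C helper that pulls the OpenSSL error entry out of the libcurl error text quoted above and unpacks its numeric code. The names `ossl_err` and `parse_ossl_error` are hypothetical, and the bit layout assumed is the one OpenSSL used before 3.0 (8-bit library, 12-bit function, 12-bit reason).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ossl_err {              /* one OpenSSL error-queue entry */
    unsigned long code;        /* packed value, e.g. 0x14090086 */
    int lib, func, reason;     /* unpacked numeric fields */
    char lib_name[32], func_name[64], reason_text[64];
};

/* Copy len bytes of src into dst, turning mail line breaks into spaces. */
static void copy_field(char *dst, size_t n, const char *src, size_t len) {
    size_t i, o = 0;
    for (i = 0; i < len && o + 1 < n; i++)
        dst[o++] = (src[i] == '\n' || src[i] == '\r') ? ' ' : src[i];
    while (o > 0 && dst[o - 1] == ' ') o--;
    dst[o] = '\0';
}

/* Hypothetical helper: find "error:HEX:lib:func:reason" in msg; 0 on success. */
int parse_ossl_error(const char *msg, struct ossl_err *e) {
    const char *p = strstr(msg, "error:"), *f[3];
    char *end;
    if (!p) return -1;
    e->code = strtoul(p + 6, &end, 16);
    if (end == p + 6 || *end != ':') return -1;
    /* Assumed layout (OpenSSL before 3.0): lib(8) | func(12) | reason(12). */
    e->lib = (int)((e->code >> 24) & 0xff);
    e->func = (int)((e->code >> 12) & 0xfff);
    e->reason = (int)(e->code & 0xfff);
    f[0] = end + 1;
    for (int i = 1; i < 3; i++) {
        const char *c = strchr(f[i - 1], ':');
        if (!c) return -1;
        f[i] = c + 1;
    }
    copy_field(e->lib_name, sizeof e->lib_name, f[0], (size_t)(f[1] - f[0] - 1));
    copy_field(e->func_name, sizeof e->func_name, f[1], (size_t)(f[2] - f[1] - 1));
    copy_field(e->reason_text, sizeof e->reason_text, f[2], strlen(f[2]));
    return 0;
}

int main(void) {
    /* Sample built from the error text in the post, wrapped as mail might wrap it. */
    const char *msg = "Details:\nerror:14090086:SSL\n"
        "routines:SSL3_GET_SERVER_CERTIFICATE:certificate\nverify failed";
    struct ossl_err e;
    if (parse_ossl_error(msg, &e) == 0)
        printf("lib=%d func=%d reason=%d (%s)\n", e.lib, e.func, e.reason, e.reason_text);
    return 0;
}
```

For the error in the post this gives library 20 (the SSL library) and reason 134 (certificate verify failed), raised while the client was reading the server certificate. The failure is therefore in chain verification during the handshake, not in loading the CA file, which the log reports as set successfully.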