curl-library
Re: VERIFYPEER, -k, --insecure, etc.
Date: Wed, 17 Sep 2008 09:15:01 -0700
On Wed, Sep 17, 2008 at 12:35:07AM -0500, Ryan Graciano wrote:
> I get that "tlsv1 alert unknown ca" means it can't validate the CA,
> but I'm passing -k (aka --insecure) to curl. I've tried the exact
> same thing in PHP, setting VERIFYPEER to false and VERIFYHOST to
> false, and I've received the exact same error from the PHP binding.
> Shouldn't they both be skipping the code that validates the CA if I'm
> specifically requesting to not validate it? What situation could
> cause this error with those parameters?
It sure sounds like you're doing everything right. Looking at the code, it
also seems like this error probably isn't occurring in the normal host
verification path. It looks like this is happening internal to OpenSSL
somewhere. See if this patch changes the error code that's returned:
diff -u -r1.206 ssluse.c
--- ssluse.c 5 Sep 2008 14:29:21 -0000 1.206
+++ ssluse.c 17 Sep 2008 16:13:47 -0000
@@ -1592,6 +1592,10 @@
entry. */
switch(errdetail) {
+ case 0x14094418:
+ /* seems to occur if client certificate can't be validated */
+ rc = CURLE_SSL_CERTPROBLEM;
+ break;
case 0x1407E086:
/* 1407E086:
SSL routines:
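Review bot: The new `case 0x14094418:` label is a bare magic number with only a hedged comment ("seems to occur if client certificate can't be validated"), whereas the `case 0x1407E086:` entry just below it spells out the decoded error string in its comment. Add the decoded string for 0x14094418 in that same style, and mention the alert text from the report ("tlsv1 alert unknown ca") so the comment records what was actually observed. Because the patch is offered as a diagnostic ("See if this patch changes the error code"), the mapping to CURLE_SSL_CERTPROBLEM should be confirmed against the reporter's result before the case is kept.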
If so, then it confirms my guess we'll have to figure out some way to get
OpenSSL to stop doing whatever verification it's doing internally.
>>> Dan
--
http://www.MoveAnnouncer.com The web change of address service
Let webmasters know that your web site has moved
Received on 2008-09-17