curl-library

Re: VERIFYPEER, -k, --insecure, etc.

From: Ryan Graciano <rmgraci_at_gmail.com>
Date: Wed, 17 Sep 2008 13:11:44 -0500

Thanks for your help Dan. This has been a difficult issue to run down.

I'm able to compile OpenSSL, but I can't replace the version I already
have. It should be fine for them to coexist just for testing, though.
Is there any easy way for me to tell cURL to use the new version?
Our cURL seems to be compiled to look for libssl.so. Do I need to
compile a new cURL that uses the static lib instead, or is there some
environment variable or something like that I can use to redirect it
to the correct libs?

Thanks,
-Ryan

On Wed, Sep 17, 2008 at 11:15 AM, Dan Fandrich <dan_at_coneharvesters.com> wrote:
> On Wed, Sep 17, 2008 at 12:35:07AM -0500, Ryan Graciano wrote:
>> I get that "tlsv1 alert unknown ca" means it can't validate the CA,
>> but I'm passing -k (aka --insecure) to curl. I've tried the exact
>> same thing in PHP, setting VERIFYPEER to false and VERIFYHOST to
>> false, and I've received the exact same error from the PHP binding.
>> Shouldn't they both be skipping the code that validates the CA if I'm
>> specifically requesting to not validate it? What situation could
>> cause this error with those parameters?
>
> It sure sounds like you're doing everything right. Looking at the code, it
> also seems like this error probably isn't occurring in the normal host
> verification path. It looks like this is happening internal to OpenSSL
> somewhere. See if this patch changes the error code that's returned:
>
> diff -u -r1.206 ssluse.c
> --- ssluse.c 5 Sep 2008 14:29:21 -0000 1.206
> +++ ssluse.c 17 Sep 2008 16:13:47 -0000
> @@ -1592,6 +1592,10 @@
> entry. */
>
> switch(errdetail) {
> + case 0x14094418:
> + /* seems to occur if client certificate can't be validated */
> + rc = CURLE_SSL_CERTPROBLEM;
> + break;
> case 0x1407E086:
> /* 1407E086:
> SSL routines:
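Review bot: the comment on the new `case 0x14094418:` hedges ("seems to occur if client certificate can't be validated") where the neighbouring case records the decoded OpenSSL reason string (`/* 1407E086:` / `SSL routines:`); decode this code the same way (`openssl errstr 14094418` prints the library, function and reason) and put the actual reason in the comment so the mapping is auditable. Worth stating there as well: if it is the client certificate that fails validation, that check is done by the peer, not by curl's own certificate verification, which is why `-k` and `VERIFYPEER`/`VERIFYHOST` (which only relax curl's checks of the server's certificate) leave the error unchanged. Mapping it to `CURLE_SSL_CERTPROBLEM` makes the return code more accurate, but it does not by itself make the handshake succeed, so the error reported to the caller should stay distinguishable from a server-certificate verification failure.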
>
> If so, then it confirms my guess we'll have to figure out some way to get
> OpenSSL to stop doing whatever verification it's doing internally.
>
>>>> Dan
> --
> http://www.MoveAnnouncer.com The web change of address service
> Let webmasters know that your web site has moved
>
Received on 2008-09-17