curl-library

Re: Problem Related to nonblocking socket and Peer certificate verification

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 7 Oct 2008 10:52:22 +0200 (CEST)

On Tue, 7 Oct 2008, Ajeet kumar.S wrote:

> Thank you Daniel. I am trying to solve that issue.

"that issue" ?

> But when I enable nonblocking mode I saw after tcp connection our client
> sending client hello and always closing socket (resetting); it is not receiving
> server hello message but server is sending server hello and other ssl
> processes.

libcurl is always working with non-blocking sockets internally. What do you
mean by "enable nonblocking mode"? libcurl has no way of disabling that.

I think you need to spell out more clearly exactly what you're doing, what
platform you're using, what libcurl version and what SSL library and version
you're using. The best would be if you could show us an example program
repeating the problem against a public server so that we can help to identify
the problem properly.

> Actually I have one more doubt in using ssl peer certificate verification.
> I put all keys and certificates in debug folder and run; I got unknown CA
> error. Is it because we did not put our CA certificate in ca-bundle.pem, or
> for some different reason?

Well, do you have your server's certificate's CA (chain) in your ca cert
bundle?

> Let me know whether I did it correctly or wrong. If I want to use the
> CURLOPT_CAPATH option, do I need to give the path of the ca certificate location
> w.r.t. the debug folder, or w.r.t. the ca-bundle.crt file, or is there another way
> to assign the path?

If you use CAPATH you need to point to the directory where you have your CA
certs stored as prepared with the openssl c_rehash utility. As the man page
says.

> One more doubt: a certificate bundle has a bunch of certificates, so how
> will curl recognise which certificate to use to verify the incoming server
> certificate?

When the SSL lib verifies a cert using the CA cert bundle, you need to have
enough certs in that bundle to make sure the cert chain can get verified.

-- 
  / daniel.haxx.se
Received on 2008-10-07