curl-library
Problem Related to Curl Peer Verification
Date: Tue, 7 Oct 2008 19:24:08 +0530
Dear All,
Thank you, Daniel.
> "that issue" ?
I mean I was trying to set non-blocking mode. Now the problem is solved: the
application data loss was because we missed the definition of ssize_t nread in
the transfer.c file; we defined ssize_t as unsigned int, but SSL was returning -1.
One thing I have a doubt about: I have an own_cacert.pem file; how can we add it
to ca-bundle.crt? Another thing is that we downloaded cacert.pem from
http://curl.haxx.se/; how will we add our certificate there? I think we just
place our ownca_cert.pem content in it. But I saw that cacert.pem mentions the
CA authority name; how will it know that from our keys?
> I think you need to spell out more clearly exactly what you're doing, what
> platform you're using, what libcurl version and what SSL library and version
> you're using. The best would be if you could show us an example program
> repeating the problem against a public server so that we can help to identify
> the problem properly.
Actually, our platform is netVDK and VDK, proprietary to Analog Devices, with
libcurl version 7.17.1 and OpenSSL 0.9.8g.
Actually, the problem was defining ssize_t nread: we declared ssize_t as
unsigned int.
>Well, do you have your server's certificate's CA (chain) in your ca cert
>bundle?
Actually, I have the CA certificate and I want to verify the peer; for that I set
the options below:
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
curl_easy_setopt(curl, CURLOPT_CAINFO, "cafile.pem");
I placed cafile.pem in the debug folder and ran it, and I got the error "unknown
CA authority", fatal error (2).
At one point I changed the name of cafile.pem to cacert.pem; I got the same
error.
Is it necessary to add our CA certificate to the ca-bundle.crt file? Please
tell me how to convert our CA certificate (in .pem) to .crt format, so I can
add our CA certificate to the ca-bundle.crt file.
Please reply to me.
Thank you.
Regards,
--Ajeet Kumar Singh
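The ssize_t mistake described in the reply above, as an added example that is not code from the thread or from libcurl. It shows what a transfer loop does when the platform typedefs ssize_t as unsigned int: the -1 that an SSL_read()/recv()-style call returns on failure is converted to UINT_MAX, the "nread < 0" check becomes dead code, and the loop hands the application a bogus byte count instead of stopping. The peer, payload and buffer sizes are constructed for the demo; fake_ssl_read, transfer_broken and transfer_fixed are names of this example only.

```c
/* Added example; not libcurl's code. Reproduces the class of bug fixed in the
 * report: a platform header that typedefs ssize_t as an unsigned type, so the
 * -1 returned by an SSL_read()/recv()-style call can never satisfy "nread < 0"
 * and is instead accounted as UINT_MAX received bytes. Peer, payload and
 * buffer sizes are constructed for the demo. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

typedef unsigned int broken_ssize_t;   /* the definition from the report */
typedef long         fixed_ssize_t;    /* signed, as ssize_t must be to hold -1 */

/* Constructed peer: 12 bytes of payload, then -1 forever (error or close). */
static const char WIRE[] = "hello world!";

static int fake_ssl_read(size_t *pos, char *buf, size_t buflen)
{
    size_t left = strlen(WIRE) - *pos;
    if (left == 0)
        return -1;                      /* what SSL_read()/recv() return on failure */
    size_t n = left < buflen ? left : buflen;
    memcpy(buf, WIRE + *pos, n);
    *pos += n;
    return (int)n;
}

struct outcome {
    int error_seen;                     /* did the "< 0" check ever fire? */
    unsigned long long delivered;       /* bytes the loop handed to the application */
    int iterations;
};

#define MAX_ITER 5   /* cap so the broken loop terminates in this demo */

/* Transfer loop with the wrong typedef: the error return is silently
 * converted to UINT_MAX and "delivered" as data; the loop never stops on it. */
struct outcome transfer_broken(void)
{
    struct outcome o = {0, 0, 0};
    char buf[8];
    size_t pos = 0;
    while (o.iterations < MAX_ITER) {
        o.iterations++;
        broken_ssize_t nread = fake_ssl_read(&pos, buf, sizeof buf);
        if (nread < 0) {                /* always false for an unsigned type */
            o.error_seen = 1;
            break;
        }
        o.delivered += nread;           /* UINT_MAX bogus bytes per failed read */
    }
    return o;
}

/* Same loop with a signed ssize_t: the -1 is caught on the third read. */
struct outcome transfer_fixed(void)
{
    struct outcome o = {0, 0, 0};
    char buf[8];
    size_t pos = 0;
    while (o.iterations < MAX_ITER) {
        o.iterations++;
        fixed_ssize_t nread = fake_ssl_read(&pos, buf, sizeof buf);
        if (nread < 0) {                /* -1 is seen and the transfer stops */
            o.error_seen = 1;
            break;
        }
        o.delivered += (unsigned long long)nread;
    }
    return o;
}

int main(void)
{
    struct outcome b = transfer_broken(), f = transfer_fixed();
    printf("unsigned ssize_t: error seen=%d, delivered=%llu bytes in %d reads\n",
           b.error_seen, b.delivered, b.iterations);
    printf("signed ssize_t:   error seen=%d, delivered=%llu bytes in %d reads\n",
           f.error_seen, f.delivered, f.iterations);
    return 0;
}
```

With the unsigned typedef the loop runs until the iteration cap and reports 12 + 3*UINT_MAX bytes delivered without ever seeing an error; with a signed type it delivers 12 bytes and stops on the third read. gcc's -Wextra (specifically -Wtype-limits) warns that "nread < 0" is always false for an unsigned operand, which is how this kind of porting mistake is usually caught before it reaches a transfer loop.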
Date: Tue, 7 Oct 2008 10:52:22 +0200 (CEST)
From: Daniel Stenberg <daniel_at_haxx.se>
Subject: Re: Problem Related to nonblocking socket and Peer certificate verification
To: libcurl development <curl-library_at_cool.haxx.se>
Message-ID: <alpine.LRH.1.10.0810071046150.4390_at_yvahk3.pbagnpgbe.fr>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Tue, 7 Oct 2008, Ajeet kumar.S wrote:
> Thank you Daniel. I am trying to solve that issue.
"that issue" ?
> But when I enable non-blocking mode I saw that, after the TCP connection, our
> client sends Client Hello and always closes (resets) the socket; it is not
> receiving the Server Hello message, but the server is sending Server Hello
> and the other SSL processes.
libcurl is always working with non-blocking sockets internally. What do you
mean by "enable nonblocking mode"? libcurl has no way of disabling that.
I think you need to spell out more clearly exactly what you're doing, what
platform you're using, what libcurl version and what SSL library and version
you're using. The best would be if you could show us an example program
repeating the problem against a public server so that we can help to identify
the problem properly.
> Actually, I have one more doubt about using SSL peer certificate verification.
> I put all keys and certificates in the debug folder and ran it, and I got an
> unknown CA error. Is it due to us not putting our CA certificate in
> ca-bundle.pem, or some different reason?
Well, do you have your server's certificate's CA (chain) in your ca cert
bundle?
> Let me know if I did it correctly or wrongly. I want to know, if I want to use
> the CURLOPT_CAPATH option, whether I need to give the path of the CA
> certificate location w.r.t. the debug folder, or whether we need to give it
> w.r.t. the ca-bundle.crt file, or some other way to assign the path.
If you use CAPATH you need to point to the directory where you have your CA
certs stored as prepared with the openssl c_rehash utility. As the man page
says.
> One more doubt: the certificate bundle has a bunch of certificates, so how
> will curl recognise which certificate to use to verify the incoming server
> certificate?
When the SSL lib verifies a cert using the CA cert bundle, you need to have
enough certs in that bundle to make sure the cert chain can get verified.
-- / daniel.haxx.se ------------------------------
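The two trust-store layouts discussed in this message (a CURLOPT_CAINFO bundle that must contain enough certs to complete the chain, and a CURLOPT_CAPATH directory prepared with c_rehash), together with the .pem-to-.crt question from the reply, as an added example that is not code from the thread or from curl. It assumes an OpenSSL command line of 1.1.0 or later (for openssl rehash, -no-CAfile and -no-CApath); every certificate, key and name in it is generated by the script as constructed test data.

```sh
#!/bin/sh
# Added example, not curl's or the thread's code. Builds the two trust-anchor
# layouts libcurl accepts, puts a private CA into them, and checks a server
# certificate the way the SSL library does at handshake time. All certificates
# are generated here as test data; the names are arbitrary.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: an unrelated root (stands in for the public CAs in cacert.pem),
# our private CA, and a server certificate issued by the private CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Some Public Root" \
    -keyout "$WORK/public.key" -out "$WORK/public_root.pem" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Own Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/own_cacert.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/own_cacert.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/server.pem" >/dev/null 2>&1

# CURLOPT_CAINFO layout: one PEM file holding any number of CA certificates.
# ".crt" and ".pem" are only file extensions here; curl's ca-bundle.crt is PEM,
# the same "-----BEGIN CERTIFICATE-----" blocks, so no conversion is needed and
# adding a CA is plain concatenation.
cat "$WORK/public_root.pem" > "$WORK/without_own_ca.crt"                    # lacks our CA
cat "$WORK/public_root.pem" "$WORK/own_cacert.pem" > "$WORK/ca-bundle.crt"  # includes it

# CURLOPT_CAPATH layout: one certificate per file, plus symlinks named by the
# subject-name hash. c_rehash creates those; "openssl rehash" is the same tool
# built into the openssl binary since 1.1.0.
mkdir "$WORK/capath"
cp "$WORK/own_cacert.pem" "$WORK/capath/"
openssl rehash "$WORK/capath" >/dev/null 2>&1

# The decision the SSL library makes during the handshake: does the chain from
# the server certificate end at a CA present in the store it was given?
check_with_bundle() {   # $1 = bundle file (CAINFO), $2 = server certificate
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}
check_with_capath() {   # $1 = hashed directory (CAPATH), $2 = server certificate
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# Negative case: the bundle has valid CAs but not the issuer, so verification
# fails no matter how many other certificates it holds.
if check_with_bundle "$WORK/without_own_ca.crt" "$WORK/server.pem"; then
    echo "unexpected: verified without the issuing CA"; exit 1
fi
echo "bundle without the issuing CA: verification fails"

# Positive cases: the library finds the matching issuer by subject name, so the
# other certificates in the bundle do not interfere.
check_with_bundle "$WORK/ca-bundle.crt" "$WORK/server.pem" \
    || { echo "ca-bundle.crt: FAILED"; exit 1; }
echo "ca-bundle.crt (CAINFO): OK"
check_with_capath "$WORK/capath" "$WORK/server.pem" \
    || { echo "capath: FAILED"; exit 1; }
echo "hashed directory (CAPATH): OK"
```

The negative case is the situation in the reply: a bundle that does not contain the issuing CA, which openssl verify reports as "unable to get local issuer certificate" and which OpenSSL maps to the TLS unknown_ca alert when it happens inside a handshake. Whether the store is given as a file or as a directory, libcurl only passes it on; the issuer lookup and chain building are done by the SSL library, so the store has to hold the CA that actually signed the server certificate (or the whole intermediate chain up to it).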