curl-library

Re: Unknown SSL protocol error in connection

From: Brian Dessent <brian_at_dessent.net>
Date: Mon, 24 Nov 2008 17:41:43 -0800

Jeff_Curley_at_playstation.sony.com wrote:

> --trace-ascii -k --cacert /app_home/mycert.pem --url
> https://www.fortify.net/sslcheck.html
> [...]
> == Info: SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> [...]
> so exactly what do I need to do to test this? This is definitely something
> I'll have to post at the OpenSSL forums, but I was hoping (with my
> ignorance of SSL) someone might be able to give me some pointers without me
> having to post to the OpenSSL people asking something completely ignorant.

I think you are misunderstanding what is being verified. The thing that
you pass with --cacert should be a bundle of CA certificates to verify
the remote site. Thus, www.fortify.net presents your end with its
certificate and libcurl uses the thing provided by --cacert to verify
that www.fortify.net is who they say they are according to some
well-known certificate authority (CA) who signed their cert. If you
don't have that well-known authority's certificate (in this case
Godaddy) in your CA bundle, then you can't verify that www.fortify.net
is who they say they are.

It seems like you have generated a self-signed certificate and passed
that as --cacert. That doesn't make any sense. A self-signed
certificate can do nothing to verify the certificate that
www.fortify.net is presenting, which is all that curl is trying to do.
(Also, passing -k and --cacert both at the same time makes no sense
either; they are saying opposite things.)

What is it exactly that you are trying to achieve?

Do you want to access public https: sites and verify their certificates
to know with certainty that they are who they say they are? Then you
need to use a bundle containing root certs of all the well-known and
trusted public CAs, such as what comes with your browser (or from
<http://curl.haxx.se/docs/caextract.html>).

Do you want to set up your own https: site, with a fake snake oil
self-signed cert for testing? In that case, you need to generate your
own snake oil CA, then generate and sign your server's cert with that
CA's cert, then install the resulting cert on the server, and then hit
that server's https: url with curl, passing your CA's cert to curl with
--cacert so it can use it to verify the cert that your server presents.
The commands to do all these things are a little complicated but they're
all covered in the openssl documentation.

Brian
Received on 2008-11-25
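The procedure in the last paragraph, worked through as an added example (not part of Brian's mail): build a throwaway test CA, sign a server certificate with it, and check which certificate can act as the trust anchor. It assumes the openssl command-line tool is installed; the CA name, hostname and file names are made up.

```sh
#!/bin/sh
# Added example: a private "snake oil" CA and a server cert signed by it.
# The point from the thread: only the CA that issued server.pem can verify
# it; an unrelated self-signed certificate passed as --cacert cannot.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_test_pki() {
  # 1. The test CA: self-signed, and the only thing curl needs via --cacert.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Snake Oil Test CA" 2>/dev/null

  # 2. Server key plus a signing request for the (made-up) test host.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=test.example.invalid" 2>/dev/null

  # 3. Sign the request with the CA key: this is what lets ca.pem vouch
  #    for server.pem during verification.
  openssl x509 -req -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null

  # 4. An unrelated self-signed cert, like the one the poster handed to
  #    --cacert. It never signed anything, so it verifies nothing.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" \
    -subj "/CN=Unrelated Self-Signed Cert" 2>/dev/null
}

# verify_with CAFILE: exit 0 if CAFILE verifies the server certificate,
# mirroring what libcurl does with the file given to --cacert.
verify_with() {
  openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

make_test_pki
verify_with "$WORK/ca.pem" && echo "ca.pem verifies server.pem: correct --cacert"
verify_with "$WORK/other.pem" || echo "other.pem cannot verify server.pem: certificate verify failed"

# With server.pem/server.key installed on the test host, the matching call is:
#   curl --cacert "$WORK/ca.pem" https://test.example.invalid/
```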