Detailed certificate verification error string

From: Gokhan Sengun <gokhansengun_at_gmail.com>
Date: Mon, 2 Apr 2012 14:00:54 +0300

Hello Folks,

Setting the CURLOPT_SSL_VERIFYPEER option and requesting peer certificate
verification, I noticed that libcurl is not chatty enough about certificate
validation problems when OpenSSL is used. The output is like below; the cause
of failure is not clear. Checking the internet, it looks like a lot of people
suffered from it when using curl and disabled peer verification as a solution :-)

SSLv3, TLS alert, Server hello (2):
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
Closing connection #0

I suggest we add something like below to the function 'ossl_connect_step2':

      /* Ask OpenSSL why chain verification failed; the X509_V_ERR_* code
         is not carried in the generic "certificate verify failed" alert. */
      lerr = SSL_get_verify_result(connssl->handle);

      failf(data, "SSL certificate verify result: %s (%ld)",
            X509_verify_cert_error_string(lerr), lerr);

Then the output becomes useful and we do not need to struggle with the openssl
command line tool to find the root cause of the certificate verification
failure. In my case, the problem was "the certificate's validity date was in
the near future" :-)

SSLv3, TLS alert, Server hello (2):
*SSL certificate verify result: certificate is not yet valid (9)*
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
Closing connection #0

Thanks

-- 
It is twice as difficult to debug a program as to write it. Therefore, if
you put all of your creativity and effort into writing the program, you are
not smart enough to debug it.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-04-02
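The mail's point is that OpenSSL's packed error code ("error:14090086:...") can only say that verification failed, never why; the X.509 reason comes from a separate call, SSL_get_verify_result(). The program below is an added illustration written for this page, not the poster's patch or libcurl code. It decodes a packed error code into its library/function/reason fields the way OpenSSL's ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON macros do, recognises the generic "certificate verify failed" alert, and pairs it with a verify-result string. It assumes the OpenSSL 1.0.x constant values (ERR_LIB_SSL = 20, SSL_R_CERTIFICATE_VERIFY_FAILED = 134) and reproduces only a subset of X509_verify_cert_error_string()'s table so that it builds without libcrypto; the log lines and the verify-result value 9 are constructed from the output quoted in the mail.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed from OpenSSL 1.0.x headers so this builds without libcrypto. */
#define ERR_LIB_SSL                      20   /* library id of "SSL routines" */
#define SSL_R_CERTIFICATE_VERIFY_FAILED  134  /* reason id of the generic alert */

/* The three fields packed into an ERR_get_error() code. */
struct ossl_err {
    int lib;     /* ERR_GET_LIB:    bits 24..31 */
    int func;    /* ERR_GET_FUNC:   bits 12..23 */
    int reason;  /* ERR_GET_REASON: bits  0..11 */
};

/* Split a packed error code exactly as OpenSSL's ERR_GET_* macros do. */
void decode_openssl_error_code(unsigned long code, struct ossl_err *out)
{
    out->lib    = (int)((code >> 24) & 0xffUL);
    out->func   = (int)((code >> 12) & 0xfffUL);
    out->reason = (int)(code & 0xfffUL);
}

/*
 * Parse one ERR_error_string() line such as
 *   "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
 * into its numeric fields plus the trailing reason text.
 * Returns 1 on success, 0 if the line is not in that format.
 */
int parse_openssl_error_line(const char *line, struct ossl_err *out,
                             char *reason_text, size_t reason_len)
{
    const char *hex = line + 6;
    char *end;
    unsigned long code;
    const char *last;

    if (strncmp(line, "error:", 6) != 0)
        return 0;
    code = strtoul(hex, &end, 16);
    if (end == hex || *end != ':')
        return 0;
    decode_openssl_error_code(code, out);

    /* The reason text is the final ':'-separated field. */
    last = strrchr(end, ':');
    if (last == NULL)
        return 0;
    snprintf(reason_text, reason_len, "%s", last + 1);
    return 1;
}

/*
 * True when the code is the SSL library's generic "certificate verify
 * failed" alert.  That code never carries the X.509 reason; the reason
 * lives in SSL_get_verify_result(), which the mail's patch surfaces.
 */
int is_generic_verify_failure(const struct ossl_err *e)
{
    return e->lib == ERR_LIB_SSL && e->reason == SSL_R_CERTIFICATE_VERIFY_FAILED;
}

/*
 * Subset of X509_verify_cert_error_string(): values and wording follow
 * OpenSSL's x509_vfy.h; codes outside the subset map to "unknown".
 */
const char *verify_result_string(long rc)
{
    switch (rc) {
    case 0:  return "ok";
    case 2:  return "unable to get issuer certificate";
    case 9:  return "certificate is not yet valid";
    case 10: return "certificate has expired";
    case 18: return "self signed certificate";
    case 19: return "self signed certificate in certificate chain";
    case 20: return "unable to get local issuer certificate";
    case 21: return "unable to verify the first certificate";
    case 23: return "certificate revoked";
    default: return "unknown verify result";
    }
}

int main(void)
{
    /* Constructed sample: the verbose output quoted in the mail. */
    const char *log_lines[] = {
        "SSLv3, TLS alert, Server hello (2):",
        "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
        "Closing connection #0",
    };
    long verify_result = 9;  /* constructed: SSL_get_verify_result() value from the mail */
    size_t i;

    for (i = 0; i < sizeof log_lines / sizeof log_lines[0]; i++) {
        struct ossl_err e;
        char reason[128];
        if (!parse_openssl_error_line(log_lines[i], &e, reason, sizeof reason))
            continue;
        printf("lib=%d func=%d reason=%d (%s)\n", e.lib, e.func, e.reason, reason);
        if (is_generic_verify_failure(&e))
            printf("generic alert only; X.509 verify result: %s (%ld)\n",
                   verify_result_string(verify_result), verify_result);
    }
    return 0;
}
```

Run against the mail's line, the decoder yields lib 20, func 144 and reason 134: the function field does name SSL3_GET_SERVER_CERTIFICATE, but the reason field is the same 134 for every failed chain, which is why logging SSL_get_verify_result() alongside it is the only way to tell an expired certificate from a missing CA without re-running the handshake by hand.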