curl-library
Re: digging into the tutorial as well as example cacertinmem.c
Date: Mon, 11 Mar 2013 22:06:25 -0400
----- Original Message -----
From: Dennis Clarke <dclarke_at_blastwave.org>
Date: Monday, March 11, 2013 9:38 pm
Subject: digging into the tutorial as well as example cacertinmem.c
To: curl-library_at_cool.haxx.se
> I think SSL may be a bit baffling to me as the term "CA Cert" gets
> used a lot
> but I am not too clear where libcurl looks to find these CAs.
>
> The sample code cacertinmem.c compiles neatly and I tried to replace the
> contents of the "char * mypem" variable with pem contents I extracted
>
> using openssl :
>
> openssl s_client -connect www.targetsite.com:443 -CApath
> /usr/local/ssl/certs -showcerts
>
> I get lovely-looking output somewhat like:
>
> CONNECTED(00000004)
> depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref.
> (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net
> Certification Authority (2048)
> verify return:1
> depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is
> incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust
> Certification Authority - L1C
> verify return:1
> depth=0 C = US, ST = New York, L = New York, O = Some Company Name, CN
> = www.targetsite.com
> verify return:1
>
> So that looks quite nice.
>
> I am thinking, based on the docs for curl_easy_setopt, that I can set
> a filename via CURLOPT_SSLCERT that contains a bundle of PEM data with
> the required PEM goodness
> in it like so :
>
> $ cat
> /usr/local/ssl/certs/Entrust.net_Premium_2048_Secure_Server_CA.pem \
> > /usr/local/ssl/certs/Entrust.net_Secure_Server_CA.pem \
> > /usr/local/ssl/certs/Entrust_Root_Certification_Authority.pem > Entrust_bundle
>
> Then somehow, magically, watch libCurl use that as the place to look
> for a CA Cert.
>
> Am I on the right path here ?
Reply to myself, how stylish.
The curl command line tool verifies that the bundle I made works:
$ curl https://www.targetsite.com --cacert Entrust_bundle 2>&1 | head -5
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1656 100 1656 0 0 14211 0 --:--:-- --:--:-- --:--:-- 14526
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>...etc etc etc ..
If I do NOT specify the --cacert filename then I get this:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
No problem.
So I know that my little bundle works.
However, when I try to use this:
curl_easy_setopt(curl, CURLOPT_CAPATH, "./Entrust_bundle");
My code still throws this (with Unix time from REALTIME_CLOCK):
INFO: 1363053559.803122900 : successfully set certificate verify locations:
INFO: 1363053559.803441850 : CAfile: none
CApath: ./Entrust_bundle
INFO: 1363053559.804452922 : SSLv3, TLS handshake, Client hello (1):
TRACE: 1363053559.804765397 : => Send SSL data, 0000000342 bytes (0x00000156)
INFO: 1363053559.826169037 : SSLv3, TLS handshake, Server hello (2):
TRACE: 1363053559.826480541 : <= Recv SSL data, 0000000049 bytes (0x00000031)
INFO: 1363053559.827454790 : SSLv3, TLS handshake, CERT (11):
TRACE: 1363053559.827766213 : <= Recv SSL data, 0000002597 bytes (0x00000a25)
INFO: 1363053559.831700760 : SSLv3, TLS alert, Server hello (2):
TRACE: 1363053559.832011293 : => Send SSL data, 0000000002 bytes (0x00000002)
INFO: 1363053559.832902911 : SSL certificate problem: unable to get local issuer certificate
INFO: 1363053559.833269205 : Closing connection 0
curl_easy_perform() failed: Peer certificate cannot be authenticated with given CA certificates
So I am back to wondering, and reading this again: http://curl.haxx.se/docs/sslcerts.html
Anyone see something blatantly obvious?
dc
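An added example, not code from the original post or from the curl project. In the curl tool, --cacert corresponds to CURLOPT_CAINFO (a PEM bundle file) and --capath to CURLOPT_CAPATH (a directory of certificates named by subject hash, as c_rehash produces). The libcurl log above shows the bundle file being installed as CApath with CAfile "none", which OpenSSL accepts without complaint and then fails to find an issuer in. The helper below checks a path before handing it to libcurl: a regular file goes to CURLOPT_CAINFO, and a directory is only accepted for CURLOPT_CAPATH when it contains at least one hash-named entry. The bundle contents, the hashed file name "bc3f2d5d.0" and the /tmp paths are constructed placeholders; the libcurl calls are compiled in only with -DUSE_LIBCURL so the check runs without the library installed.

```c
/* Added example (not from the original post or from curl): choose between
 * CURLOPT_CAINFO (PEM bundle file, like --cacert) and CURLOPT_CAPATH
 * (hash-named directory, like --capath) and refuse an unusable location.
 * Build with libcurl:  cc -DUSE_LIBCURL ca_check.c -lcurl */
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#ifdef USE_LIBCURL
#include <curl/curl.h>
#endif

enum ca_kind { CA_INVALID, CA_INFO, CA_PATH };

/* Regular file -> CA_INFO, directory -> CA_PATH, anything else -> CA_INVALID. */
enum ca_kind ca_option_for_path(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return CA_INVALID;
    if (S_ISREG(st.st_mode))
        return CA_INFO;
    if (S_ISDIR(st.st_mode))
        return CA_PATH;
    return CA_INVALID;
}

/* OpenSSL looks CApath entries up as <8 hex digits>.<n>, e.g. "bc3f2d5d.0".
 * A directory without such names never yields an issuer, even though
 * libcurl logs "successfully set certificate verify locations". */
int is_hashed_name(const char *name)
{
    size_t i;
    for (i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)name[i]))
            return 0;
    if (name[8] != '.' || name[9] == '\0')
        return 0;
    for (i = 9; name[i] != '\0'; i++)
        if (!isdigit((unsigned char)name[i]))
            return 0;
    return 1;
}

int capath_has_hashed_entries(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *ent;
    int found = 0;
    if (d == NULL)
        return 0;
    while ((ent = readdir(d)) != NULL)
        if (is_hashed_name(ent->d_name)) { found = 1; break; }
    closedir(d);
    return found;
}

/* Write a constructed placeholder "bundle" so the example runs offline;
 * a real bundle is the concatenated PEM files from the post. */
int write_demo_bundle(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("-----BEGIN CERTIFICATE-----\nMIIB...constructed placeholder...\n"
          "-----END CERTIFICATE-----\n", f);
    return fclose(f);
}

/* Create a constructed CApath-style directory holding one hash-named entry. */
int make_demo_capath(const char *dir)
{
    char entry[512];
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    snprintf(entry, sizeof entry, "%s/bc3f2d5d.0", dir);  /* placeholder hash */
    return write_demo_bundle(entry);
}

/* Returns the libcurl option name applied, or NULL when the path is unusable. */
const char *apply_ca_location(void *curl, const char *path)
{
    (void)curl;
    switch (ca_option_for_path(path)) {
    case CA_INFO:
#ifdef USE_LIBCURL
        curl_easy_setopt((CURL *)curl, CURLOPT_CAINFO, path);
#endif
        return "CURLOPT_CAINFO";
    case CA_PATH:
        if (!capath_has_hashed_entries(path))
            return NULL;            /* a plain directory of .pem files will not work */
#ifdef USE_LIBCURL
        curl_easy_setopt((CURL *)curl, CURLOPT_CAPATH, path);
#endif
        return "CURLOPT_CAPATH";
    default:
        return NULL;
    }
}

int main(void)
{
    const char *bundle = "./Entrust_bundle";   /* the file from the post */
    void *curl = NULL;
    const char *opt;
#ifdef USE_LIBCURL
    curl = curl_easy_init();
#endif
    opt = apply_ca_location(curl, bundle);
    printf("%s -> %s\n", bundle, opt ? opt : "not usable as a CA location");
#ifdef USE_LIBCURL
    curl_easy_cleanup(curl);
#endif
    return opt ? 0 : 1;
}
```

Run against the bundle from the post, the check reports CURLOPT_CAINFO, which is the option that matches the working `--cacert Entrust_bundle` command line; handing the same file to CURLOPT_CAPATH is what produces the "CAfile: none / CApath: ./Entrust_bundle" lines in the log.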
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-03-12