Re: curl_easy_perform() fails with "Problem with the SSL CA cert (path? access rights?)" after first time calling this routine

From: cnm marketing
Date: Thu, 14 Mar 2013 16:53:26 -0400

Hi Dan,
Thanks for the suggestion.

I made some enhancements:
1. I use CURLOPT_CAINFO to specify the CA Certificate.

2. Upgraded libcurl to the latest version
[root_at_l2se0132 bin]# curl -V
curl 7.29.0 (x86_64-unknown-linux-gnu) libcurl/7.29.0 OpenSSL/1.0.0
zlib/1.2.3 c-ares/1.9.1 libidn/1.18 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz
3. use CURLOPT_VERBOSE and CURLOPT_STDERR to set the verbose output to a

After all these changes, I am getting the following error in the output:

[root_at_l2se0132 bin]# more /debug1.txt
* About to connect() to port 8443 (#0)
* Trying
* Connected to ( port 8443 (#0)
* successfully set certificate verify locations:
* CAfile: /usr/temp/cert.pem
  CApath: none
* error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too small
* Closing connection 0

Any thoughts on this error "Diffie-Hellman routines:GENERATE_KEY:key size
too small"?
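
The OpenSSL error line in the verbose output above can be unpacked to see which OpenSSL component raised it. The sketch below is an added example, not part of the original post and not libcurl or OpenSSL code; it assumes the OpenSSL 1.0.x packed error layout (8-bit library, 12-bit function, 12-bit reason), and `parse_ossl_error` and `lib_name` are hypothetical helper names.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fields of an OpenSSL 1.0.x packed error code (assumed ERR_PACK layout). */
struct ossl_err {
    unsigned long code;
    int lib;     /* bits 24..31: which OpenSSL library raised the error */
    int func;    /* bits 12..23: function code inside that library */
    int reason;  /* bits 0..11:  reason code inside that library */
};

/* Subset of the ERR_LIB_* numbers from openssl/err.h. */
static const char *lib_name(int lib)
{
    switch (lib) {
    case 4:  return "RSA";
    case 5:  return "DH";
    case 9:  return "PEM";
    case 11: return "X509";
    case 13: return "ASN1";
    case 20: return "SSL";
    default: return "other";
    }
}

/* Find "error:XXXXXXXX:" in a log line and unpack it. Returns 0 on success,
 * -1 when the line carries no well-formed 8-digit hex error code. */
static int parse_ossl_error(const char *line, struct ossl_err *out)
{
    const char *p = strstr(line, "error:");
    if (p == NULL)
        return -1;
    p += strlen("error:");
    for (int i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)p[i]))  /* also stops at end of string */
            return -1;
    if (p[8] != ':')
        return -1;
    out->code = strtoul(p, NULL, 16);
    out->lib = (int)((out->code >> 24) & 0xff);
    out->func = (int)((out->code >> 12) & 0xfff);
    out->reason = (int)(out->code & 0xfff);
    return 0;
}

int main(void)
{
    /* Error line copied from the verbose output quoted in the message. */
    const char *line = "* error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too small";
    struct ossl_err e;
    if (parse_ossl_error(line, &e) != 0)
        return 1;
    printf("lib=%d (%s) func=%d reason=%d\n", e.lib, lib_name(e.lib), e.func, e.reason);
    return 0;
}
```

For the line in the log this reports library 5 (DH), function 103 and reason 110, so the error was raised by OpenSSL's Diffie-Hellman code, not by its X509 or PEM certificate handling.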


From: Daniel Stenberg

Date: Sun, 10 Mar 2013 14:36:42 +0100 (CET)

On Sun, 10 Mar 2013, cnm marketing wrote:

> I'll appreciate it very much if anyone in the team can resolve this issue.
> I believe it is a bug in libcurl:
>
> Here is the information:
>
> Platform: 64bit Red Hat Enterprise Linux Server release 6.1
> libcurl version: curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/
> zlib/1.2.3 libidn/1.18 libssh2/1.2.2

We've done 591 documented bug fixes since 7.19.7. We will appreciate it if you
retry your case with a modern libcurl version to see if we've already fixed
your issue or not.

> 1. we dynamically load libcurl routines by using dlopen() and dlsym(), see
> code below

Why are you doing that? It is a great recipe for pain and suffering...

> 2. we call a set of libcurl routines, setopt CURLOPT_SSL_VERIFYPEER and
> 3. it fails with "Problem with the SSL CA cert (path? access rights?)"
> after the 1st call to httpPostData() routine (see code below).

What return code is that? CURLE_SSL_CACERT?

> 4. We don't/cannot use curl_global_init() because our code is thread-safe,
> and it crashes if we use this routine.

Eeeek. This is a sign of badness. If you don't call curl_global_init(),
libcurl will call it by itself automatically so there's no way to avoid
it being called!


