
curl-library

certificate verification against system cert (?) when custom CAINFO is set

From: Dima Tisnek <dimaqq_at_gmail.com>
Date: Thu, 11 Apr 2013 11:15:43 +0300

I'm trying to use curl with custom CAs only, but it seems the server
certificate gets verified against the system CAs too.

steps to reproduce:

air:~ dima$ mkdir empty
air:~ dima$ curl http://www.startssl.com/certs/ca.pem > ca.pem # unrelated global CA
air:~ dima$ curl --capath ./empty/ --cacert ca.pem -v https://www.google.com
* About to connect() to www.google.com port 443 (#0)
* Trying 74.125.143.103...
* connected
* Connected to www.google.com (74.125.143.103) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: ca.pem
  CApath: ./empty/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
* start date: 2013-03-27 13:28:22 GMT
* expire date: 2013-12-31 15:58:50 GMT
* subjectAltName: www.google.com matched
* issuer: C=US; O=Google Inc; CN=Google Internet Authority
* SSL certificate verify ok.

------------------------^^^^^^^^^
How come?
Google is not signed by StartCom...
The connection works after that; I get some HTTP response.
I'm running the curl shipped with OS X; it's a bit old:

air:~ dima$ curl --version
curl 7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz

I don't have the same problem on Linux with newer versions, namely curl
7.29.0 and OpenSSL 1.0.1e.

I could find only a few mentions of certificates in the curl changelog, and
they don't seem to apply here; thus the question: is this a curl bug
that was silently fixed, an OpenSSL bug, or an operating-system-specific
issue?

cheers,
dima
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-04-11
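The reproduction in the post depends on www.google.com and a downloaded StartCom root. The script below is an added example, not code from the post or from the curl project: it performs the same "custom CA only" check fully offline by generating two throwaway CAs with openssl, serving a certificate signed by CA A from a local openssl s_server, and probing it with curl twice. The probe with CA A must succeed (exit 0); the probe with an empty --capath plus the unrelated CA B, which mirrors the post's command line, must fail with curl exit 60 (51 on some older curl builds). If that second probe exits 0, curl's TLS backend is consulting a trust store beyond what --cacert/--capath name, which is exactly the symptom reported above. It assumes openssl and curl are on PATH and that TCP port 44301 on 127.0.0.1 is free; both are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post or the curl project):
# check that curl verifies a peer ONLY against the CA given via --cacert/--capath.
# Assumptions for this example: `openssl` and `curl` are on PATH, and TCP port
# 44301 on 127.0.0.1 is free.
PORT=44301

# Create a self-signed CA. An explicit minimal config is used so the result
# does not depend on the system openssl.cnf (which may not mark it CA:TRUE).
mk_ca() {  # $1 = output basename, $2 = CN
  cat > "$1.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -config "$1.cnf" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Fetch https://127.0.0.1:$PORT/ with the given trust arguments and print
# curl's exit status (0 = verified, 60 or 51 = peer verification failed).
probe() {
  rc=0
  curl -sS -o /dev/null "$@" "https://127.0.0.1:$PORT/" 2>/dev/null || rc=$?
  echo "$rc"
}

# Returns 0 when curl trusts only the CA it was given, 1 when it does not
# (or the local server could not be reached), 2 when certificate setup failed.
check_ca_isolation() {
  work=$(mktemp -d) || return 2
  mkdir "$work/empty"                       # the post's empty --capath
  ( cd "$work" && mk_ca ca_a "Test CA A" && mk_ca ca_b "Unrelated CA B" ) || return 2

  # Server key + CSR, signed by CA A with a SAN that matches the URL we fetch.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -config "$work/ca_a.cnf" -keyout "$work/srv.key" -out "$work/srv.csr" \
    >/dev/null 2>&1 || return 2
  printf 'subjectAltName=IP:127.0.0.1,DNS:localhost\nbasicConstraints=CA:FALSE\n' \
    > "$work/srv.ext"
  openssl x509 -req -in "$work/srv.csr" -CA "$work/ca_a.pem" -CAkey "$work/ca_a.key" \
    -CAcreateserial -days 1 -extfile "$work/srv.ext" -out "$work/srv.pem" \
    >/dev/null 2>&1 || return 2

  # Minimal HTTPS server presenting the CA-A-signed certificate.
  openssl s_server -4 -accept "$PORT" -cert "$work/srv.pem" -key "$work/srv.key" \
    -www >/dev/null 2>&1 &
  srv=$!
  i=0
  while [ "$i" -lt 20 ]; do                 # wait for the listener to come up
    [ "$(probe --cacert "$work/ca_a.pem")" = 0 ] && break
    i=$((i + 1)); sleep 1
  done

  good=$(probe --cacert "$work/ca_a.pem")
  bad=$(probe --capath "$work/empty" --cacert "$work/ca_b.pem")
  kill "$srv" >/dev/null 2>&1 || true
  rm -rf "$work"

  echo "right CA (ca_a): curl exit $good; wrong CA only (empty capath + ca_b): curl exit $bad"
  [ "$good" = 0 ] || return 1              # harness problem, not a trust result
  case "$bad" in 60|51) return 0 ;; esac    # rejected: trust is isolated as expected
  [ "$bad" = 0 ] && echo "WARNING: verified against an unrelated CA; a system trust store is being consulted"
  return 1
}

# Run directly as `sh check_ca_isolation.sh run`; sourcing only defines the functions.
if [ "${1:-}" = run ]; then check_ca_isolation; fi
```

Run it once against each curl build you care about (the OS X one from the post, the Linux one it is compared with, or a build on a different TLS backend); the only interesting outcome is the wrong-CA probe exiting 0, since that means the trust anchors you passed are not the complete trust set.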