curl-library

Re: SSL certificate problem different behavior

From: Dima Tisnek <dimaqq_at_gmail.com>
Date: Tue, 7 Jan 2014 12:30:17 +0100

Please validate both platforms with "openssl s_client" first.
When it comes to embedded, the first error cause that comes to mind is
a wrong or unset system time. Date and time are required to validate
the certificate chain.

On 3 January 2014 18:43, bill dr <bilel.dr_at_gmail.com> wrote:
> Hi all,
> I am using libcurl to download files from an https server using a
> self-signed cert file.
> The small code that I wrote is working on my Ubuntu PC but not working
> on the target platform.
> I also tested with command line curl and I had the same certification issue.
> The two platforms are quite different but I don't know the root cause
> of this problem.
>
> Following is the command used on both platforms and the output that I
> got, plus the result of the curl -V command on both platforms:
>
>
>
> curl -v --digest --noproxy 10.1.1.93 --user test:test --cacert
> server.crt https://10.1.1.93/test.txt
>
>
> ----------------------------------------------------------------------------------------------
> result in PC:
>
>
> * About to connect() to 10.1.1.93 port 443 (#0)
> * Trying 10.1.1.93... connected
> * Connected to 10.1.1.93 (10.1.1.93) port 443 (#0)
> * successfully set certificate verify locations:
> * CAfile: server.crt
> CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server key exchange (12):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using DHE-RSA-AES256-SHA
> * Server certificate:
> * subject: ...............
> * start date: 2013-12-19 11:30:22 GMT
> * expire date: 2023-12-17 11:30:22 GMT
> * common name: 10.1.1.93 (matched)
> * issuer:......................
> * SSL certificate verify ok.
> * Server auth using Digest with user 'test'
>> GET /suota_manifest.json HTTP/1.1
>> User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
>> Host: 10.1.1.93
>> Accept: */*
>
> --------------------------------------------------------------------------------------------
>
> curl -V
> curl 7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k
> zlib/1.2.3.3 libidn/1.15
> Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
> Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
>
> ----------------------------------------------------------------------------------------------
>
>
> result in embedded platform:
>
>
>
> * About to connect() to 10.1.1.93 port 443 (#0)
> * Trying 10.1.1.93...
> * connected
> * Connected to 10.1.1.93 (10.1.1.93) port 443 (#0)
> * successfully set certificate verify locations:
> * CAfile: server.crt
> CApath: none
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS alert, Server hello (2):
> * SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
> * Closing connection #0
> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
> ----------------------------------------------------------------------------------------------
>
> curl -V
> curl 7.24.0 (arm-angstrom-linux-gnueabi) libcurl/7.24.0 OpenSSL/1.0.0j
> zlib/1.2.6 libidn/1.24
> Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s
> rtsp smtp smtps telnet tftp
> Features: IDN NTLM NTLM_WB SSL libz
>
> ----------------------------------------------------------------------------------------------
>
> Could you please help me to find what is going wrong ?
> Thank you!
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-01-07
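
An added example, not part of either mail: the clock check suggested in the reply, written as a small POSIX shell script. It reads the validity window from the working PC's `curl -v` output and compares it with a UTC timestamp; the function names and the 1970 clock value are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: certificate lines as they appear in the working PC's
# `curl -v` output quoted in this thread.
SAMPLE_LOG='* Server certificate:
*  start date: 2013-12-19 11:30:22 GMT
*  expire date: 2023-12-17 11:30:22 GMT
*  common name: 10.1.1.93 (matched)'

# Reduce "2013-12-19 11:30:22" to the fixed-width string 20131219113022.
to_key() { printf '%s' "$1" | tr -cd '0-9' | cut -c1-14; }

# Extract the timestamp that follows "LABEL:" in curl -v output.
cert_field() {
    printf '%s\n' "$1" |
        sed -n "s/^.*$2: *\([0-9][0-9: -]*[0-9]\).*$/\1/p" | head -n 1
}

# String comparison in awk: fixed-width keys sort lexicographically, and this
# avoids 14-digit integers in `[ -lt ]` on 32-bit shells.
earlier() { awk -v a="$1" -v b="$2" 'BEGIN { exit !((a "") < (b "")) }'; }

# clock_vs_cert LOG "YYYY-MM-DD HH:MM:SS" (UTC)
# Prints ok | not-yet-valid | expired | no-dates-found | bad-clock-format.
clock_vs_cert() {
    start=$(cert_field "$1" 'start date')
    end=$(cert_field "$1" 'expire date')
    if [ -z "$start" ] || [ -z "$end" ]; then
        echo "no-dates-found"; return 2
    fi
    now=$(to_key "$2")
    if [ "${#now}" -ne 14 ]; then
        echo "bad-clock-format"; return 2
    fi
    if earlier "$now" "$(to_key "$start")"; then
        echo "not-yet-valid"; return 1
    elif earlier "$(to_key "$end")" "$now"; then
        echo "expired"; return 1
    fi
    echo "ok"
}

# A board that boots without an RTC or NTP often reports a date near the
# epoch (constructed value). On the device itself, pass
# "$(date -u '+%Y-%m-%d %H:%M:%S')" instead.
clock_vs_cert "$SAMPLE_LOG" '1970-01-01 00:03:12' || true
```

A `not-yet-valid` result on the target means the certificate itself is fine and the clock has to be set before verification can succeed.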