curl-library

Re: Latest PEM file is not trusting yahoo.com and many other sites.

From: Guenter <lists_at_gknw.net>
Date: Tue, 09 Dec 2014 10:10:55 +0100

On 09.12.2014 09:48, Arif Ali wrote:
> Hello,
> I am using PEM file and following set of APIs on my windows-app.
>
> curl_easy_setopt( curl_handle, CURLOPT_SSLCERTTYPE, "PEM" );
> curl_easy_setopt( curl_handle, CURLOPT_CAINFO, certFile ); // CA cert bundle
> curl_easy_setopt( curl_handle, CURLOPT_SSL_VERIFYPEER, 1L );
> curl_easy_setopt( curl_handle, CURLOPT_SSL_VERIFYHOST, 2L ); // 2 = check the host name against the cert; 1 is not a valid setting
>
>
> It's not trusting the certificates of https://in.yahoo.com/ and one more
> https site.
> If I open both of these sites in Firefox they do open.
>
> The certificate issuers for both websites that are not opening are the following:
>
>
> Yahoo => VeriSign Class 3 Secure Server CA - G3
> Another HTTPS site => Entrust Certification Authority - L1C
>
> I have taken the latest PEM file from
> http://curl.haxx.se/docs/caextract.html
ok, but have you also read the note on that page?
Quote:
RSA-1024 removed

Around early September 2014, Mozilla removed the trust bits from the
certs in their CA bundle that were still using RSA 1024 bit keys. This
may lead to TLS libraries having a hard time to verify some sites if the
library in question doesn't properly support "path discovery" as per RFC
4158. (That includes OpenSSL and GnuTLS.)

In addition we offer an older ca-bundle from before this removal for
download too - please visit http://curl.haxx.se/docs/caextract.html again!

Gün.
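A quick way to see which bundle you actually ship (the current one, or the older one that still carries the RSA-1024 roots) is to list the key size of every certificate in it. This script is an added example, not code from the thread or from the curl project; it assumes only an openssl binary on PATH and a PEM bundle path as its argument.

```shell
#!/bin/sh
# Print "<key-bits> <subject>" for every certificate in a PEM CA bundle,
# so you can tell whether the bundle still contains RSA-1024 roots.
# Added example (not from the thread); assumes 'openssl' is on PATH.

bundle_key_bits() {
    bundle="$1"
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate: cert-0001.pem, cert-0002.pem, ...
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    for f in "$tmpdir"/cert-*.pem; do
        [ -f "$f" ] || continue
        # "Public-Key: (2048 bit)" appears in the -text dump of every OpenSSL version
        bits=$(openssl x509 -in "$f" -noout -text \
               | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        printf '%s %s\n' "${bits:-?}" "$subj"
    done
    rm -rf "$tmpdir"
}

# Only the certificates whose key is shorter than 2048 bits (the ones Mozilla
# stopped trusting in the September 2014 bundle).
weak_keys() {
    bundle_key_bits "$1" | awk '$1 ~ /^[0-9]+$/ && $1 < 2048'
}
```

Run `weak_keys /path/to/cacert.pem`; an empty result means you have the newer bundle, and a site whose chain leads only to one of the removed roots will then fail verification in libcurl with OpenSSL or GnuTLS, as the note above explains.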

Received on 2014-12-09