curl-library

CA Certificate Questions

From: Kerry Loux <louxkr_at_gmail.com>
Date: Mon, 8 Jun 2015 11:20:26 -0400

Hello all,

I am using libcurl in an application that I cross-compile to run on a
Raspberry Pi. I've built libcurl on openssl. When I attempt to generate
an https POST, I get "Peer certificate cannot be authenticated with given
CA certificate." In this case, I'm trying to get my application to talk to
Google.

After reading http://curl.haxx.se/docs/sslcerts.html, I tried this:

$ sudo apt-get install ca-certificates

which did appear to install correctly. But still no change in using
libcurl from my application.

I also read somewhere that adding the ca-bundle.crt linked to from
http://curl.haxx.se/docs/caextract.html would solve my problem - no change
after trying that, either.

I don't have a good understanding of certificates or how to work with
them. Here is what I think I know:
- I'm ignoring all of the many search results that describe how to
"self-sign" certificates, because this would apply only if I were getting
this message while trying to connect to a server that no one has ever heard
of before; certificates for Google or other well-known sites I expect to be
included in "standard" certificate bundles.
- I don't want to use curl_easy_setopt(curl, CURLOPT_CAPATH, capath) because
I've never had to use it for my natively-compiled applications (I do often
build libcurl from source, but I've never had to link against an encryption
library that I've built myself, which I did do in this case). Is there a
reason I should reconsider and use this now? I expected that installing
the distribution's ca-certificate bundle would have just worked.

So I have a couple of questions:
- What does the configure option --with-ca-bundle do? Does this just
specify a path to search, or do the certificates actually get included in
library binaries? I'm guessing the former, since the certificates need to
be updated periodically?
- Should I have expected installing the Raspbian ca-certificate bundle to
solve this issue? Why wouldn't it work?

Detailed output from libcurl while I try to connect:

* Trying 216.58.219.205...
* Connected to accounts.google.com (216.58.219.205) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

Thanks,

Kerry

Received on 2015-06-08
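
A check that fits the situation described in this mail, as an added example that is not part of the original post or of the curl project: the script classifies a CA bundle file (missing, empty, or holding some number of PEM certificates) and, when curl-config is on the PATH, reports the default bundle path that libcurl build was configured with. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail. Sample files are constructed.

# Classify a CA bundle path. Prints one of:
#   unset, missing, not-a-file, unreadable, empty, ok:<certificate count>
check_ca_bundle() {
    bundle=${1:-}
    [ -n "$bundle" ] || { echo "unset"; return 0; }
    [ -e "$bundle" ] || { echo "missing"; return 0; }
    [ -f "$bundle" ] || { echo "not-a-file"; return 0; }
    [ -r "$bundle" ] || { echo "unreadable"; return 0; }
    # grep -c exits with status 1 when the count is 0, so neutralise it.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$n" -eq 0 ]; then echo "empty"; else echo "ok:$n"; fi
}

# Default CA bundle path recorded when libcurl was configured, as reported
# by curl-config. Prints nothing if curl-config is absent or no path was set.
builtin_ca_bundle() {
    command -v curl-config >/dev/null 2>&1 || return 0
    curl-config --ca 2>/dev/null || true
}

# Report on the path given as $1, or on libcurl's built-in default.
report_ca_bundle() {
    path=${1:-$(builtin_ca_bundle)}
    echo "${path:-<none>}: $(check_ca_bundle "$path")"
}

# Constructed sample: one bundle with two placeholder PEM blocks, one empty file.
demo_dir=$(mktemp -d)
for i in 1 2; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----'
done > "$demo_dir/bundle.crt"
: > "$demo_dir/empty.crt"

report_ca_bundle "$demo_dir/bundle.crt"
report_ca_bundle "$demo_dir/empty.crt"
report_ca_bundle "$demo_dir/absent.crt"
report_ca_bundle    # libcurl's configured default, if curl-config is present

rm -rf "$demo_dir"
```

For a cross-compiled libcurl, the curl-config to consult is the one installed by that build, and the path it prints has to exist on the target system rather than on the build host.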