cURL / Mailing Lists / curl-library / Single Mail


Re: BADCERT_NOT_TRUSTED error with mbedTLS

From: Thomas Glanzmann <>
Date: Tue, 29 Dec 2015 19:06:18 +0100

Hello Ray,

> Does anyone have mbedTLS working in curl 7.46.0?

when I build mbedTLS on Linux and try what you did, I notice the

        - --cacert Only accepts a single certificate not a file
          containing multiple certs.

        - I patched MBEDTLS to tell me why it flagged the cert as bad
          and it told me:

(x1) [~/work/vlconnect/local/linux/bin] ./curl -Ss
Child is the top of the chain
curl: (51) Cert verify failed: BADCERT_NOT_TRUSTED

I don't really get what they do here. I see that it fails for many domains, it
should not fail. But maybe Manuel can shed some light on it. I file a bugreport.

In order to reproduce, this is what I did:

git clone
cd mbedtls
CFLAGS="-Os" make -j lib
make DESTDIR=`pwd`/../local/linux install

git clone
cd curl
./configure CFLAGS='-Os' \
        --without-ssl --with-mbedtls=`pwd`/../local/linux \
        --disable-ares \
        --disable-cookies \
        --disable-manual \
        --disable-versioned-symbols \
        --enable-hidden-symbols \
        --prefix=`pwd`/../local/linux \
        --disable-shared \
        --disable-manual \
        --disable-libcurl-option \
        --enable-sspi \
        --disable-ftp \
        --disable-smb \
        --disable-dict \
        --disable-file \
        --disable-gopher \
        --disable-imap \
        --disable-imaps \
        --disable-pop3 \
        --disable-pop3s \
        --disable-ldap \
        --disable-ldaps \
        --disable-rtsp \
        --disable-telnet \
        --disable-tftp \
        --disable-smtp \
        --disable-smtps \
        --with-gssapi \
        --enable-ipv6 \
        --without-libidn \
        --without-librtmp \
make -j
make install

../local/linux/bin/curl -Ss

For my domain it works, but I found several other domains, which show
the same problem. Find attached a patch for mbedtls to show better where
it is flagged.


List admin:

Received on 2015-12-29