Re: BADCERT_NOT_TRUSTED error with mbedTLS

From: Thomas Glanzmann <thomas_at_glanzmann.de>
Date: Tue, 29 Dec 2015 19:06:18 +0100

Hello Ray,

> Does anyone have mbedTLS working in curl 7.46.0?

When I build mbedTLS on Linux and try what you did, I notice the
following:

        - --cacert only accepts a single certificate, not a file
          containing multiple certs.

        - I patched MBEDTLS to tell me why it flagged the cert as bad
          and it told me:

(x1) [~/work/vlconnect/local/linux/bin] ./curl -Ss https://test.com
Child is the top of the chain
curl: (51) Cert verify failed: BADCERT_NOT_TRUSTED

I don't really get what they do here. I see that it fails for many domains; it
should not fail. But maybe Manuel can shed some light on it. I file a bug report.

In order to reproduce, this is what I did:

git clone https://github.com/ARMmbed/mbedtls.git
cd mbedtls
CFLAGS="-Os" make -j lib
make DESTDIR=`pwd`/../local/linux install

git clone https://github.com/bagder/curl.git
cd curl
./buildconf
./configure CFLAGS='-Os' \
        --without-ssl --with-mbedtls=`pwd`/../local/linux \
        --disable-ares \
        --disable-cookies \
        --disable-manual \
        --disable-versioned-symbols \
        --enable-hidden-symbols \
        --prefix=`pwd`/../local/linux \
        --disable-shared \
        --disable-manual \
        --disable-libcurl-option \
        --enable-sspi \
        --disable-ftp \
        --disable-smb \
        --disable-dict \
        --disable-file \
        --disable-gopher \
        --disable-imap \
        --disable-imaps \
        --disable-pop3 \
        --disable-pop3s \
        --disable-ldap \
        --disable-ldaps \
        --disable-rtsp \
        --disable-telnet \
        --disable-tftp \
        --disable-smtp \
        --disable-smtps \
        --with-gssapi \
        --enable-ipv6 \
        --without-libidn \
        --without-librtmp \
        --without-zlib
make -j
make install

../local/linux/bin/curl -Ss https://test.com

For my domain it works, but I found several other domains which show
the same problem. Find attached a patch for mbedtls to show better where
it is flagged.

Cheers,
        Thomas


Received on 2015-12-29