curl-library
Re: BADCERT_NOT_TRUSTED error with mbedTLS
Date: Tue, 29 Dec 2015 17:26:37 -0500

On 12/29/2015 1:06 PM, Thomas Glanzmann wrote:
> Hello Ray,
>
>> Does anyone have mbedTLS working in curl 7.46.0?
> when I build mbedTLS on Linux and try what you did, I notice the
> following:
>
> - --cacert Only accepts a single certificate not a file
> containing multiple certs.

I don't know why you are seeing --cacert only accepting a single
certificate. I have searched the curl repo and I can't find that. And I
don't believe that's correct for mbedTLS. When we supply a certificate
bundle via mbedtls_x509_crt_parse_file it should load all the certs in
the bundle into the list.

>
> - I patched MBEDTLS to tell me why it flagged the cert as bad
> and it told me:
>
> (x1) [~/work/vlconnect/local/linux/bin] ./curl -Ss https://test.com
> Child is the top of the chain
> curl: (51) Cert verify failed: BADCERT_NOT_TRUSTED
>
> I don't really get what they do here. I see that it fails for many domains, it
> should not fail. But maybe Manuel can shed some light on it. I file a bugreport.
>

Thanks for doing this. I took a closer look in Wireshark and I can't
make sense of that either. That would seem to imply the server's
certificate ordering is wrong but it isn't. I will follow up in the
mbedTLS issue you filed [1].

[1]: https://github.com/ARMmbed/mbedtls/issues/380
Received on 2015-12-29