Re: BADCERT_NOT_TRUSTED error with mbedTLS

From: Ray Satiro via curl-library <>
Date: Tue, 29 Dec 2015 17:26:37 -0500

On 12/29/2015 1:06 PM, Thomas Glanzmann wrote:
> Hello Ray,
>> Does anyone have mbedTLS working in curl 7.46.0?
> when I build mbedTLS on Linux and try what you did, I notice the
> following:
> - --cacert only accepts a single certificate, not a file
> containing multiple certs.

I don't know why you are seeing --cacert only accepting a single
certificate. I have searched the curl repo and I can't find that. And I
don't believe that's correct for mbedTLS. When we supply a certificate
bundle via mbedtls_x509_crt_parse_file it should load all the certs in
the bundle into the list.

> - I patched MBEDTLS to tell me why it flagged the cert as bad
> and it told me:
> (x1) [~/work/vlconnect/local/linux/bin] ./curl -Ss
> Child is the top of the chain
> curl: (51) Cert verify failed: BADCERT_NOT_TRUSTED
> I don't really get what they do here. I see that it fails for many domains; it
> should not fail. But maybe Manuel can shed some light on it. I filed a bug report.

Thanks for doing this. I took a closer look in Wireshark and I can't
make sense of that either. That would seem to imply the server's
certificate ordering is wrong but it isn't. I will follow up in the
mbedTLS issue you filed [1].


Received on 2015-12-29