Re: BADCERT_NOT_TRUSTED error with mbedTLS

From: Thomas Glanzmann <thomas_at_glanzmann.de>
Date: Wed, 30 Dec 2015 07:46:06 +0100

Hello Ray,

> > - --cacert Only accepts a single certificate not a file
> > containing multiple certs.

> I don't know why you are seeing --cacert only accepting a single
> certificate. I have searched the curl repo and I can't find that. And I
> don't believe that's correct for mbedTLS. When we supply a certificate
> bundle via mbedtls_x509_crt_parse_file it should load all the certs in the
> bundle into the list.

I said that because I thought that this option was not working for me
yesterday. But I can't reproduce any evidence that backs me up. I have also
hardcoded the only CA certificate I have for a website, and that works.

> Thanks for doing this. I took a closer look in Wireshark and I can't make
> sense of that either. That would seem to imply the server's certificate
> ordering is wrong but it isn't. I will follow up in the mbedTLS issue you
> filed [1].

If you have the time, maybe you can figure out why my site works:

(x1) [~/work/vlconnect/local/linux/bin] ./curl -Ss https://gmvl.de/
Child is the top of the chain
Top of chain is signed by trusted CA
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx</center>
</body>
</html>

# Please note the second line in the debug output that unflags the cert as bad.

And why every other site with nginx, Apache, StartSSL or any other certificate
fails for me. I can't seem to find another site than my own that works:

(x1) [~/work/vlconnect/local/linux/bin] ./curl -Ss https://terminal.arbeitsagentur.de/
Child is the top of the chain
curl: (51) Cert verify failed: BADCERT_NOT_TRUSTED
(x1) [~/work/vlconnect/local/linux/bin] ./curl -Ss https://zerfleddert.de/
Child is the top of the chain
curl: (51) Cert verify failed: BADCERT_NOT_TRUSTED
(x1) [~/work/vlconnect/local/linux/bin] ./curl -Ss https://www.nginx.com/
Child is the top of the chain
curl: (51) Cert verify failed: BADCERT_NOT_TRUSTED

Maybe I'll find time tonight to add more debug output to mbedtls and libcurl to
find out what is going wrong and why. If you want to pick up where I left off,
there is a very nice x509 formatting function in mbedtls that makes it easier
to see which certificate is currently being processed:

#include <stdio.h>
#include <mbedtls/x509_crt.h>
char buf[1024];  /* crt is the mbedtls_x509_crt currently being inspected */
mbedtls_x509_crt_info(buf, sizeof(buf) - 1, "", crt);
printf("%s", buf);

And as you can see from my working output above, I think that it is
okay to flag the cert as bad as long as it is unflagged as bad later on.
The question is: why is my certificate the only one I can find that
works?

Cheers,
        Thomas
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-12-30
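The trust-bundle behaviour discussed in this mail, shown offline as an added example that is not part of the thread: it builds a throwaway bundle holding two root CAs and checks that a leaf signed by either root verifies while a leaf signed by a root missing from the bundle does not (the OpenSSL equivalent of mbedTLS's BADCERT_NOT_TRUSTED). It uses the openssl command line rather than mbedTLS, and every CA and host name is constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: multi-cert CA bundle and chain verification with openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root CA: $1 = name (also used as CN).
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$1" 2>/dev/null
}

# Leaf certificate: $1 = leaf name, $2 = name of the signing CA.
gen_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

# Number of PEM certificates in a bundle file (what --cacert would load).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Exit 0 when the leaf chains to a root in the bundle, non-zero otherwise.
verify_leaf() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

gen_ca ca-a
gen_ca ca-b
gen_ca ca-untrusted              # deliberately left out of the bundle
cat ca-a.pem ca-b.pem > bundle.pem
gen_leaf leaf-a ca-a
gen_leaf leaf-b ca-b
gen_leaf leaf-x ca-untrusted

echo "bundle.pem holds $(count_certs bundle.pem) certificates"
for leaf in leaf-a leaf-b leaf-x; do
    if verify_leaf bundle.pem "$leaf.pem"; then
        echo "$leaf: trusted"
    else
        echo "$leaf: NOT trusted (issuer not in bundle)"
    fi
done
```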