curl-library

Re: help using Curl through Vagrant

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 4 Jan 2016 02:59:01 -0500

On 1/3/2016 7:23 PM, Barry wrote:
> I tried this using the old command prompt, and I got the following result:
>
> C:\>"c:\HashiCorp\Vagrant\embedded\bin\curl.exe" -v --cacert "c:\HashiCorp\Vagrant\embedded\cacert.pem" "https://atlas.hashicorp.com/data-science-toolbox/dst"
> * Trying 52.4.91.74...
> * Connected to atlas.hashicorp.com (52.4.91.74) port 443 (#0)
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: c:\HashiCorp\Vagrant\embedded\cacert.pem
> CApath: none
> * TLSv1.2 (OUT), TLS Unknown, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.0 (IN), TLS handshake, Server hello (2):
> * TLSv1.0 (IN), TLS handshake, Certificate (11):
> * TLSv1.0 (OUT), TLS alert, Server hello (2):
> * SSL certificate problem: unable to get local issuer certificate
> * Closing connection 0
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
> Is this the real Curl? And what do I do now?

Yes that's the real curl. The server hello I get is TLSv1.2 but the one
you get is TLSv1.0, which is a sign something is different. I installed
ESET NOD32 v9 and I was able to reproduce what you describe. ESET has
SSL interception by default. If you have the mode set to 'automatic' it
will not prompt you for curl.

Depending on the level of security you want you can take one of these paths:

If you want ESET to scan curl's SSL transfers you will have to export
the ESET root certificate (ESET > Advanced > Web > SSL > View
certificate > Details > Copy to file > Export as BASE64 cer type) and
then append the contents of that certificate to
C:\HashiCorp\Vagrant\embedded\cacert.pem. If this is too complicated you
can instead ignore curl as described below.

If you don't want ESET to scan curl's SSL transfers you can manually add
C:\HashiCorp\Vagrant\embedded\bin\curl.exe to the list of applications
to ignore (ESET > Advanced > Web > SSL > List of SSL/TLS applications >
add the curl app and choose 'ignore'). If you can't find a way to do
that then you can change the SSL protocol filtering mode from
'automatic' to 'interactive' (ESET > Advanced > Web > SSL > Interactive)
and then attempt to run curl. ESET should pop up a dialog and you can
choose to ignore curl [1]. You can then turn the filtering mode back to
automatic.

Finally, with ESET you must click OK to close out the main screen for
settings to apply. And I'm using a newer version of ESET so you may need
slightly different directions. Consult ESET if you need more help.
Also, if you allow curl via interactive mode you may see an error in
curl right after saying 'Unknown SSL protocol error'. After that it
should work.

[1]: http://i.imgur.com/UjJfCkD.jpg

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2016-01-04
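
The "append the exported root to cacert.pem" step from the reply above, as an added PowerShell example that is not part of the original message and not code from the curl or ESET projects. The function name `Add-CaToBundle` and the export location `C:\Temp\eset-root.cer` are assumptions; the bundle path is the one from the message.

```powershell
# Added example. Add-CaToBundle and C:\Temp\eset-root.cer are assumed names.
function Add-CaToBundle {
    param(
        [Parameter(Mandatory = $true)] [string] $CertPath,   # exported root (Base64 .cer)
        [Parameter(Mandatory = $true)] [string] $BundlePath  # curl's cacert.pem
    )
    $pem = '-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----'

    # A DER (binary) export has no PEM armour; appending it would corrupt the bundle.
    $m = [regex]::Match((Get-Content -Raw -LiteralPath $CertPath), $pem)
    if (-not $m.Success) {
        throw "$CertPath is not Base64/PEM. Re-export it as Base64, not DER."
    }
    $body = $m.Groups[1].Value -replace '\s', ''

    # Parse it as X.509 and show what is about to be trusted, so the subject and
    # thumbprint can be compared with the certificate shown in the ESET dialog.
    $bytes = [Convert]::FromBase64String($body)
    $x509  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    Write-Host "Subject:    $($x509.Subject)"
    Write-Host "Thumbprint: $($x509.Thumbprint)  (SHA-1)"
    Write-Host "Expires:    $($x509.NotAfter)"
    if ($x509.Subject -ne $x509.Issuer) {
        Write-Warning 'Not self-signed, so this is not a root certificate.'
    }

    # Skip the append if the same certificate is already in the bundle.
    $present = [regex]::Matches((Get-Content -Raw -LiteralPath $BundlePath), $pem) |
        ForEach-Object { $_.Groups[1].Value -replace '\s', '' }
    if ($present -contains $body) { return 'already-present' }

    # Copy the bundle as it was before this append, then add the certificate
    # re-wrapped at 64 columns.
    Copy-Item -LiteralPath $BundlePath -Destination "$BundlePath.bak" -Force
    $lines = ($body -split '(.{64})') | Where-Object { $_ }
    $block = "`n-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----"
    Add-Content -LiteralPath $BundlePath -Value $block -Encoding Ascii
    return 'appended'
}

# Usage, with the bundle path from the message and an assumed export location:
# Add-CaToBundle -CertPath 'C:\Temp\eset-root.cer' -BundlePath 'C:\HashiCorp\Vagrant\embedded\cacert.pem'
```

With the ESET root in the bundle, curl validates the certificate that ESET presents, so checking the real server's certificate is left to ESET.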