curl-library

peer certificate cannot be authenticated: osx works, windows doesn't

From: Thomas Blom via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 6 Nov 2017 09:38:50 -0600

Using curl 7.56.0, built against openssl-1.0.2l, I am using
curl_easy_perform() to post to a server and receive results into a file
using the CURLOPT_WRITEDATA and an open file handle.

This worked fine under both OSX and Windows using an http url, but when I
use https, having installed certificates on the aws-linux server, I find
that while OSX still works fine, Windows (v10) now fails with error 60,
"Peer certificate cannot be authenticated with given CA certificates".

The certs are cheap ones - PositiveSSL via Comodo.

Reading https://curl.haxx.se/docs/sslcerts.html, I think I understand that
this depends on the CA "store" being used on the OS, so my guess was that
OSX is trusting PositiveSSL, but Windows is not. But, I find that if I
navigate to this site with MS Edge, which presumably uses the same OS
CA-store, it is fine with the https site, using those same certs.

I see in the doc referenced that I can defeat the peer validation with
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE), but I'd prefer a
better solution, which may
be just buying better certs? This is software that is to be distributed
and used by lots of folks, so it's not an option to just update the CA
store on my Windows machine so that this cert is trusted.

Thanks for any help with this.

Thomas Blom in Austin, TX

Received on 2017-11-06