curl-library

Re: peer certificate cannot be authenticated: osx works, windows doesn't

From: Thomas Blom via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 6 Nov 2017 14:14:55 -0600

On 11/6/2017 10:38 AM, Thomas Blom via curl-library wrote:
>
> Using curl 7.56.0, built against openssl-1.0.2l, I am using
> curl_easy_perform() to post to a server and receive results into a file
> using the CURLOPT_WRITEDATA and an open file handle.
>
> This worked fine under both OSX and Windows using an http url, but when I
> use https, having installed certificates on the aws-linux server, I find
> that while OSX still works fine, windows (v10) now fails with error 60,
> "Peer certificate cannot be authenticated with given CA certificates".
>
> The certs are cheap ones - PositiveSSL via Comodo.
>
> Reading https://curl.haxx.se/docs/sslcerts.html, I think I understand
> that this depends on the CA "store" being used on the OS, so my guess was
> that OSX is trusting PositiveSSL, but Windows is not. But, I find that if I
> navigate to this site with MS Edge, which presumably uses the same OS
> CA-store, it is fine with the https site, using those same certs.
>
> I see in the doc referenced that I can defeat the peer validation with
> curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE), but I'd prefer a
> better solution, which
> may be just buying better certs? This is software that is to be
> distributed and used by lots of folks, so it's not an option to just update
> the CA store on my windows machine so that this cert is trusted.
>
> On Mon, Nov 6, 2017 at 1:02 PM, Ray Satiro via curl-library <
> curl-library_at_cool.haxx.se> wrote:
>
> Disabling ssl verification for software in production is of very limited
> use and usually wrong. In most cases you will want your https transfers
> protected and authenticated. Check that your computer's date and time is
> correct and that your certificate is not expired. Since it is working in
> Edge those things are probably ok.
>
> MS Edge is using the native certificate store because it's using the
> native Schannel SSL (what we also call WinSSL). curl w/ OpenSSL in Windows
> does not do that, instead you have to supply the SSL certificates. There is
> not enough information in your report to tell whether you are supplying
> them. You can download a standard certificate bundle [1] and rename it from
> cacert.pem to curl-ca-bundle.crt and put it in the same directory as your
> curl.exe. For libcurl you will need to set CURLOPT_CACERT [2] with the
> location. Over time those certificates change and may need to be updated.
> You could avoid all this by building curl to use WinSSL instead, and then
> it will use the built in certificates that are updated automatically by
> Microsoft.
>
> My last guess as to what's happening if those things don't fit is your
> server is not configured properly to send all the required intermediate
> certificates. That is an error I've seen a few times and often missed in
> testing. The reason is some clients will cache intermediate certificates
> received from a server and then use those certificates when they are
> missing from other servers. Firefox (NSS) and Windows (SChannel) do that.
> So someone will test in Firefox and think well their website works but
> actually Firefox (or NSS I guess) is being helpful and just filling in the
> blanks. And it may or may not work in some other Firefox depending on
> whether the intermediate has been cached. As far as I know, OpenSSL will
> not cache intermediates received from a server and that is perfectly
> acceptable since it is your server's responsibility to include those
> intermediates. Check that your server is sending all the required
> intermediates.
>
> If you still need help please reply with more information, preferably your
> curl_version() and some way we can use to reproduce. (Keep in mind this is
> a public mailing list so please don't post anything sensitive.)
>
> [1]: https://curl.haxx.se/docs/caextract.html
> [2]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
>
>
I am *not* manually supplying the SSL certificates to libcurl (v7.56.0,
using OpenSSL/1.0.2l), so this is likely the issue, but I was confused
because on OSX the same code works fine -- that is, on OSX, the
keychain/system-store is used, and it seems reasonable to assume that a
default/system-store would be used on Windows as well.

I understand that libcurl built using Schannel/WinSSL will do this - I
wonder why the same default bundle is not used for OpenSSL, or how I can
discover what this path is so that I can manually tell libcurl to use it
even if I prefer to use OpenSSL?

Since I write software that is cross-platform (OSX+Windows), I typically
prefer to use the same libraries/source wherever possible, so that behavior
can be expected to be as nearly identical as possible, and there are fewer
total libraries to be concerned with. Thus the decision to build libcurl
using OpenSSL on both platforms.

-Thomas
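The two failure modes Ray describes (no usable CA bundle on the client, and a server that omits its intermediate) can be reproduced offline with a throwaway PKI. The script below is an added example, not code from this thread or from the curl project; it assumes only that the openssl command-line tool is installed, and every name in it (the CAs, the host name, the file names) is made up for the demonstration. The `client_verify` function emulates what libcurl built against OpenSSL does: it trusts nothing but the bundle it is handed (the file you would point CURLOPT_CAINFO, linked at [2], or `--cacert` at) and builds the path only from the certificates the server actually sent.

```shell
#!/bin/sh
# Added example, not code from this thread or from the curl project. It
# builds a throwaway PKI with the openssl CLI (assumed to be installed;
# every name below is made up) and replays, offline, the two ways a
# client ends up with "Peer certificate cannot be authenticated":
#   1. the client's trust store lacks the issuing root, which is what
#      libcurl+OpenSSL on Windows sees when no CA bundle is supplied via
#      CURLOPT_CAINFO (or --cacert for the curl tool);
#   2. the server sends only its leaf and omits the intermediate, which
#      OpenSSL does not paper over with cached intermediates the way
#      Schannel or NSS may.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue NAME BASENAME SIGNING_CA EXTFILE: self-signed when SIGNING_CA is "".
issue() {
  name=$1 out=$2 ca=$3 ext=$4
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$out.key" -out "$WORK/$out.csr" 2>/dev/null
  if [ -z "$ca" ]; then
    openssl x509 -req -in "$WORK/$out.csr" -signkey "$WORK/$out.key" \
      -days 30 -extfile "$ext" -out "$WORK/$out.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$out.csr" -CA "$WORK/$ca.pem" \
      -CAkey "$WORK/$ca.key" -CAcreateserial -days 30 -extfile "$ext" \
      -out "$WORK/$out.pem" 2>/dev/null
  fi
}

make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
    > "$WORK/leaf.ext"
  issue "Example Root CA"         root  ""    "$WORK/ca.ext"
  issue "Example Intermediate CA" inter root  "$WORK/ca.ext"
  issue "www.example.test"        leaf  inter "$WORK/leaf.ext"
  # A second, unrelated root stands in for a CA bundle that does not
  # contain the root that issued our chain.
  issue "Unrelated Root CA"       other ""    "$WORK/ca.ext"
  # A correctly configured server sends leaf + intermediate; a misconfigured
  # one sends the leaf alone (the case a browser with a cache can mask).
  cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/chain-full.pem"
  cp "$WORK/leaf.pem" "$WORK/chain-leaf-only.pem"
}

# client_verify TRUST_BUNDLE SENT_CHAIN: emulate a TLS client whose trust
# store is TRUST_BUNDLE receiving SENT_CHAIN (leaf first, as in the TLS
# Certificate message). Like curl with OpenSSL it trusts only the bundle
# and builds the path only from what the server sent. Exit 0 = verified.
client_verify() {
  trust=$1 sent=$2
  # The first PEM block in the sent chain is the server's own certificate.
  openssl x509 -in "$sent" -out "$WORK/presented-leaf.pem" 2>/dev/null
  openssl verify -CAfile "$trust" -untrusted "$sent" \
    "$WORK/presented-leaf.pem" >/dev/null 2>&1
}

report() {
  label=$1; shift
  if client_verify "$@"; then
    echo "$label: verified"
  else
    echo "$label: FAILED (this is what curl reports as error 60)"
  fi
}

make_pki
report "right bundle, full chain" "$WORK/root.pem"  "$WORK/chain-full.pem"
report "right bundle, leaf only " "$WORK/root.pem"  "$WORK/chain-leaf-only.pem"
report "wrong bundle, full chain" "$WORK/other.pem" "$WORK/chain-full.pem"
```

Only the first case verifies. The second case is the server-side bug from Ray's "last guess": the fix is to configure the server to send the intermediate, not to weaken the client. The third case is the client-side bug: ship a bundle such as the extract at [1] alongside the application and point CURLOPT_CAINFO at it, keeping CURLOPT_SSL_VERIFYPEER enabled. To run the same check against a real host, feed `client_verify` a bundle and the chain that `openssl s_client -showcerts -connect host:443` prints.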

Received on 2017-11-06