curl-library

Re: Certificates problem

From: Waitman Gobble <gobble.wa_at_gmail.com>
Date: Mon, 21 May 2018 10:14:06 -0400

On Mon, May 21, 2018 at 9:46 AM, dp <couldabin_at_excite.com> wrote:
> I am having trouble getting libcurl to work with a secure website. I am using cUrl version 7.59.0, OpenSSL 1.0.2, compiling with Visual Studio 10, and running this on XP/SP3. I built both static and DLL libraries, and that completed without any errors. I can link either library without warnings or errors. The calls to curl_easy_setopt() include:
>
> -- CURLOPT_ISSUERCERT, <full path to cacert.pem>
> -- CURLOPT_DEBUGFUNCTION,<function name>
> -- CURLOPT_VERBOSE, 1L
> -- CURLOPT_URL,"https://api.sunrise-sunset.org/json?lat=37.92&lng=-97.22"
>
> If I build with the static library (libcurl_a.lib), curl_easy_perform() returns 60: Peer certificate cannot be authenticated with given CA certificates. The verbose output appears to show certificate exchange (I am not knowledgeable about CAs), and ends with "SSL certificate problem: unable to get local issuer certificate"
>
> With the DLL library (libcurl.lib), curl_easy_perform() returns 1: Unsupported protocol. The verbose output says "Protocol https not supported or disabled in libcurl"
>
> In both versions, the output from curl.exe -V is:
>
> curl 7.59.0 (i386-pc-win32) libcurl/7.59.0 OpenSSL/1.0.2n WinIDN
> Release-Date: 2018-03-14
> Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
> Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL HTTPS-proxy
>
> Did I fail to build the OpenSSL libraries properly, so that certificates are being mishandled? Is there another option I need to set before calling curl_easy_perform()? Is the difference in responses (libcurl.lib versus libcurl_a.lib) expected? I am trying to avoid the workaround that involves ignoring verification of certificates.
>
> Thanks.
>

Are you certain that the specified CA cert is used to sign?

Does -CAfile report verify OK?

# openssl s_client -connect api.sunrise-sunset.org:443

CONNECTED(00000003)
depth=0 C = US, ST = New York
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = New York
verify return:1

---
Certificate chain
 0 s:/C=US/ST=New York
   i:/C=US/ST=New York
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=US/ST=New York
issuer=/C=US/ST=New York
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1466 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: EB5968AF394E3D9179051A514538E00674FF713D0701455D08C343228EF969FB
    Session-ID-ctx:
    Master-Key: B2B2C19994F13342D7E05BCBF2003E976320F47A474883958C2506A2A3C3A1B9AE39F5F5312A78ADFB409AC29820024C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1526911116
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
closed
-- 
Waitman Gobble
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2018-05-21
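The -CAfile check suggested in the reply, as an added example that is not part of the thread: it runs that check, and curl's equivalent (--cacert, the command-line form of libcurl's CURLOPT_CAINFO, which is the option that supplies trust anchors; CURLOPT_ISSUERCERT, used in the question, only adds an extra issuer check on the peer certificate and does not add CAs), against a throwaway local CA and server, so the verify return code and curl's exit status 60 can be reproduced offline. Assumptions: openssl and curl in PATH, port 4443 free, a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway CA and a leaf cert it
# signs, serves the leaf from a local openssl s_server, then runs the -CAfile and
# --cacert checks against it. All names, keys and the port are constructed.
set -eu
PORT=4443
WORK=$(mktemp -d)
cleanup() { [ -n "${SERVER_PID:-}" ] && kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$WORK"; }
trap cleanup EXIT

# 1. Throwaway root CA, a leaf certificate it signs (SAN so curl's hostname
#    check passes), and an unrelated CA standing in for a cacert.pem that did
#    not sign the server's chain.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\n' > "$WORK/san.cnf"
openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/san.cnf" -out "$WORK/srv.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# 2. Local TLS server presenting the leaf; -www makes it answer an HTTP GET.
openssl s_server -accept "$PORT" -cert "$WORK/srv.pem" -key "$WORK/srv.key" -www >/dev/null 2>&1 &
SERVER_PID=$!
for i in 1 2 3 4 5; do   # wait until the listener completes a handshake
    openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1 && break
    sleep 1
done

# s_client_verify_code CA_FILE: the numeric "Verify return code" s_client prints
# when CA_FILE is the trust anchor; 0 means the chain verified OK.
s_client_verify_code() {
    openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$1" </dev/null 2>/dev/null |
        sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# curl_cacert_status CA_FILE: curl's exit status for a GET trusting only CA_FILE.
# --cacert is the CLI form of libcurl's CURLOPT_CAINFO; 60 is the same
# "peer certificate cannot be authenticated" code curl_easy_perform() returned.
curl_cacert_status() {
    curl -s -o /dev/null --cacert "$1" "https://127.0.0.1:$PORT/" && echo 0 || echo $?
}

# https_supported: succeeds if the curl in PATH lists https among its protocols
# (the DLL build in the question answered "Protocol https not supported").
https_supported() { curl -V | grep '^Protocols:' | tr ' ' '\n' | grep -qx https; }
echo "signing CA  : $(s_client_verify_code "$WORK/ca.pem")"     # expect 0
echo "unrelated CA: $(s_client_verify_code "$WORK/other.pem")"  # expect non-zero
```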