curl-library
Re: Certificates problem
Date: Mon, 21 May 2018 11:10:18 -0400
No, I'm not sure the CA is used to sign. I tried it as a guess.
Which call is CAFILE used with? I'm not finding it listed in the API.
-----Original Message-----
From: "Waitman Gobble" [gobble.wa_at_gmail.com]
Date: 05/21/2018 09:17 AM
To: "libcurl development" <curl-library_at_cool.haxx.se>
Subject: Re: Certificates problem
On Mon, May 21, 2018 at 9:46 AM, dp <couldabin_at_excite.com> wrote:
> I am having trouble getting libcurl to work with a secure website. I am using cUrl version 7.59.0, OpenSSL 1.0.2, compiling with Visual Studio 10, and running this on XP/SP3. I built both static and DLL libraries, and that completed without any errors. I can link either library without warnings or errors. The calls to curl_easy_setopt() include:
>
> -- CURLOPT_ISSUERCERT, <full path to cacert.pem>
> -- CURLOPT_DEBUGFUNCTION,<function name>
> -- CURLOPT_VERBOSE, 1L
> -- CURLOPT_URL,"https://api.sunrise-sunset.org/json?lat=37.92&lng=-97.22"
>
> If I build with the static library (libcurl_a.lib), curl_easy_perform() returns 60: Peer certificate cannot be authenticated with given CA certificates. The verbose output appears to show certificate exchange (I am not knowledgeable about CAs), and ends with "SSL certificate problem: unable to get local issuer certificate".
>
> With the DLL library (libcurl.lib), curl_easy_perform() returns 1: Unsupported protocol. The verbose output says "Protocol https not supported or disabled in libcurl".
>
> In both versions, the output from curl.exe -V is:
>
> curl 7.59.0 (i386-pc-win32) libcurl/7.59.0 OpenSSL/1.0.2n WinIDN
> Release-Date: 2018-03-14
> Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
> Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL HTTPS-proxy
>
> Did I fail to build the OpenSSL libraries properly, so that certificates are being mishandled? Is there another option I need to set before calling curl_easy_perform()? Is the difference in responses (libcurl.lib versus libcurl_a.lib) expected? I am trying to avoid the workaround that involves ignoring verification of certificates.
>
> Thanks.
>
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
You are certain that the specified CA cert is used to sign?
Does -CAFile report verify OK?
# openssl s_client -connect api.sunrise-sunset.org:443
CONNECTED(00000003)
depth=0 C = US, ST = New York
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = New York
verify return:1
---
Certificate chain
 0 s:/C=US/ST=New York
   i:/C=US/ST=New York
---
Server certificate
subject=/C=US/ST=New York
issuer=/C=US/ST=New York
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1466 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: EB5968AF394E3D9179051A514538E00674FF713D0701455D08C343228EF969FB
    Session-ID-ctx:
    Master-Key: B2B2C19994F13342D7E05BCBF2003E976320F47A474883958C2506A2A3C3A1B9AE39F5F5312A78ADFB409AC29820024C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1526911116
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
closed
--
Waitman Gobble
Received on 2018-05-21
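An added example, not from the thread or from curl, that reproduces offline the distinction Waitman's s_client output turns on: the same self-signed certificate fails `openssl verify` with error 18 and then passes once it is supplied via -CAfile, which is the role CURLOPT_CAINFO (or CURLOPT_CAPATH) plays in libcurl and the failure libcurl reports as CURLE_SSL_CACERT (60). It assumes the openssl CLI is on PATH and generates its own throw-away certificate.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces offline the two outcomes
# behind "Verify return code: 18 (self signed certificate)": verification
# with no trust anchor fails, and it succeeds once the certificate is
# handed to openssl as the trusted CA file. -CAfile here plays the role
# that CURLOPT_CAINFO (or CURLOPT_CAPATH) plays in libcurl; the failing
# case is what libcurl reports as CURLE_SSL_CACERT (60).
# Assumes the openssl CLI is on PATH; the certificate is a throw-away
# self-signed one generated below, standing in for the server's.
set -u

WORK="${TMPDIR:-/tmp}/cafile-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed certificate with the subject the thread's
# s_client output shows (subject == issuer: nobody else vouches for it).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/ST=New York" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# No CA file: openssl cannot build a chain to anything it trusts.
# Prints the X509 verify error number from the first "error N at ..." line
# (18 = self signed certificate, the code seen in the thread).
verify_without_ca() {
    openssl verify "$WORK/cert.pem" 2>&1 \
        | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Same certificate, now listed in the CA file: returns 0 only if openssl
# prints the ": OK" verdict. The exit status of openssl verify is not
# reliable on old 1.0.x builds, so the verdict text is checked instead.
verify_with_ca() {
    openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" 2>&1 \
        | grep -q ': OK$'
}

make_self_signed
echo "without -CAfile: error $(verify_without_ca)"
if verify_with_ca; then
    echo "with -CAfile: verify OK"
else
    echo "with -CAfile: verify FAILED"
fi
```

The same check against a live host is `openssl s_client -connect host:443 -CAfile cacert.pem`, which should end with "Verify return code: 0 (ok)" when the bundle contains the site's issuing chain.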