Download
Browse source Changelog
Documentation
Project   Bug Bounty   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users Mailing lists Book: Everything curl Video presentations Report a bug Paid support
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: php curl insecure connection option is skipped

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 10 May 2019 14:49:36 -0400

On 5/10/2019 8:57 AM, surya chandrika via curl-library wrote:
> I Ran the following
>
> -sh-4.2$  HOST=<myhost>; echo | openssl s_client -servername $HOST
> -connect $HOST:443 2>/dev/null | openssl x509 -noout -checkhost $HOST
> unable to load certificate
> 139697300731712:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE
>
> I added a self signed certificate for this host. Could that be a reason?
>
> On Wed, May 8, 2019 at 11:48 AM Ray Satiro via curl-library
> <curl-library_at_cool.haxx.se <mailto:curl-library_at_cool.haxx.se>> wrote:
>
> On 5/8/2019 12:32 AM, surya chandrika wrote:
>> Disabling  CURLOPT_SSL_VERIFYHOST  worked. Yes as you said this
>> is not recommended.
>> But am not sure why certificate with correct hostname is not
>> recognized from uploaded certificate.
>>  I added certificate in path "/etc/pki/ca-trust/source/anchors/
>> In verbose mode it says it got 5 certificate 
>>> * found 171 certificates in /etc/pki/tls/certs/ca-bundle.crt
>>> * *found 5 certificates in /etc/pki/ca-trust/source/anchors/*
>>> *
>>> *
>>> *But throw error *SSL: certificate subject name (#1300) does not
>>> match target host name 'abc.com <http://abc.com/>
>> Any idea why certificate is not recognized
>
>
> If abc.com <http://abc.com> is a hostname in the certificate then
> you should not see that message. Check if OpenSSL gives different
> results:
>
> (HOST=abc.com <http://abc.com> ; echo | openssl s_client
> -servername $HOST -connect $HOST:443 2>/dev/null | openssl x509
> -noout -checkhost $HOST)
>
> Instead of -checkhost $HOST you can use -text to dump the
> certificate details. You should see the hostname in X509v3 Subject
> Alternative Name.
>

Please do not top-post [1], it makes the conversation harder to follow.
The error "Expecting: TRUSTED CERTIFICATE" means that certificate was
not read which likely means a separate error occurred in the previous
command. A self-signed certificate should not be the reason. Try just
the s_client command without suppressing errors.

[1]: https://curl.haxx.se/mail/etiquette.html#Do_Not_Top_Post

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-05-10