
Re: Does cURL accept a CA that is not self signed?

From: Jeffrey Walton via curl-library <>
Date: Thu, 28 Nov 2019 21:59:59 -0500

On Thu, Nov 28, 2019 at 4:58 PM Daniel Stenberg <> wrote:
> On Thu, 28 Nov 2019, Jeffrey Walton via curl-library wrote:
> > I'm having trouble connecting to a server that uses Let's Encrypt.
> With a huuuge portion of the web now using Let's Encrypt certs, I would've
> expected more people to report problems if that would be the case.
> I presume you use a recent curl with OpenSSL?
> I don't quite understand your remark on needing X509_V_FLAG_PARTIAL_CHAIN. Are
> you not using a full "chain" ?

One thing I noticed that now piques my interest... Ubuntu 18.04 is OK.

On Fedora I needed to install libcurl-devel.

On Ubuntu libcurl-dev was not available. I needed to install
libcurl4-openssl-dev. There were two other similar packages - one for
nss (iirc) and one for gnutls (iirc).

If cURL is using GnuTLS on Ubuntu, then that would explain the
difference. GnuTLS does not use OpenSSL, but it effectively uses
`X509_V_FLAG_PARTIAL_CHAIN` in its internal logic. OpenSSL requires
the explicit flag.

Here's the Wget bug report that eventually got
X509_V_FLAG_PARTIAL_CHAIN added for OpenSSL when the user explicitly
specifies his/her CA list : .
GnuTLS was OK because of its differing internal logic. The change was
made for Wget 1.20.2.

It looks like X509_V_FLAG_PARTIAL_CHAIN was discussed before for cURL,
but I could not tell where it ended: . Looking at the
sources, I don't see X509_V_FLAG_PARTIAL_CHAIN. It looks like cURL
may lack it.

    $ grep -IR X509_V_FLAG_PARTIAL_CHAIN ./
    $ grep -IR X509_V_FLAG_PARTIAL_CHAIN ./*

Received on 2019-11-29
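
The trust-store behaviour discussed in this message can be reproduced offline with the `openssl` command line, whose `-partial_chain` option sets `X509_V_FLAG_PARTIAL_CHAIN`. This is an added example, not part of the original mail and not curl or Wget code; the certificate names, file names and the helpers `make_chain` and `verify_leaf` are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI (root -> intermediate -> leaf); every name is made up.
make_chain() {   # $1 = scratch directory
  local d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = set via -subj
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root: signs the intermediate below.
  openssl req -config "$d/pki.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Constructed Root" -keyout "$d/root.key" -out "$d/root.pem" &&
  # Intermediate CA: issued by the root, so it is not self-signed.
  openssl req -config "$d/pki.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Intermediate" -keyout "$d/int.key" -out "$d/int.csr" &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/pki.cnf" -extensions ca -out "$d/int.pem" &&
  # Server (leaf) certificate issued by the intermediate.
  openssl req -config "$d/pki.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=server.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -extfile "$d/pki.cnf" -extensions leaf -out "$d/leaf.pem"
} 2>/dev/null

# Verify the leaf against one trust-anchor file; returns openssl's exit status.
# $1 = directory, $2 = anchor file inside it, remaining args = extra verify options.
# The constructed root is in no system store, so default CA paths cannot interfere.
verify_leaf() {
  local d=$1 anchor=$2; shift 2
  openssl verify -CAfile "$d/$anchor" "$@" "$d/leaf.pem" >/dev/null 2>&1
}

dir=$(mktemp -d) || exit 1
trap 'rm -rf "$dir"' EXIT
make_chain "$dir" || { echo "could not build the test chain" >&2; exit 1; }
# Full chain: root is the anchor, the intermediate is supplied as untrusted.
verify_leaf "$dir" root.pem -untrusted "$dir/int.pem" && echo "root anchor: accepted"
# Only the non-self-signed intermediate is trusted: default OpenSSL logic rejects it.
verify_leaf "$dir" int.pem || echo "intermediate anchor, default flags: rejected"
# Same trust store with X509_V_FLAG_PARTIAL_CHAIN set: accepted.
verify_leaf "$dir" int.pem -partial_chain && echo "intermediate anchor, -partial_chain: accepted"
```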