
Re: difficulties with SSL certs

From: Dennis Clarke via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 8 Apr 2021 02:32:04 -0400

On 4/8/21 2:23 AM, Daniel Stenberg wrote:
> On Thu, 8 Apr 2021, Dennis Clarke via curl-library wrote:
>
>> So I looked into the location where the ssl certs "should" be given my
>> curl config :
>>
>> $ ./configure ...
>>  --with-ca-path=/opt/bw/ssl/certs \
>
> Note that this is the *ca path* where OpenSSL expects to find individual
> certs stored.
>
> You use --with-ca-bundle to specify a "bundle" as a single file.
>
> OpenSSL supports both setups.

Ah ha. Well, that makes sense, and now I can rebuild curl with
better/other config options to specify the CA cert bundle.

For the sake of being verbose, this is what I see:

europa$
europa$ /opt/bw/bin/curl -vvvvv -4 -L --url 'https://gitlab.com/' -o
/dev/null
  % Total % Received % Xferd Average Speed Time Time Time
Current
                                 Dload Upload Total Spent Left
Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
    0* Trying 172.65.251.78:443...
* Connected to gitlab.com (172.65.251.78) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
* CApath: /opt/bw/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4542 bytes data]
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
    0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
europa$


Well, there we see CAfile: none.

>> So I expect that the cacert.pem file at
>>
>>    https://curl.se/docs/caextract.html
>>
>> would solve all my problems however :
>>
>> europa$ ls -lapb /opt/bw/ssl/certs/
>> total 350
>> drwxr-xr-x  2 root  wheel       3 Apr  8 02:35 ./
>> drwxr-xr-x  5 root  wheel       9 Apr  7 00:14 ../
>> -rw-r--r--  1 root  wheel  208075 Jan 19 04:12 cacert.pem
>> europa$
>>
>> This does not help at all and even OpenSSL seems confused.
>
> Exactly, because you now put the bundle in the directory where OpenSSL
> expects a directory setup.
>
> You should rather try your downloaded bundle like this:
>
> $ curl --cacert /opt/bw/ssl/certs/cacert.pem -4 -L https://gitlab.com/
> -o /dev/null
>
> ... it certainly works for me!
>

Well, I really don't want to have to specify a cert path on every command
line, so it would be best to just build a new curl. Speaking of which,
is there a patch in the works for 7.75.1?

-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
Received on 2021-04-08