Re: difficulties with SSL certs
From: Patrick Monnerat via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 8 Apr 2021 11:41:07 +0200
On 4/8/21 9:31 AM, Dennis Clarke via curl-library wrote:
>>> So I looked into the location where the ssl certs "should" be given my
>>> curl config :
>>>
>>> $ ./configure --prefix=/opt/bw --disable-dependency-tracking \
>>> --disable-silent-rules --without-gnu-ld --enable-shared \
>>> --enable-static \
>>> --with-libidn=/usr/local --with-libidn2=/usr/local \
>>> --with-ssl=/opt/bw --with-ca-path=/opt/bw/ssl/certs \
>>> --enable-tls-srp --with-libssh2
>>>
>>> So I expect that the cacert.pem file at
>>>
>>> https://curl.se/docs/caextract.html
>>>
>>> would solve all my problems however :
>>>
>>> europa$ ls -lapb /opt/bw/ssl/certs/
>>> total 350
>>> drwxr-xr-x 2 root wheel 3 Apr 8 02:35 ./
>>> drwxr-xr-x 5 root wheel 9 Apr 7 00:14 ../
>>> -rw-r--r-- 1 root wheel 208075 Jan 19 04:12 cacert.pem
>>> europa$
>>>
>>> This does not help at all and even OpenSSL seems confused.
>>
>> What is your curl -V version and the verbose output? Your CA path is
>> supposed to contain the certificate files named by hash value [1], which
>> it doesn't.
> I just dropped the correct certs into that directory and they are still
> not found :
>
> europa$ grep '89:80:cc:26' /opt/bw/ssl/certs/*
> /opt/bw/ssl/certs/USERTrust_ECC_Certification_Authority.pem:
> 5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
> europa$ grep '0e:35:03:2d' /opt/bw/ssl/certs/*
> /opt/bw/ssl/certs/USERTrust_RSA_Certification_Authority.pem:
> 01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
>
>
> Those are exactly what is needed.
If you use ca-path rather than ca-bundle with openssl, certificates in
that directory have to be named according to a hash in order to be found
by openssl.
To create a soft link properly named use:
ln -s <certname> `openssl x509 -in <certname> -noout -hash`.0
There is also a command to hash a whole directory:
https://www.openssl.org/docs/manmaster/man1/c_rehash.html
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2021-04-08
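The hashed-directory layout Patrick describes, worked through as an added example. This is not code from the list post, from curl or from OpenSSL: it is a POSIX shell script that rehashes a CA directory the way c_rehash does (symlink <subject_hash>.<n> -> file, incrementing <n> when two different CAs share a subject name), then checks the result with "openssl verify -CApath", which is the same lookup libcurl's OpenSSL backend performs for a directory given via --with-ca-path or --capath. The CA names, subjects and directory layout are made up for the demo; only the openssl command line tool is needed, and "-subject_hash" prints the same value as the "-hash" option used in the post.

```shell
#!/bin/sh
# Added example, not code from the list post, curl or OpenSSL: build an
# OpenSSL-style hashed CA directory (what curl's --with-ca-path / --capath
# expects with the OpenSSL backend) and check it with "openssl verify".
# CA names, subjects and paths below are made up for the demo.

# rehash_dir DIR
# For every *.pem in DIR create a symlink <subject_hash>.<n> -> <file>.
# OpenSSL probes <hash>.0, <hash>.1, ... until a suffix is missing, so two
# different CAs that share a subject name (e.g. a re-keyed root) must get
# distinct suffixes. A file that is already linked is left alone, so the
# function is safe to re-run. "-subject_hash" prints the same value as the
# "-hash" option used in the post.
rehash_dir() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        name=$(basename "$pem")
        h=$(openssl x509 -in "$pem" -noout -subject_hash) || return 1
        n=0
        while [ -e "$dir/$h.$n" ]; do
            # Already linked to this very file: nothing to do.
            [ "$(readlink "$dir/$h.$n")" = "$name" ] && continue 2
            n=$((n + 1))
        done
        # Relative target keeps the directory relocatable.
        ln -s "$name" "$dir/$h.$n" || return 1
    done
}

# make_test_ca CONF KEYOUT CERTOUT SUBJECT
# Throwaway self-signed CA with a fresh P-256 key. CONF is a private req
# config (written by demo_capath) so the demo does not depend on the
# system openssl.cnf; it adds SKID/AKID, which OpenSSL uses to tell apart
# CAs with identical subject names. The collision check below relies on it.
make_test_ca() {
    openssl req -x509 -batch -config "$1" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$2" -out "$3" -days 1 -subj "$4" >/dev/null 2>&1
}

# demo_capath WORK
# Creates WORK/certs with three CAs (two sharing one subject name), shows
# that CApath lookup fails while the files only carry their own names, then
# succeeds after rehashing, and that the collision yields <hash>.0 and
# <hash>.1. Returns 0 only when every step behaves as described.
demo_capath() {
    work=$1
    certs=$work/certs
    mkdir -p "$certs" || return 1
    cat >"$work/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:TRUE
EOF
    make_test_ca "$work/req.cnf" "$work/a.key" "$certs/Example_CA_A.pem" "/O=Example/CN=Example Root CA" || return 1
    make_test_ca "$work/req.cnf" "$work/b.key" "$certs/Example_CA_B.pem" "/O=Example/CN=Example Root CA" || return 1
    make_test_ca "$work/req.cnf" "$work/o.key" "$certs/Other_CA.pem"     "/O=Other/CN=Other Root CA"     || return 1

    # Only human-readable file names present: the trust anchor is not found.
    # -no-CAfile keeps the default bundle out of the picture.
    if openssl verify -no-CAfile -CApath "$certs" "$certs/Example_CA_B.pem" >/dev/null 2>&1; then
        echo "unexpected: anchor found before rehash" >&2
        return 1
    fi

    rehash_dir "$certs" || return 1
    rehash_dir "$certs" || return 1   # second run must not add links

    for f in Example_CA_A.pem Example_CA_B.pem Other_CA.pem; do
        openssl verify -no-CAfile -CApath "$certs" "$certs/$f" >/dev/null 2>&1 || {
            echo "verify failed for $f after rehash" >&2
            return 1
        }
    done

    h=$(openssl x509 -in "$certs/Example_CA_A.pem" -noout -subject_hash) || return 1
    [ -L "$certs/$h.0" ] && [ -L "$certs/$h.1" ] && [ ! -e "$certs/$h.2" ]
}

# Usage:  sh capath-rehash.sh /opt/bw/ssl/certs   (rehash a CA directory)
#         sh capath-rehash.sh --demo              (self-check in a temp dir)
case "${1:-}" in
    --demo) work=$(mktemp -d) && demo_capath "$work" && echo "demo OK: $work/certs" ;;
    "")     ;;
    *)      rehash_dir "$1" ;;
esac
```

Once the links exist, "curl --capath /opt/bw/ssl/certs https://example.com" (or a libcurl build configured with --with-ca-path) finds the anchors; "curl -v" shows which CApath/CAfile it is using. OpenSSL 1.1.0 and later also ship "openssl rehash DIR", which does the same job as the c_rehash script, including the numbered suffixes for colliding subject hashes.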