Re: Adding Mozzila CA certificates
From: Timothe Litt <litt_at_acm.org>
Date: Mon, 27 Nov 2023 11:41:23 -0500
On 27-Nov-23 10:03, Luis Carlos Chalaca Figueira via curl-library wrote:
> Hello,
>
> While developing a crawler I realized that some websites that can be
> displayed by Chrome and Firefox would throw SSL errors on libcurl
> requests
>
> Exs:
>
> SSL connect error
>
> SSL routines::unsafe legacy renegotiation disabled
>
> SSL peer certificate or SSH remote key was not OK
>
>
> Therefore I had the idea of adding the certificates used by firefox to
> prevent that.
>
> I downloaded the cacert.pem file from
> https://curl.se/docs/caextract.html and added it to the ca store with
> the following commands:
>
> $ openssl x509 -in cacert-Mozzila.pem -out cacert-Mozzila.crt
>
> $ sudo cp cacert-Mozzila.crt /usr/local/share/ca-certificates
>
> $ sudo update-ca-certificates
>
>
> However those sites continue to throw those errors. What have I missed
> to be able to get the same responses as firefox?
>
Your openssl x509 command will only extract one certificate from the
bundle. You don't need it. cacert.pem is a bundle of many.

Copy the downloaded cacert.pem to whatever location and/or name your
distribution needs. Or symlink from there to your download location.

Note that this doesn't add the bundle to the system default; it replaces
the system default. To add, you need to merge the bundles, which is a
bit more involved. In most cases, simply using the Mozilla bundle suffices.

As Daniel noted, legacy renegotiation has nothing to do with the ca store.
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
Received on 2023-11-27
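
The two points in the reply above, as an added example that is not part of the original thread: counting how many certificates a PEM bundle holds, and merging two bundles so the result adds to the existing set instead of replacing it. The function names and the placeholder PEM bodies are assumptions made for the example.

```shell
#!/bin/sh
# Added example. PEM bodies here are constructed placeholders, not real
# certificates; function names are illustrative.

# Number of certificates in a PEM bundle.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Concatenate bundles, dropping certificates already seen. The key is the
# base64 body with line breaks removed, so a re-wrapped copy still matches.
# Comment text between certificates is not carried over.
merge_bundles() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF files
        /^-----BEGIN CERTIFICATE-----/ { inside = 1; key = ""; pem = ""; next }
        /^-----END CERTIFICATE-----/ {
            if (inside && !(key in seen)) {
                seen[key] = 1
                printf "-----BEGIN CERTIFICATE-----\n%s", pem
                print "-----END CERTIFICATE-----"
            }
            inside = 0; next
        }
        inside { key = key $0; pem = pem $0 "\n" }
    ' "$@"
}

# Write one constructed PEM block per argument; "|" marks a line break.
pem_blocks() {
    for body in "$@"; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----'
        printf '%s\n' "$body" | tr '|' '\n'
        printf '%s\n' '-----END CERTIFICATE-----'
    done
}

demo() {
    dir=$(mktemp -d) || return 1
    pem_blocks 'AAAAsampleCAone0' 'BBBBsampleCAtwo0' > "$dir/system.pem"
    pem_blocks 'BBBBsamp|leCAtwo0' 'CCCCsampleCA3000' > "$dir/mozilla.pem"
    merge_bundles "$dir/system.pem" "$dir/mozilla.pem" > "$dir/merged.pem"
    echo "$(count_certs "$dir/system.pem") $(count_certs "$dir/mozilla.pem")" \
         "$(count_certs "$dir/merged.pem")"
    rm -rf "$dir"
}

demo   # prints: 2 2 3
```

On a real system the inputs would be the distribution's current bundle and the downloaded cacert.pem; where the merged file has to go is distribution-specific.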