Re: CURLINFO_CERTINFO and TLS certificate chain availability
From: dogma via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 25 Dec 2025 19:59:35 +0000
> From: Ray Satiro
> Do you have a way to reproduce the missing certs when there is an
> expired certificate error? I'm not sure I'd consider it a bug since
> certificate information is not guaranteed if the handshake fails, but
> I'd still like to know why it works for me and not for you.
>
> I'm attaching an expired CA certificate expirted_geotrust_ca.crt that I
> used to connect to https://download.cyanogenmod.org which caused the
> transfer to fail due to "SSL certificate OpenSSL verify result:
> certificate has expired". For me it is working to show the certs when
> the transfer fails due to expired certificates.
>
>   curl_easy_setopt(curl, CURLOPT_CAINFO, "expirted_geotrust_ca.crt");
It turned out to be my fault, of course.
With the Debian package (8.14.1), it’s “SSL certificate problem: certificate has expired” and no certs.
Building 8.17.0 myself, it blossoms out to “SSL certificate OpenSSL verify result: certificate has expired (10)” and gives a chain of certificates.
I’m sorry for thinking that building my own seemed like overkill for something that has just been a modest wish for a few years now. It is always rule number one to have the latest if at all possible.
> URL: <https://lists.haxx.se/pipermail/curl-library/attachments/20251224/5a339fb3/attachment-0001.crt>
BTW, this redirects me to https://curl.se/mail/list.cgi?list=curl-library/attachments/20251224/5a339fb3/attachment-0001.crt and gives a page that says “curl-libraryattachmentsafbattachment-crt? Are you playing with me? There is no such list!”.
I was able to get the attachment by going to the mailing list archive.
Received on 2025-12-25