This is a file containing CA certificate (contents of cacert.pem).

Thanks,
Vinay


________________________________
From: [email protected] 
[mailto:[email protected]] On Behalf Of Vinay Jindal
Sent: Friday, January 29, 2010 10:13 AM
To: libcurl development
Subject: RE: Problem in creating SSL connection using libcurl

This is a file containing CA certificate (contents of cacert.pem).

Thanks,
Vinay

________________________________
From: [email protected] 
[mailto:[email protected]] On Behalf Of Corcoran, Jason
Sent: Friday, January 29, 2010 10:07 AM
To: libcurl development
Cc: libcurl development
Subject: Re: Problem in creating SSL connection using libcurl

The path should have the cert file name on it. Is trustAnchor a file or 
directory?

Jason

On Jan 28, 2010, at 8:30 PM, "Vinay Jindal" 
<[email protected]> wrote:
Hi Jason,
Thanks for responding, but the problem is still the same even after using an 
absolute path:

* About to connect() to 172.16.105.172 port 9001
*   Trying 172.16.105.172... * connected
* Connected to 172.16.105.172 (172.16.105.172) port 9001
* successfully set certificate verify locations:
*   CAfile: /user/gur10724/alu/scripts/curl/trustAnchor
  CApath: none
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
failed
* Closing connection #0

Vne::res = 60
Vne::errorCode=0

Vne::error=SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
failed

I am unable to figure out what exactly error 14090086 means for libcurl and 
which part of the server's certificate it fails to verify.
Surprisingly, this whole thing works when both the server and the SSL client 
are run on the same machine.

Also, is there any way to enable OpenSSL traces using libcurl APIs?

Thanks,
Vinay

________________________________
From: [email protected] 
[mailto:[email protected]] On Behalf Of Corcoran, Jason
Sent: Thursday, January 28, 2010 7:31 PM
To: libcurl development
Cc: [email protected]
Subject: Re: Problem in creating SSL connection using libcurl

I have found that when you are setting the location of the ca cert, you should 
give it the full path name and not just the relative one.

Jason

On Jan 28, 2010, at 3:34 AM, "Vinay Jindal" 
<[email protected]> wrote:
Hi,

I have created a test HTTPS client using libcurl for creating an SSL 
connection with an HTTPS server. The source code is given below:

#include <stdio.h>
#include <curl/curl.h>

int main(void)
{
  CURL *curl;
  CURLcode res;
  long errorCode = 0;   /* CURLINFO_SSL_VERIFYRESULT writes into a long */
  char error[CURL_ERROR_SIZE];

  error[0] = '\0';
  curl_global_init(CURL_GLOBAL_ALL);

  curl = curl_easy_init();
  if(curl) {

    /* numeric options take a long; VERIFYHOST 2 requires the certificate
       name to match the host in the URL */
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
    curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
    curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, error);

    /* CA certificate used to verify the server certificate */
    curl_easy_setopt(curl, CURLOPT_CAINFO, "./ca.cert");

    curl_easy_setopt(curl, CURLOPT_URL, "https://172.16.105.172:9001/");

    res = curl_easy_perform(curl);

    if (res != CURLE_OK)
    {
        printf("\nVne::res = %d", res);
        curl_easy_getinfo(curl, CURLINFO_SSL_VERIFYRESULT, &errorCode);

        printf("\nVne::errorCode=%ld\n", errorCode);
        printf("\nVne::error=%s\n", error);
    }

    curl_easy_cleanup(curl);
  }

  curl_global_cleanup();
  return 0;
}


The file 'ca.cert' contains the certificate of the CA (a sample CA set up by 
me). The SSL server at 172.16.105.172:9001 is provided with a certificate 
signed by the sample CA. But when it tries to create the SSL connection to the 
server, it fails with the following error:

* About to connect() to 172.16.105.172 port 9001
*   Trying 172.16.105.172... * connected
* Connected to 172.16.105.172 (172.16.105.172) port 9001
* successfully set certificate verify locations:
*   CAfile: ./trustAnchor
  CApath: none
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
failed
* Closing connection #0

Vne::res = 60
Vne::errorCode=0

Vne::error=SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
failed



When I disable the SSL_VERIFYPEER option, then the connection gets established 
but with the following warning:

* About to connect() to 172.16.105.172 port 9001
*   Trying 172.16.105.172... * connected
* Connected to 172.16.105.172 (172.16.105.172) port 9001
* successfully set certificate verify locations:
*   CAfile: ./trustAnchor
  CApath: none
* SSL connection using AES256-SHA
* Server certificate:
*        subject: 
/C=IN/ST=GGN/O=Aricent/OU=PRD/CN=172.16.105.172/emailAddress=[email protected]
*        start date: 2010-01-28 04:52:36 GMT
*        expire date: 2011-01-28 04:52:36 GMT
*        common name: 172.16.105.172 (matched)
*        issuer: /C=IN/ST=GGN/L=GGN/O=Aricent/OU=PRD/CN=VNE Root 
Certificate/emailAddress=[email protected]
* SSL certificate verify result: error number 1 (9), continuing anyway.

From where I can get more information about returned error number 1 and (9)? 
And, why it is not working with VERIFYPEER enabled? Is there some problem with 
the certificates that I am using?

One more observation that I have is: When I run this HTTPS client code on the 
same machine as the SSL server, then the connection gets established successfully.

Any help is greatly appreciated. Thanks in Advance.

Regards,
Vinay



________________________________
"DISCLAIMER: This message is proprietary to Aricent and is intended solely for 
the use of the individual to whom it is addressed. It may contain privileged or 
confidential information and should not be circulated or used for any purpose 
other than for what it is intended. If you have received this message in error, 
please notify the originator immediately. If you are not the intended 
recipient, you are notified that you are strictly prohibited from using, 
copying, altering, or disclosing the contents of this message. Aricent accepts 
no responsibility for loss or damage arising from the use of the information 
transmitted by this email including damage from virus."

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
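
Added example, not part of the original thread or of libcurl: a small C helper that reads the number in parentheses from the "SSL certificate verify result" line quoted above, on the assumption that it is OpenSSL's X509 verify result code, and names it using values from OpenSSL's x509_vfy.h. The function names and the client clock value are constructed for illustration; `validity_code` shows the validity-window comparison behind codes 9 and 10, using the start and expire dates from the log.

```c
#include <stdio.h>
#include <string.h>

/* Subset of OpenSSL's X509_V_* verify result values (x509_vfy.h). */
static const struct { long code; const char *name; } verify_codes[] = {
    { 0,  "X509_V_OK" },
    { 9,  "X509_V_ERR_CERT_NOT_YET_VALID" },
    { 10, "X509_V_ERR_CERT_HAS_EXPIRED" },
    { 18, "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT" },
    { 19, "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN" },
    { 20, "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY" },
    { 21, "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE" },
};

const char *verify_code_name(long code)
{
    size_t i;
    for (i = 0; i < sizeof verify_codes / sizeof verify_codes[0]; i++)
        if (verify_codes[i].code == code)
            return verify_codes[i].name;
    return "not in this table";
}

/* Pull N out of "SSL certificate verify result: <text> (N), ..."; -1 if absent. */
long parse_verify_result(const char *line)
{
    const char *p = strstr(line, "SSL certificate verify result:");
    long code;
    if (!p || !(p = strrchr(p, '(')) || sscanf(p, "(%ld)", &code) != 1)
        return -1;
    return code;
}

/* Validity window as seen from the client's clock. Arguments are zero-padded
   "YYYY-MM-DD hh:mm:ss" GMT strings, so strcmp() orders them correctly. */
long validity_code(const char *start, const char *expire, const char *now)
{
    if (strcmp(now, start) < 0)  return 9;   /* clock is before the start date */
    if (strcmp(now, expire) > 0) return 10;  /* clock is past the expire date */
    return 0;
}

int main(void)
{
    /* Line taken from the log above; the client clock below is constructed. */
    long code = parse_verify_result("* SSL certificate verify result: error number 1 (9), continuing anyway.");
    printf("%ld = %s\n", code, verify_code_name(code));
    printf("%ld\n", validity_code("2010-01-28 04:52:36", "2011-01-28 04:52:36", "2010-01-28 03:34:00"));
    return 0;
}
```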
