Please validate both platforms with "openssl s_client" first. When it comes to embedded, the first error cause that comes to mind is a wrong or unset system time. Date and time are required to validate the certificate chain.
On 3 January 2014 18:43, bill dr <[email protected]> wrote:
> Hi all,
> I am using libcurl to download files from a https server using self
> signed cert file.
> The small code that I wrote is working on my ubuntu PC but not working
> in the target platform.
> I tested also with command line curl and I had the same certification issue.
> The two platforms are quite different but I don't know the root cause
> of this problem.
>
> following the used command in both platforms and the output that I
> have got + the result of curl -V command in both platforms :
>
> curl -v --digest --noproxy 10.1.1.93 --user test:test --cacert
> server.crt https://10.1.1.93/test.txt
>
> ----------------------------------------------------------------------------------------------
> result in PC:
>
> * About to connect() to 10.1.1.93 port 443 (#0)
> * Trying 10.1.1.93... connected
> * Connected to 10.1.1.93 (10.1.1.93) port 443 (#0)
> * successfully set certificate verify locations:
> * CAfile: server.crt
>   CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server key exchange (12):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using DHE-RSA-AES256-SHA
> * Server certificate:
> * subject: ...............
> * start date: 2013-12-19 11:30:22 GMT
> * expire date: 2023-12-17 11:30:22 GMT
> * common name: 10.1.1.93 (matched)
> * issuer:......................
> * SSL certificate verify ok.
> * Server auth using Digest with user 'test'
>> GET /suota_manifest.json HTTP/1.1
>> User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k
>> zlib/1.2.3.3 libidn/1.15
>> Host: 10.1.1.93
>> Accept: */*
>
> --------------------------------------------------------------------------------------------
>
> curl -V
> curl 7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k
> zlib/1.2.3.3 libidn/1.15
> Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
> Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
>
> ----------------------------------------------------------------------------------------------
>
> result in embedded platform:
>
> * About to connect() to 10.1.1.93 port 443 (#0)
> * Trying 10.1.1.93...
> * connected
> * Connected to 10.1.1.93 (10.1.1.93) port 443 (#0)
> * successfully set certificate verify locations:
> * CAfile: server.crt
>   CApath: none
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS alert, Server hello (2):
> * SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
> * Closing connection #0
> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
> ----------------------------------------------------------------------------------------------
>
> curl -V
> curl 7.24.0 (arm-angstrom-linux-gnueabi) libcurl/7.24.0 OpenSSL/1.0.0j
> zlib/1.2.6 libidn/1.24
> Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s
> rtsp smtp smtps telnet tftp
> Features: IDN NTLM NTLM_WB SSL libz
>
> ----------------------------------------------------------------------------------------------
>
> Could you please help me to find what is going wrong?
> Thank you!
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
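
The clock check suggested in the reply, as an added example that is not part of the original thread: it compares a clock value against the validity window curl printed on the PC (start date 2013-12-19 11:30:22 GMT, expire date 2023-12-17 11:30:22 GMT). The function names, status strings and epoch values are assumptions made for illustration; `cert_file_status` additionally assumes GNU `date` and a PEM file such as the thread's `server.crt`.

```shell
#!/bin/sh
# Added example (not from the thread): is the system clock inside a
# certificate's validity window? An unset clock makes a valid certificate
# look "not yet valid", and chain verification then fails.

# cert_window_status NOT_BEFORE NOT_AFTER [NOW_EPOCH]
#   Dates are UTC strings as curl -v prints them ("2013-12-19 11:30:22 GMT").
#   NOW_EPOCH defaults to the current system clock.
#   Prints one of: ok | clock-before-notBefore | clock-after-notAfter
#   Returns 2 if a date is missing or cannot be parsed.
cert_window_status() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    # Strip the trailing " GMT" and let date -u interpret the rest as UTC.
    nb=$(date -u -d "${1% GMT}" +%s) || return 2
    na=$(date -u -d "${2% GMT}" +%s) || return 2
    now=${3:-$(date -u +%s)}
    if [ "$now" -lt "$nb" ]; then
        echo "clock-before-notBefore"
    elif [ "$now" -gt "$na" ]; then
        echo "clock-after-notAfter"
    else
        echo "ok"
    fi
}

# cert_file_status CERT.pem [NOW_EPOCH]
#   Reads notBefore/notAfter from a PEM certificate with openssl x509.
#   Assumption: GNU date, which parses openssl's "Dec 19 11:30:22 2013 GMT".
cert_file_status() {
    start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    [ -n "$start" ] && [ -n "$end" ] || return 2
    cert_window_status "$start" "$end" "$2"
}

# Constructed usage on the target, with the thread's CA file:
#   date -u                       # inspect the clock first
#   cert_file_status server.crt   # "clock-before-notBefore" points at an unset clock
```

If the status is `clock-before-notBefore`, set the clock (NTP or `date -s`) before looking further at the CA file or the OpenSSL build.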
