On 11/6/2017 10:38 AM, Thomas Blom via curl-library wrote:
> Using curl 7.56.0, built against openssl-1.0.2l, I am using
> curl_easy_perform() to post to a server and receive results into a
> file using the CURLOPT_WRITEDATA and an open file handle.
>
> This worked fine under both OSX and Windows using an http url, but
> when I use https, having installed certificates on the aws-linux
> server, I find that while OSX still works fine, windows (v10) now
> fails with error 60, "Peer certificate cannot be authenticated with
> given CA certificates".
>
> The certs are cheap ones - PositiveSSL via Comodo.
>
> Reading https://curl.haxx.se/docs/sslcerts.html, I think I understand
> that this depends on the CA "store" being used on the OS, so my guess
> was that OSX is trusting PositiveSSL, but Windows is not. But, I find
> that if I navigate to this site with MS Edge, which presumably uses
> the same OS CA-store, it is fine with the https site, using those same
> certs.
>
> I see in the doc referenced that I can defeat the peer validation with
> curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE), but I'd prefer
> a better solution, which may be just buying better certs? This is
> software that is to be distributed and used by lots of folks, so it's
> not an option to just update the CA store on my windows machine so
> that this cert is trusted.
Disabling ssl verification for software in production is of very limited use and usually wrong. In most cases you will want your https transfers protected and authenticated.

Check that your computer's date and time is correct and that your certificate is not expired. Since it is working in Edge those things are probably ok.

MS Edge is using the native certificate store because it's using the native Schannel SSL (what we also call WinSSL). curl w/ OpenSSL in Windows does not do that, instead you have to supply the SSL certificates. There is not enough information in your report to tell whether you are supplying them.

You can download a standard certificate bundle [1] and rename it from cacert.pem to curl-ca-bundle.crt and put it in the same directory as your curl.exe. For libcurl you will need to set CURLOPT_CACERT [2] with the location. Over time those certificates change and may need to be updated. You could avoid all this by building curl to use WinSSL instead, and then it will use the built-in certificates that are updated automatically by Microsoft.

My last guess as to what's happening if those things don't fit is your server is not configured properly to send all the required intermediate certificates. That is an error I've seen a few times and often missed in testing. The reason is some clients will cache intermediate certificates received from a server and then use those certificates when they are missing from other servers. Firefox (NSS) and Windows (SChannel) do that. So someone will test in Firefox and think well their website works but actually Firefox (or NSS I guess) is being helpful and just filling in the blanks. And it may or may not work in some other Firefox depending on whether the intermediate has been cached. As far as I know, OpenSSL will not cache intermediates received from a server and that is perfectly acceptable since it is your server's responsibility to include those intermediates.

Check that your server is sending all the required intermediates. If you still need help please reply with more information, preferably your curl_version() and some way we can use to reproduce. (Keep in mind this is a public mailing list so please don't post anything sensitive.)

[1]: https://curl.haxx.se/docs/caextract.html
[2]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
