On Thu, Nov 28, 2019 at 4:58 PM Daniel Stenberg <[email protected]> wrote:
>
> On Thu, 28 Nov 2019, Jeffrey Walton via curl-library wrote:
>
> > I'm having trouble connecting to a server that uses Let's Encrypt.
>
> With a huuuge portion of the web now using Let's Encrypt certs, I would've
> expected more people to report problems if that would be the case.
>
> I presume you use a recent curl with OpenSSL?
>
> I don't quite understand your remark on needing X509_V_FLAG_PARTIAL_CHAIN. Are
> you not using a full "chain"?
One thing I noticed that now piques my interest...

Ubuntu 18.04 is OK. On Fedora I needed to install libcurl-devel. On Ubuntu
libcurl-dev was not available. I needed to install libcurl4-openssl-dev. There
were two other similar packages - one for nss (iirc) and one for gnutls (iirc).

If cURL is using GnuTLS on Ubuntu, then that would explain the difference.
GnuTLS does not use OpenSSL, but it effectively uses `X509_V_FLAG_PARTIAL_CHAIN`
in its internal logic. OpenSSL requires the explicit flag.

Here's the Wget bug report that eventually got X509_V_FLAG_PARTIAL_CHAIN added
for OpenSSL when the user explicitly specifies his/her CA list:
https://lists.gnu.org/archive/html/bug-wget/2017-10/msg00004.html . GnuTLS was
OK because of its differing internal logic. The change was made for Wget 1.20.2.

It looks like X509_V_FLAG_PARTIAL_CHAIN was discussed before for cURL, but I
could not tell where it ended: https://curl.haxx.se/mail/lib-2015-11/0079.html .

Looking at the sources, I don't see X509_V_FLAG_PARTIAL_CHAIN. It looks like
cURL may lack it.

    $ grep -IR X509_V_FLAG_PARTIAL_CHAIN ./
    $ grep -IR X509_V_FLAG_PARTIAL_CHAIN ./*
    $

Jeff

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
