On 4/8/21 2:23 AM, Daniel Stenberg wrote:
> On Thu, 8 Apr 2021, Dennis Clarke via curl-library wrote:
>
>> So I looked into the location where the ssl certs "should" be given my
>> curl config :
>>
>> $ ./configure ...
>> --with-ca-path=/opt/bw/ssl/certs \
>
> Note that this is the *ca path* where OpenSSL expects to find individual
> certs stored.
>
> You use --with-ca-bundle to specify a "bundle" as a single file.
>
> OpenSSL supports both setups.

Ah ha. Well that makes sense and now I can rebuild curl with better/other
config options to specify the ca cert bundle. For the sake of being verbose
this is what I see :

europa$
europa$ /opt/bw/bin/curl -vvvvv -4 -L --url 'https://gitlab.com/' -o /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 172.65.251.78:443...
* Connected to gitlab.com (172.65.251.78) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: none
*  CApath: /opt/bw/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4542 bytes data]
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
europa$

Well there we see CAfile: none.

>> So I expect that the cacert.pem file at
>>
>> https://curl.se/docs/caextract.html
>>
>> would solve all my problems however :
>>
>> europa$ ls -lapb /opt/bw/ssl/certs/
>> total 350
>> drwxr-xr-x  2 root  wheel       3 Apr  8 02:35 ./
>> drwxr-xr-x  5 root  wheel       9 Apr  7 00:14 ../
>> -rw-r--r--  1 root  wheel  208075 Jan 19 04:12 cacert.pem
>> europa$
>>
>> This does not help at all and even OpenSSL seems confused.
>
> Exactly, because you now put the bundle in the directory where OpenSSL
> expects a directory setup.
>
> You should rather try your downloaded bundle like this:
>
> $ curl --cacert /opt/bw/ssl/certs/cacert.pem -4 -L https://gitlab.com/
> -o /dev/null
>
> ... it certainly works for me!

Well I really don't want to have to specify a cert path on every command line
so it would be best to just build a new curl. Speaking of which there is a
patch in the works for 7.75.1 ?

-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
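The CApath-versus-bundle mismatch discussed in this thread can be reproduced offline with OpenSSL's own `verify` command, which uses the same two lookup mechanisms curl's `--with-ca-path` / `--with-ca-bundle` (and `--cacert`) map onto. The script below is an added example, not code from the thread or from the curl project: it generates a throwaway root CA and a leaf certificate, then checks the leaf against (1) a directory holding only a bare `cacert.pem`, the layout in the `ls` output above, (2) the same directory after adding the `<subject-hash>.0` name OpenSSL's directory lookup actually searches for, and (3) the bundle passed as a single file. It assumes an `openssl` CLI of version 1.1.0 or later on `PATH` (for `-no-CAfile` / `-no-CApath`); all certificates and paths are constructed by the script.

```shell
#!/bin/sh
# Added example: reproduce "CApath with a bundle in it" vs. a hashed CApath
# vs. CAfile, using a throwaway CA generated here (nothing from the thread).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed root CA and one leaf it signs.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
      -out "$WORK/ca.pem" -subj "/CN=Example Test CA" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
      -out "$WORK/leaf.csr" -subj "/CN=leaf.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" \
      -days 1 >/dev/null 2>&1
}

# Prints "ok" when OpenSSL can build a chain for the leaf with the given
# trust-store options, "fail" otherwise (the curl (60) case).
verify_with() {
  if openssl verify "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Scenario 1: the downloaded bundle dropped into the CApath directory.
# The directory lookup only opens files named <subject-hash>.<n>, so a file
# called cacert.pem is never consulted and the issuer is not found.
capath_with_bundle_only() {
  dir="$WORK/capath-bundle"
  mkdir -p "$dir"
  cp "$WORK/ca.pem" "$dir/cacert.pem"
  verify_with -no-CAfile -CApath "$dir"
}

# Scenario 2: same directory, plus the hash-named link a CApath expects
# (what `openssl rehash` / c_rehash would create for every cert in it).
capath_hashed() {
  dir="$WORK/capath-hashed"
  mkdir -p "$dir"
  cp "$WORK/ca.pem" "$dir/cacert.pem"
  ln -sf cacert.pem "$dir/$(openssl x509 -noout -hash -in "$WORK/ca.pem").0"
  verify_with -no-CAfile -CApath "$dir"
}

# Scenario 3: the bundle given as a single file, i.e. curl's --cacert or a
# build configured with --with-ca-bundle.
cafile_bundle() {
  verify_with -no-CApath -CAfile "$WORK/ca.pem"
}

make_chain
printf 'CApath holding only cacert.pem : %s\n' "$(capath_with_bundle_only)"
printf 'CApath with <hash>.0 link      : %s\n' "$(capath_hashed)"
printf 'CAfile bundle                  : %s\n' "$(cafile_bundle)"
```

The first scenario is the thread's situation: the directory is a valid CApath as far as OpenSSL is concerned, it just contains no file it knows how to find, which is why curl reports `CAfile: none`, a populated `CApath`, and still fails with "unable to get local issuer certificate". Either hashing the directory or pointing the bundle path at the file resolves it.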