On 4/8/21 9:31 AM, Dennis Clarke via curl-library wrote:
So I looked into the location where the ssl certs "should" be given my
curl config :

$ ./configure --prefix=/opt/bw --disable-dependency-tracking \
   --disable-silent-rules --without-gnu-ld --enable-shared \
   --enable-static \
   --with-libidn=/usr/local --with-libidn2=/usr/local \
   --with-ssl=/opt/bw --with-ca-path=/opt/bw/ssl/certs \
   --enable-tls-srp --with-libssh2

So I expect that the cacert.pem file at

      https://curl.se/docs/caextract.html

would solve all my problems however :

europa$ ls -lapb /opt/bw/ssl/certs/
total 350
drwxr-xr-x  2 root  wheel       3 Apr  8 02:35 ./
drwxr-xr-x  5 root  wheel       9 Apr  7 00:14 ../
-rw-r--r--  1 root  wheel  208075 Jan 19 04:12 cacert.pem
europa$

This does not help at all and even OpenSSL seems confused.

What is your curl -V version and the verbose output? Your CA path is
supposed to contain the certificate files named by hash value [1], which
it doesn't.
I just dropped the correct certs into that directory and they are still
not found :

europa$ grep '89:80:cc:26' /opt/bw/ssl/certs/*
/opt/bw/ssl/certs/USERTrust_ECC_Certification_Authority.pem:
5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
europa$ grep '0e:35:03:2d' /opt/bw/ssl/certs/*
/opt/bw/ssl/certs/USERTrust_RSA_Certification_Authority.pem:
01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d


Those are exactly what is needed.

If you use ca-path rather than ca-bundle with openssl, certificates in that directory have to be named according to a hash in order to be found by openssl.

To create a soft link properly named use:

ln -s <certname> `openssl x509 -in <certname> -noout -hash`.0

There is also a command to hash a whole directory: https://www.openssl.org/docs/manmaster/man1/c_rehash.html

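The naming rule described in the last reply, applied to a whole CA directory, as an added example that is not part of the original thread. The function name `rehash_dir` is chosen here, and the script assumes `openssl` is on the PATH and that certificates end in `.pem` or `.crt`. It skips multi-certificate bundles such as `cacert.pem`, because `openssl x509` reads only the first certificate in a file, so a bundle belongs with the CA bundle option rather than in the CA path.

```shell
#!/bin/sh
# Added example: create the <subject-hash>.<n> symlinks OpenSSL looks up
# when it is given a CA directory (CA path) instead of a CA bundle file.
# rehash_dir is a hypothetical helper name, not an OpenSSL or curl tool.

rehash_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    linked=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue      # glob matched nothing
        # A bundle holds many certificates; hashing it would only
        # cover the first one, so report it and move on.
        count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert" || true)
        if [ "$count" -ne 1 ]; then
            echo "skip $cert: $count certificates, not usable in a CA path" >&2
            continue
        fi
        hash=$(openssl x509 -in "$cert" -noout -hash 2>/dev/null) || {
            echo "skip $cert: not a parsable certificate" >&2
            continue
        }
        fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
        # Two CAs can share a subject hash: take the first free suffix,
        # unless this exact certificate is already linked.
        n=0
        while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
            old=$(openssl x509 -in "$dir/$hash.$n" -noout \
                  -fingerprint -sha256 2>/dev/null || true)
            [ "$old" = "$fp" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
        linked=$((linked + 1))
    done
    echo "$linked"                      # number of links created
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    rehash_dir "$1"
fi
```

Running it twice on the same directory creates no duplicate links; warnings about skipped files go to stderr.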