Re: Certificates problem
Ah HA! CURLOPT_CAINFO does indeed work with the static library. Thank you! That's real progress (I swear I had tried that before without luck, but I must not have).

However, I still get "Unsupported protocol" if I link with libcurl.lib instead of libcurl_a.lib. Any thoughts on that?

-Original Message-
From: "Patrick Schlangen" [patr...@schlangen.me]
Date: 05/21/2018 09:45 AM
To: "libcurl development" <curl-library@cool.haxx.se>
Subject: Re: Certificates problem

Hi,

maybe try CURLOPT_CAINFO instead of CURLOPT_ISSUERCERT?

- Patrick

---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html

Re: Certificates problem
No, I'm not sure the CA is used to sign. I tried it as a guess. Which call is CAFILE used with? I'm not finding it listed in the API.

-Original Message-
From: "Waitman Gobble" [gobble...@gmail.com]
Date: 05/21/2018 09:17 AM
To: "libcurl development" <curl-library@cool.haxx.se>
Subject: Re: Certificates problem

On Mon, May 21, 2018 at 9:46 AM, dp <coulda...@excite.com> wrote:
> I am having trouble getting libcurl to work with a secure website. I am using
> cUrl version 7.59.0, OpenSSL 1.0.2, compiling with Visual Studio 10, and
> running this on XP/SP3. I built both static and DLL libraries, and that
> completed without any errors. I can link either library without warnings or
> errors. The calls to curl_easy_setopt() include:
>
> -- CURLOPT_ISSUERCERT,
> -- CURLOPT_DEBUGFUNCTION,
> -- CURLOPT_VERBOSE, 1L
> -- CURLOPT_URL,"https://api.sunrise-sunset.org/json?lat=37.92=-97.22;
>
> If I build with the static library (libcurl_a.lib), curl_easy_perform()
> returns 60: Peer certificate cannot be authenticated with given CA
> certificates. The verbose output appears to show certificate exchange (I am
> not knowledgeable about CAs), and ends with "SSL certificate problem: unable
> to get local issuer certificate"
>
> With the DLL library (libcurl.lib), curl_easy_perform() returns 1:
> Unsupported protocol. The verbose output says "Protocol https not supported
> or disabled in libcurl"
>
> In both versions, the output from curl.exe -V is:
>
> curl 7.59.0 (i386-pc-win32) libcurl/7.59.0 OpenSSL/1.0.2n WinIDN
> Release-Date: 2018-03-14
> Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s
> rtsp smb smbs smtp smtps telnet tftp
> Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL
> HTTPS-proxy
>
> Did I fail to build the OpenSSL libraries properly, so that certificates are
> being mishandled? Is there another option I need to set before calling
> curl_easy_perform()? Is the difference in responses (libcurl.lib versus
> libcurl_a.lib) expected? I am trying to avoid the workaround that involves
> ignoring verification of certificates.
>
> Thanks.

you are certain that the specified CA cert is used to sign?

does -CAFile report verify OK

# openssl s_client -connect api.sunrise-sunset.org:443
CONNECTED(0003)
depth=0 C = US, ST = New York
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = New York
verify return:1
---
Certificate chain
 0 s:/C=US/ST=New York
   i:/C=US/ST=New York
---
Server certificate
subject=/C=US/ST=New York
issuer=/C=US/ST=New York
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1466 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher: ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: EB5968AF394E3D9179051A514538E00674FF713D0701455D08C343228EF969FB
    Session-ID-ctx:
    Master-Key: B2B2C19994F13342D7E05BCBF2003E976320F47A474883958C2506A2A3C3A1B9AE39F5F5312A78ADFB409AC29820024C
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

Re: Certificates problem
Hi,

maybe try CURLOPT_CAINFO instead of CURLOPT_ISSUERCERT?

- Patrick

Re: Certificates problem
On Mon, May 21, 2018 at 9:46 AM, dp <coulda...@excite.com> wrote:
> I am having trouble getting libcurl to work with a secure website. I am using
> cUrl version 7.59.0, OpenSSL 1.0.2, compiling with Visual Studio 10, and
> running this on XP/SP3. I built both static and DLL libraries, and that
> completed without any errors. I can link either library without warnings or
> errors. The calls to curl_easy_setopt() include:
>
> -- CURLOPT_ISSUERCERT,
> -- CURLOPT_DEBUGFUNCTION,
> -- CURLOPT_VERBOSE, 1L
> -- CURLOPT_URL,"https://api.sunrise-sunset.org/json?lat=37.92=-97.22;
>
> If I build with the static library (libcurl_a.lib), curl_easy_perform()
> returns 60: Peer certificate cannot be authenticated with given CA
> certificates. The verbose output appears to show certificate exchange (I am
> not knowledgeable about CAs), and ends with "SSL certificate problem: unable
> to get local issuer certificate"
>
> With the DLL library (libcurl.lib), curl_easy_perform() returns 1:
> Unsupported protocol. The verbose output says "Protocol https not supported
> or disabled in libcurl"
>
> In both versions, the output from curl.exe -V is:
>
> curl 7.59.0 (i386-pc-win32) libcurl/7.59.0 OpenSSL/1.0.2n WinIDN
> Release-Date: 2018-03-14
> Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s
> rtsp smb smbs smtp smtps telnet tftp
> Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL
> HTTPS-proxy
>
> Did I fail to build the OpenSSL libraries properly, so that certificates are
> being mishandled? Is there another option I need to set before calling
> curl_easy_perform()? Is the difference in responses (libcurl.lib versus
> libcurl_a.lib) expected? I am trying to avoid the workaround that involves
> ignoring verification of certificates.
>
> Thanks.

you are certain that the specified CA cert is used to sign?

does -CAFile report verify OK

# openssl s_client -connect api.sunrise-sunset.org:443
CONNECTED(0003)
depth=0 C = US, ST = New York
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = New York
verify return:1
---
Certificate chain
 0 s:/C=US/ST=New York
   i:/C=US/ST=New York
---
Server certificate
subject=/C=US/ST=New York
issuer=/C=US/ST=New York
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1466 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher: ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: EB5968AF394E3D9179051A514538E00674FF713D0701455D08C343228EF969FB
    Session-ID-ctx:
    Master-Key: B2B2C19994F13342D7E05BCBF2003E976320F47A474883958C2506A2A3C3A1B9AE39F5F5312A78ADFB409AC29820024C
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

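The check asked about in the message above ("does -CAFile report verify OK") can be tried offline. This added example, which is not part of the original thread, builds two throw-away CAs and one server certificate (all names and keys are constructed) and prints the X509 verify code that `openssl verify -CAfile` reports: 0 with the signing CA, 20 ("unable to get local issuer certificate", the message curl printed) with an unrelated CA file, and 18 ("self signed certificate", as in the s_client output) for an untrusted self-signed certificate.

```sh
#!/bin/sh
# Added example: all keys, certificates and names here are constructed.
set -eu

# new_ca DIR NAME: self-signed CA certificate DIR/NAME.pem, key DIR/NAME.key
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# new_leaf DIR CA HOST: certificate DIR/HOST.pem for HOST, signed by CA
new_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# verify_code CAFILE CERT: print 0 if CERT chains to a CA in CAFILE,
# otherwise the first X509 verify error number openssl reports.
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    code=$(printf '%s\n' "$out" |
           sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        case "$out" in
            *": OK"*) code=0 ;;
            *)        code=unknown ;;
        esac
    fi
    printf '%s\n' "$code"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
new_ca   "$work" test-ca
new_ca   "$work" other-ca
new_leaf "$work" test-ca api.example.test
leaf="$work/api.example.test.pem"

echo "signing CA as CA file:      $(verify_code "$work/test-ca.pem"  "$leaf")"
echo "unrelated CA as CA file:    $(verify_code "$work/other-ca.pem" "$leaf")"
echo "untrusted self-signed cert: $(verify_code "$work/other-ca.pem" "$work/test-ca.pem")"
```
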
Certificates problem
I am having trouble getting libcurl to work with a secure website. I am using cUrl version 7.59.0, OpenSSL 1.0.2, compiling with Visual Studio 10, and running this on XP/SP3. I built both static and DLL libraries, and that completed without any errors. I can link either library without warnings or errors. The calls to curl_easy_setopt() include:

-- CURLOPT_ISSUERCERT,
-- CURLOPT_DEBUGFUNCTION,
-- CURLOPT_VERBOSE, 1L
-- CURLOPT_URL,"https://api.sunrise-sunset.org/json?lat=37.92=-97.22;

If I build with the static library (libcurl_a.lib), curl_easy_perform() returns 60: Peer certificate cannot be authenticated with given CA certificates. The verbose output appears to show certificate exchange (I am not knowledgeable about CAs), and ends with "SSL certificate problem: unable to get local issuer certificate"

With the DLL library (libcurl.lib), curl_easy_perform() returns 1: Unsupported protocol. The verbose output says "Protocol https not supported or disabled in libcurl"

In both versions, the output from curl.exe -V is:

curl 7.59.0 (i386-pc-win32) libcurl/7.59.0 OpenSSL/1.0.2n WinIDN
Release-Date: 2018-03-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL HTTPS-proxy

Did I fail to build the OpenSSL libraries properly, so that certificates are being mishandled? Is there another option I need to set before calling curl_easy_perform()? Is the difference in responses (libcurl.lib versus libcurl_a.lib) expected? I am trying to avoid the workaround that involves ignoring verification of certificates.

Thanks.