Re: Certificates problem

2018-05-21 Thread dp
Ah HA! CURLOPT_CAINFO does indeed work with the static library. Thank you! 
That's real progress (I swear I had tried that before without luck, but I must 
not have).

However, I still get "Unsupported protocol" if I link with libcurl.lib instead 
of libcurl_a.lib. Any thoughts on that?


-Original Message-
From: "Patrick Schlangen" [patr...@schlangen.me]
Date: 05/21/2018 09:45 AM
To: "libcurl development" <curl-library@cool.haxx.se>
Subject: Re: Certificates problem

Hi,

maybe try CURLOPT_CAINFO instead of CURLOPT_ISSUERCERT?

- Patrick


---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.htm
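
The check asked for elsewhere in this thread ("you are certain that the specified CA cert is used to sign?"), as an added example that is not part of any poster's message: it builds a throwaway PKI and runs `openssl verify -CAfile` against the issuing CA and against an unrelated one, the latter reproducing the "unable to get local issuer certificate" text from the verbose output. The CA names, subject names, file names and function names are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, nothing here comes from the thread.
WORK=$(mktemp -d)

# Self-signed CA named by $1 (hypothetical names "A" and "B").
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example CA $1" \
        -keyout "$WORK/ca_$1.key" -out "$WORK/ca_$1.pem" 2>/dev/null
}

# Leaf certificate for leaf.example, signed by the CA named in $1.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/leaf.csr" -days 1 -set_serial 1 \
        -CA "$WORK/ca_$1.pem" -CAkey "$WORK/ca_$1.key" \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Verify the leaf against the CA file in $1; print "OK" or OpenSSL's error text.
# The output is parsed instead of the exit status, which older releases
# do not set reliably on a failed verification.
check_issuer() {
    out=$(openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1) || true
    err=$(printf '%s\n' "$out" |
        sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1)
    if [ -n "$err" ]; then
        echo "$err"
    else
        case $out in
            *": OK"*) echo OK ;;
            *) echo "unexpected: $out" ;;
        esac
    fi
}

make_ca A && make_ca B && make_leaf A || echo "PKI setup failed" >&2

echo "leaf vs. CA A (its issuer): $(check_issuer "$WORK/ca_A.pem")"
echo "leaf vs. CA B (unrelated):  $(check_issuer "$WORK/ca_B.pem")"
```

A CA file that passes this check for the server's certificate chain is the kind of file CURLOPT_CAINFO expects.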



Re: Certificates problem

2018-05-21 Thread dp
No, I'm not sure the CA is used to sign. I tried it as a guess.

Which call is CAFILE used with? I'm not finding it listed in the API.



-Original Message-
From: "Waitman Gobble" [gobble...@gmail.com]
Date: 05/21/2018 09:17 AM
To: "libcurl development" <curl-library@cool.haxx.se>
Subject: Re: Certificates problem

On Mon, May 21, 2018 at 9:46 AM, dp <coulda...@excite.com> wrote:
> I am having trouble getting libcurl to work with a secure website. I am using 
> cUrl version 7.59.0, OpenSSL 1.0.2, compiling with Visual Studio 10, and 
> running this on XP/SP3. I built both static and DLL libraries, and that 
> completed without any errors. I can link either library without warnings or 
> errors. The calls to curl_easy_setopt()  include:
>
> -- CURLOPT_ISSUERCERT, 
> -- CURLOPT_DEBUGFUNCTION,
> -- CURLOPT_VERBOSE, 1L
> -- CURLOPT_URL,"https://api.sunrise-sunset.org/json?lat=37.92=-97.22;
>
> If I build with the static library (libcurl_a.lib), curl_easy_perform() 
> returns 60: Peer certificate cannot be authenticated with given CA 
> certificates. The verbose output appears to show certificate exchange (I am 
> not knowledgeable about CAs), and ends with "SSL certificate problem: unable 
> to get local issuer certificate"
>
> With the DLL library (libcurl.lib), curl_easy_perform() returns 1: 
> Unsupported protocol. The verbose output says "Protocol https not supported 
> or disabled in libcurl"
>
> In both versions, the output from curl.exe -V is:
>
> curl 7.59.0 (i386-pc-win32) libcurl/7.59.0 OpenSSL/1.0.2n WinIDN
> Release-Date: 2018-03-14
> Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s 
> rtsp smb smbs smtp smtps telnet tftp
> Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL 
> HTTPS-proxy
>
> Did I fail to build the OpenSSL libraries properly, so that certificates are 
> being mishandled? Is there another option I need to set before calling 
> curl_easy_perform()? Is the difference in responses (libcurl.lib versus 
> libcurl_a.lib) expected? I am trying to avoid the workaround that involves 
> ignoring verification of certificates.
>
> Thanks.


you are certain that the specified CA cert is used to sign?

does -CAFile report verify OK


# openssl s_client -connect api.sunrise-sunset.org:443

CONNECTED(0003)
depth=0 C = US, ST = New York
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = New York
verify return:1
---
Certificate chain
 0 s:/C=US/ST=New York
   i:/C=US/ST=New York
---
Server certificate
subject=/C=US/ST=New York
issuer=/C=US/ST=New York
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1466 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Session-ID: EB5968AF394E3D9179051A514538E00674FF713D0701455D08C343228EF969FB
Session-ID-ctx:
Master-Key:
B2B2C19994F13342D7E05BCBF2003E976320F47A474883958C2506A2A3C3A1B9AE39F5F5312A78ADFB409AC29820024C
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Re: Certificates problem

2018-05-21 Thread Patrick Schlangen
Hi,

maybe try CURLOPT_CAINFO instead of CURLOPT_ISSUERCERT?

- Patrick



Re: Certificates problem

2018-05-21 Thread Waitman Gobble
On Mon, May 21, 2018 at 9:46 AM, dp wrote:
> I am having trouble getting libcurl to work with a secure website. I am using 
> cUrl version 7.59.0, OpenSSL 1.0.2, compiling with Visual Studio 10, and 
> running this on XP/SP3. I built both static and DLL libraries, and that 
> completed without any errors. I can link either library without warnings or 
> errors. The calls to curl_easy_setopt()  include:
>
> -- CURLOPT_ISSUERCERT, 
> -- CURLOPT_DEBUGFUNCTION,
> -- CURLOPT_VERBOSE, 1L
> -- CURLOPT_URL,"https://api.sunrise-sunset.org/json?lat=37.92=-97.22;
>
> If I build with the static library (libcurl_a.lib), curl_easy_perform() 
> returns 60: Peer certificate cannot be authenticated with given CA 
> certificates. The verbose output appears to show certificate exchange (I am 
> not knowledgeable about CAs), and ends with "SSL certificate problem: unable 
> to get local issuer certificate"
>
> With the DLL library (libcurl.lib), curl_easy_perform() returns 1: 
> Unsupported protocol. The verbose output says "Protocol https not supported 
> or disabled in libcurl"
>
> In both versions, the output from curl.exe -V is:
>
> curl 7.59.0 (i386-pc-win32) libcurl/7.59.0 OpenSSL/1.0.2n WinIDN
> Release-Date: 2018-03-14
> Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s 
> rtsp smb smbs smtp smtps telnet tftp
> Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL 
> HTTPS-proxy
>
> Did I fail to build the OpenSSL libraries properly, so that certificates are 
> being mishandled? Is there another option I need to set before calling 
> curl_easy_perform()? Is the difference in responses (libcurl.lib versus 
> libcurl_a.lib) expected? I am trying to avoid the workaround that involves 
> ignoring verification of certificates.
>
> Thanks.


you are certain that the specified CA cert is used to sign?

does -CAFile report verify OK


# openssl s_client -connect api.sunrise-sunset.org:443

CONNECTED(0003)
depth=0 C = US, ST = New York
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = New York
verify return:1
---
Certificate chain
 0 s:/C=US/ST=New York
   i:/C=US/ST=New York
---
Server certificate
subject=/C=US/ST=New York
issuer=/C=US/ST=New York
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1466 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Session-ID: EB5968AF394E3D9179051A514538E00674FF713D0701455D08C343228EF969FB
Session-ID-ctx:
Master-Key:
B2B2C19994F13342D7E05BCBF2003E976320F47A474883958C2506A2A3C3A1B9AE39F5F5312A78ADFB409AC29820024C
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Certificates problem

2018-05-21 Thread dp
I am having trouble getting libcurl to work with a secure website. I am using 
cUrl version 7.59.0, OpenSSL 1.0.2, compiling with Visual Studio 10, and 
running this on XP/SP3. I built both static and DLL libraries, and that 
completed without any errors. I can link either library without warnings or 
errors. The calls to curl_easy_setopt()  include:

-- CURLOPT_ISSUERCERT, 
-- CURLOPT_DEBUGFUNCTION,
-- CURLOPT_VERBOSE, 1L
-- CURLOPT_URL,"https://api.sunrise-sunset.org/json?lat=37.92=-97.22;

If I build with the static library (libcurl_a.lib), curl_easy_perform() returns 
60: Peer certificate cannot be authenticated with given CA certificates. The 
verbose output appears to show certificate exchange (I am not knowledgeable 
about CAs), and ends with "SSL certificate problem: unable to get local issuer 
certificate"

With the DLL library (libcurl.lib), curl_easy_perform() returns 1: Unsupported 
protocol. The verbose output says "Protocol https not supported or disabled in 
libcurl"

In both versions, the output from curl.exe -V is:

curl 7.59.0 (i386-pc-win32) libcurl/7.59.0 OpenSSL/1.0.2n WinIDN
Release-Date: 2018-03-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp 
smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL 
HTTPS-proxy 

Did I fail to build the OpenSSL libraries properly, so that certificates are 
being mishandled? Is there another option I need to set before calling 
curl_easy_perform()? Is the difference in responses (libcurl.lib versus 
libcurl_a.lib) expected? I am trying to avoid the workaround that involves 
ignoring verification of certificates.

Thanks.




