Hey all,

I'm having trouble using cURL to successfully validate a certificate chain when 
connecting to an HTTPS server with the following certificate hierarchy:

Entrust.net Secure Server Certification Authority -> DigiCert Global CA -> 
*.ourdomain.com certificate

cURL is linked with OpenSSL, and when I try to connect to it, I get

Sep 22 11:34:48: DEBUG: cURL debug: About to connect() to foo.ourdomain.com 
port 443 (#0)
Sep 22 11:34:48: DEBUG: cURL debug:   Trying 10.114.24.145...
Sep 22 11:34:48: DEBUG: cURL debug: connected
Sep 22 11:34:48: DEBUG: cURL debug: Connected to foo.ourdomain.com 
(10.114.24.145) port 443 (#0)
Sep 22 11:34:48: DEBUG: cURL debug: successfully set certificate verify 
locations:
Sep 22 11:34:48: DEBUG: cURL debug:   CAfile: mozilla-root-certs.crt
  CApath: none
Sep 22 11:34:48: DEBUG: cURL debug: WARNING: failed to configure server name 
indication (SNI) TLS extension
Sep 22 11:34:48: DEBUG: cURL debug: SSLv3, TLS handshake, Client hello (1):
Sep 22 11:34:48: DEBUG: cURL debug: Data sent, 81 bytes
Sep 22 11:34:48: DEBUG: cURL debug: SSLv3, TLS handshake, Server hello (2):
Sep 22 11:34:48: DEBUG: cURL debug: Data received, 74 bytes
Sep 22 11:34:48: DEBUG: cURL debug: SSLv3, TLS handshake, CERT (11):
Sep 22 11:34:48: DEBUG: cURL debug: Data received, 2974 bytes
Sep 22 11:34:48: DEBUG: cURL debug: SSLv3, TLS alert, Server hello (2):
Sep 22 11:34:48: DEBUG: cURL debug: Data sent, 2 bytes
Sep 22 11:34:48: DEBUG: cURL debug: SSL certificate problem, verify that the CA 
cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
failed
Sep 22 11:34:48: DEBUG: cURL debug: Expire cleared
Sep 22 11:34:48: DEBUG: cURL debug: Closing connection #0
Sep 22 11:34:48: INFO: cURL error: Peer certificate cannot be authenticated 
with known CA certificates (60)

On the other hand, this works properly:

$ openssl s_client -connect foo.ourdomain.com:443 -showcerts -CAfile 
mozilla-root-certs.crt

And my understanding is that it does a strict verification test as well, and 
that outputs:

    Verify return code: 0 (ok)

The HTTPS server is sending the whole certificate chain, minus the root 
certificate, which to my understanding is correct.

So what is cURL doing differently from openssl's s_client? I've tried forcing 
different SSL versions as well, no soap.

-Josh
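An added example, not part of Josh's post or of curl/OpenSSL: it builds a constructed root -> intermediate -> leaf PKI (standing in for the Entrust -> DigiCert -> *.ourdomain.com hierarchy above) and a verify_chain helper that checks a served chain the way a client holding a root-only CA file does. The names Demo Root CA, Demo Intermediate CA and foo.example.test, and the WORK directory, are assumptions made up for the demo.

```sh
# Constructed three-tier demo PKI (root -> intermediate -> leaf) plus a chain
# check against a CA file. Needs only the openssl command-line tool.
set -eu
WORK="$(mktemp -d)"
q() { "$@" >/dev/null 2>&1; }   # run a command quietly

build_demo_pki() {
  cd "$WORK"
  # Minimal req config; the ca_ext section marks a certificate as a CA.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n' > ca.cnf
  printf '[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' >> ca.cnf
  # Self-signed root: the only certificate that belongs in the trust store.
  q openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA" -keyout root.key -out root.pem
  # Intermediate CA signed by the root, carrying the same CA extensions.
  q openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout int.key -out int.csr
  q openssl x509 -req -days 1 -in int.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.cnf -extensions ca_ext -out int.pem
  # Server (leaf) certificate signed by the intermediate.
  q openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=foo.example.test" -keyout leaf.key -out leaf.csr
  q openssl x509 -req -days 1 -in leaf.csr -CA int.pem -CAkey int.key \
    -CAcreateserial -out leaf.pem
  cat leaf.pem int.pem > served_chain.pem   # what a correct server sends: no root
}

# verify_chain CAFILE CHAINFILE: verify the first cert in CHAINFILE (the leaf)
# with the rest of the file as untrusted helpers and CAFILE as the trust store.
# Saved `s_client -showcerts` output works as CHAINFILE, since the PEM reader
# skips the text around the blocks. Prints "ok" or "fail: <first error line>".
verify_chain() {
  leaf="$(mktemp)"
  openssl x509 -in "$2" -out "$leaf" 2>/dev/null
  out="$(openssl verify -CAfile "$1" -untrusted "$2" "$leaf" 2>&1 || true)"
  rm -f "$leaf"
  case "$out" in
    *": OK") echo ok ;;
    *) echo "fail: $(printf '%s\n' "$out" | sed -n '/^error [0-9]/{p;q;}')" ;;
  esac
}

build_demo_pki
# Server sends leaf + intermediate, client trusts only the root: verifies.
echo "chain vs root:         $(verify_chain "$WORK/root.pem" "$WORK/served_chain.pem")"
# Server sends only the leaf: no path to the root can be built.
echo "leaf only vs root:     $(verify_chain "$WORK/root.pem" "$WORK/leaf.pem")"
# Trust store holds only the intermediate: OpenSSL still demands a self-signed
# anchor unless -partial_chain is given, so this fails as well.
echo "chain vs intermediate: $(verify_chain "$WORK/int.pem" "$WORK/served_chain.pem")"
```

To test a real server the same way, save the output of `openssl s_client -connect host:443 -showcerts` to a file and pass it as CHAINFILE together with the CA bundle curl is using.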