On 11/6/2017 3:14 PM, Thomas Blom wrote:
>
> On 11/6/2017 10:38 AM, Thomas Blom via curl-library wrote:
>> Using curl 7.56.0, built against openssl-1.0.2l, I am using
>> curl_easy_perform() to post to a server and receive results into
>> a file using the CURLOPT_WRITEDATA and an open file handle.
>>
>> This worked fine under both OSX and Windows using an http url,
>> but when I use https, having installed certificates on the
>> aws-linux server, I find that while OSX still works fine, windows
>> (v10) now fails with error 60, "Peer certificate cannot be
>> authenticated with given CA certificates".
>>
>> The certs are cheap ones - PositiveSSL via Comodo.
>>
>> Reading https://curl.haxx.se/docs/sslcerts.html, I think I understand
>> that this depends on the CA "store" being used on the OS, so my
>> guess was that OSX is trusting PositiveSSL, but Windows is not.
>> But, I find that if I navigate to this site with MS Edge, which
>> presumably uses the same OS CA-store, it is fine with the https
>> site, using those same certs.
>>
>> I see in the doc referenced that I can defeat the peer validation
>> with curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE), but
>> I'd prefer a better solution, which may be just buying better
>> certs? This is software that is to be distributed and used by
>> lots of folks, so it's not an option to just update the CA store
>> on my windows machine so that this cert is trusted.
>
> On Mon, Nov 6, 2017 at 1:02 PM, Ray Satiro via curl-library
> <curl-library@cool.haxx.se> wrote:
>
> Disabling ssl verification for software in production is of very
> limited use and usually wrong. In most cases you will want your
> https transfers protected and authenticated. Check that your
> computer's date and time is correct and that your certificate is
> not expired. Since it is working in Edge those things are probably ok.
>
> MS Edge is using the native certificate store because it's using
> the native Schannel SSL (what we also call WinSSL). curl w/
> OpenSSL in Windows does not do that, instead you have to supply
> the SSL certificates. There is not enough information in your
> report to tell whether you are supplying them. You can download a
> standard certificate bundle [1] and rename it from cacert.pem to
> curl-ca-bundle.crt and put it in the same directory as your
> curl.exe. For libcurl you will need to set CURLOPT_CACERT [2] with
> the location. Over time those certificates change and may need to
> be updated. You could avoid all this by building curl to use
> WinSSL instead, and then it will use the built-in certificates
> that are updated automatically by Microsoft.
>
> My last guess as to what's happening if those things don't fit is
> your server is not configured properly to send all the required
> intermediate certificates. That is an error I've seen a few times
> and often missed in testing. The reason is some clients will cache
> intermediate certificates received from a server and then use
> those certificates when they are missing from other servers.
> Firefox (NSS) and Windows (SChannel) do that. So someone will test
> in Firefox and think well their website works but actually Firefox
> (or NSS I guess) is being helpful and just filling in the blanks.
> And it may or may not work in some other Firefox depending on
> whether the intermediate has been cached. As far as I know,
> OpenSSL will not cache intermediates received from a server and
> that is perfectly acceptable since it is your server's
> responsibility to include those intermediates. Check that your
> server is sending all the required intermediates.
>
> If you still need help please reply with more information,
> preferably your curl_version() and some way we can use to
> reproduce. (Keep in mind this is a public mailing list so please
> don't post anything sensitive.)
>
> [1]: https://curl.haxx.se/docs/caextract.html
> [2]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
>
>
> I am *not* manually supplying the SSL certificates to libcurl
> (v7.56.0, using OpenSSL/1.0.2l), so this is likely the issue, but I
> was confused because on OSX the same code works fine -- that is, on
> OSX, the keychain/system-store is used, and it seems reasonable to
> assume that a default/system-store would be used on Windows as well.
>
> I understand that libcurl built using Schannel/WinSSL will do this - I
> wonder why the same default bundle is not used for OpenSSL, or how I
> can discover what this path is so that I can manually tell libcurl to
> use it even if I prefer to use OpenSSL?
>
> Since I write software that is cross-platform (OSX+Windows), I
> typically prefer to use the same libraries/source wherever possible,
> so that behavior can be expected to be as nearly identical as
> possible, and there are fewer total libraries to be concerned with.
> Thus the decision to build libcurl using OpenSSL on both platforms.
OpenSSL has a CAPI engine that uses Windows native crypto but it doesn't appear that feature was ever added [1] [2].

[1]: http://openssl.6102.n7.nabble.com/Using-Windows-certificate-store-through-OpenSSL-td46788.html
[2]: https://rt.openssl.org/Ticket/Display.html?id=2158