On Tue, Feb 14, 2012, Timothy Kay wrote:
> We have been baffled for a long time that curl cannot access websites that
> work just fine in the browser (unless we use --insecure, of course). The
> curl documentation points you to http://curl.haxx.se/docs/sslcerts.html,
> which explains that your server has out of date certificates. It's not
> true! The problem is that the troublesome websites send a certificate
> chain that is out of order, and openssl fails to validate these chains,
> even though /etc/ssl/certs contains appropriate root certificates.
>
> $ curl -v https://catalog.cincinnatilibrary.org

[analysis snipped]
I've checked through your example. There is another piece to the puzzle here
though. The issuer and subject names are not the only parts of the certificate
used for chaining; additionally, the subject key identifier (SKID) and
authority key identifier (AKID) extensions are used too.

If we take a look at the CA certificate immediately below the root then we see
this information (see -text option to x509):

    X509v3 Authority Key Identifier:
        DirName:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
        serial:70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF

This is indicating the issuer name and serial number of the CA certificate
that signed it.

If we have a look at the certificate in /etc/ssl/certs with the appropriate
hash (415660c1.0) we see:

    Serial Number:
        3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be

which doesn't match the value above.

Now it has been commented (with some justification) that OpenSSL is unduly
picky about matching SKID/AKID, but MSIE is known to be equally strict, so
what is going on here?

I looked through the root CA store of MSIE and found *two* certificates with
that same issuer name. One is identical to the one in /etc/ssl/certs but there
is a second which matches that serial number.
Here it is:

-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
-----END CERTIFICATE-----

If you use this certificate with curl and the --cacert option or you add it to
the bundle in /etc/ssl/certs (and rehash) it should now work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
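To make the serial-number check in the message concrete, here is an added Python example (not part of the thread and not OpenSSL code) that decodes the certificate pasted above with a minimal hand-written DER walk, reads its serial number, and then applies the AKID rule (issuer name AND serial must match) to a store holding two roots with the same subject name. The second store entry, file 415660c1.0, is constructed from the serial quoted in the message rather than parsed, since the page does not carry that certificate's PEM; representing the hashed directory as a list of dicts is an assumption for illustration. Only the standard library is used.

```python
import base64
import re

# Certificate pasted in the message above (VeriSign Class 3 Public Primary CA).
VERISIGN_CLASS3_PEM = """-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
-----END CERTIFICATE-----"""

# AKID of the intermediate, as printed by `openssl x509 -text` in the message.
AKID_LINE = ("DirName:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary "
             "Certification Authority "
             "serial:70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF")

# Serial of 415660c1.0, the root already in /etc/ssl/certs (quoted above).
ETC_SSL_SERIAL = "3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be"


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the DER body."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def certificate_serial(der):
    """serialNumber from Certificate.tbsCertificate; copes with the optional
    [0] version element (absent in a v1 certificate like the one above)."""
    tag, tbs_pos, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    assert tag == 0x30
    tag, field_pos, _ = read_tlv(der, tbs_pos)  # tbsCertificate SEQUENCE
    assert tag == 0x30
    tag, start, end = read_tlv(der, field_pos)
    if tag == 0xA0:                             # [0] EXPLICIT version, optional
        tag, start, end = read_tlv(der, end)
    assert tag == 0x02                          # INTEGER serialNumber
    return int.from_bytes(der[start:end], "big", signed=True)


def serial_to_hex(n):
    """OpenSSL-style colon-separated lowercase hex."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return ":".join("%02x" % b for b in raw)


def parse_akid(line):
    """Split a 'DirName:... serial:...' AKID into (issuer name, serial int)."""
    m = re.search(r"DirName:(.*?)\s+serial:([0-9A-Fa-f:]+)", line)
    return m.group(1), int(m.group(2).replace(":", ""), 16)


def build_store():
    """Two roots sharing one subject name (assumed list-of-dicts store).
    The /etc/ssl/certs entry is constructed from its quoted serial only."""
    subject = "/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority"
    return [
        {"file": "415660c1.0", "subject": subject,
         "serial": int(ETC_SSL_SERIAL.replace(":", ""), 16)},
        {"file": "from-message.pem", "subject": subject,
         "serial": certificate_serial(pem_to_der(VERISIGN_CLASS3_PEM))},
    ]


def find_by_name(store, issuer_name):
    """Name-only lookup: what a naive chain builder would do."""
    return [c for c in store if c["subject"] == issuer_name]


def find_issuer(store, issuer_name, serial):
    """AKID rule: subject name AND serial must match; None if no such root."""
    for c in store:
        if c["subject"] == issuer_name and c["serial"] == serial:
            return c
    return None


if __name__ == "__main__":
    name, serial = parse_akid(AKID_LINE)
    store = build_store()
    print("candidates by name:", [c["file"] for c in find_by_name(store, name)])
    hit = find_issuer(store, name, serial)
    print("AKID match:", hit["file"] if hit else "none (store lacks that serial)")
    print("parsed serial:", serial_to_hex(store[1]["serial"]))
```

Run as a script it shows that name-only lookup returns both roots, while the AKID rule returns only the certificate from the message; drop that entry from the store and `find_issuer` returns None, which is the situation the original poster hit with only 415660c1.0 installed.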