[arin-tech-discuss] SSL error
Aaron Hughes
aaronh at bind.com
Thu Sep 15 13:35:50 EDT 2011
Actually looks like this is a recent curl problem. The default path for the ca-bundle is not being used. I had to re-compile with the specific path specified and that solved it.
./configure --enable-ipv6 --with-ssl=/usr/local/openssl-1.0.0e --with-ca-bundle=/usr/share/curl/curl-ca-bundle.crt
aaronh at trace.bind.com:/data/src/curl-7.22.0> curl -I https://www.arin.net
HTTP/1.1 200 OK
Date: Thu, 15 Sep 2011 17:34:56 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 14 Sep 2011 19:41:45 GMT
ETag: "dffb4-40bc-f33d1040"
Accept-Ranges: bytes
Content-Length: 16572
Connection: close
Content-Type: text/html; charset=UTF-8
Thanks all.
Cheers,
Aaron
On Thu, Sep 15, 2011 at 09:35:54AM -0700, Aaron Hughes wrote:
> On Wed, Sep 14, 2011 at 06:59:40PM +0000, Andy Newton wrote:
> >
> > Aaron, I have tried curl -I https://www.arin.net on my Mac, an up-to-date Ubuntu box, and an old installation of CentOS. They all worked.
> >
> > Are you getting an HTTP 400 error?
>
> Here is the verbose output.. Still not entirely sure why this is happening:
>
> aaronh at trace.bind.com:/tftpboot> curl -v -I https://www.arin.net
> * About to connect() to www.arin.net port 443 (#0)
> * Trying 2001:500:4:13::80... connected
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS alert, Server hello (2):
> * SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> * Closing connection #0
> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
>
>
> >
> > -andy
>
> --
>
> Aaron Hughes
> aaronh at bind.com
> +1-831-824-4161
> Key fingerprint = AD 67 37 60 7D 73 C5 B7 33 18 3F 36 C3 1C C6 B8
> http://www.bind.com/
> --
> arin-tech-discuss mailing list
> arin-tech-discuss at arin.net
> http://lists.arin.net/mailman/listinfo/arin-tech-discuss
--
Aaron Hughes
aaronh at bind.com
+1-831-824-4161
Key fingerprint = AD 67 37 60 7D 73 C5 B7 33 18 3F 36 C3 1C C6 B8
http://www.bind.com/
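
Added example, not part of the original message and not code from the curl project: a small shell check for the failure described above, where curl's compiled-in CA bundle path is missing or unusable, so the fix is a corrected bundle path rather than -k. The function names and the --check argument are assumptions made for this example; `curl-config --ca` prints the bundle path built into libcurl.

```shell
#!/bin/sh
# Added example: sanity-check the CA bundle file curl is expected to use.

# Print the CA bundle path compiled into libcurl (needs curl-config installed).
builtin_ca_path() {
    command -v curl-config >/dev/null 2>&1 || return 1
    curl-config --ca
}

# check_ca_bundle PATH
# Prints a verdict and returns: 0 ok, 1 missing, 2 unreadable, 3 no certificates.
check_ca_bundle() {
    bundle=$1
    if [ -z "$bundle" ] || [ ! -e "$bundle" ]; then
        echo "missing"
        return 1
    fi
    if [ ! -r "$bundle" ]; then
        echo "unreadable"
        return 2
    fi
    # grep -c exits non-zero when it counts 0 matches; keep the count anyway.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$count" -eq 0 ]; then
        echo "empty"
        return 3
    fi
    echo "ok:$count"
    return 0
}

# Stand-alone use: sh script.sh --check [PATH]
# With no PATH, the compiled-in path reported by curl-config is checked.
if [ "${1:-}" = "--check" ]; then
    path=${2:-$(builtin_ca_path)}
    echo "CA bundle: ${path:-<none compiled in>}"
    check_ca_bundle "$path"
fi
```

If the verdict is anything other than ok, pass a known-good bundle with --cacert or rebuild with --with-ca-bundle pointing at a file that exists, as in the message above.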