Date: Wed, 14 Dec 2016 00:38:55 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-ports-bugs@FreeBSD.org Subject: [Bug 215291] ftp/curl unable to verify SSL certificates with LibreSSL. Message-ID: <bug-215291-13@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D215291 Bug ID: 215291 Summary: ftp/curl unable to verify SSL certificates with LibreSSL. Product: Ports & Packages Version: Latest Hardware: amd64 OS: Any Status: New Severity: Affects Some People Priority: --- Component: Individual Port(s) Assignee: sunpoet@FreeBSD.org Reporter: peter.kien@fastmail.co.uk Flags: maintainer-feedback?(sunpoet@FreeBSD.org) Assignee: sunpoet@FreeBSD.org When compiled against LibreSSL (i.e. put "DEFAULT_VERSIONS+=3Dssl=3Dlibress= l" in /etc/make.conf), curl fails like so: -------------------------------------------------------------------------- % curl -v "https://google.com" * Rebuilt URL to: https://google.com/ * Trying 172.217.17.46... * TCP_NODELAY set * Connected to google.com (172.217.17.46) port 443 (#0) * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STREN= GTH * successfully set certificate verify locations: * CAfile: /usr/local/share/certs/ca-root-nss.crt CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (OUT), TLS alert, Server hello (2): * SSL certificate problem: unable to get local issuer certificate * Curl_http_done: called premature =3D=3D 1 * Closing connection 0 curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. -------------------------------------------------------------------------- --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-215291-13>