I'm attempting to use https using cURL 7.21.1 with OpenSSL 1.0.0d, using OpenSSL's builtin capi engine for certificate authority checking, but it returns CURLE_SSL_CACERT (60) on curl_easy_perform().

#include <stdio.h>
#include <openssl/conf.h>
#include <openssl/engine.h>
#include <openssl/ssl.h>
#define CURL_NO_OLDIES
#define CURL_STATICLIB
#include <curl/curl.h>   // libcurl's public header lives under curl/

// Don't forget libeay32.lib, ssleay32.lib, curl.lib
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "wldap32.lib")
#pragma comment(lib, "crypt32.lib")

int main(int argc, char* argv[])
{
    OPENSSL_no_config();
    ENGINE_load_capi();
    // Same effect, despite ok = 1 both times:
    // ENGINE* capi = ENGINE_by_id("capi");
    // int ok = ENGINE_init(capi);
    // ok = ENGINE_register_complete(capi);

    CURLcode e = curl_global_init(CURL_GLOBAL_DEFAULT);
    if (e != CURLE_OK)
        return 1;
    CURL* curl = curl_easy_init();
    if (!curl)
        return 1;

    e = curl_easy_setopt(curl, CURLOPT_URL, "https://www.google.com/");
    e = curl_easy_perform(curl); // returns CURLE_SSL_CACERT
    if (e != CURLE_OK)
        fprintf(stderr, "curl_easy_perform: %s (%d)\n", curl_easy_strerror(e), (int)e);

    curl_easy_cleanup(curl);
    curl_global_cleanup();
    return e == CURLE_OK ? 0 : 1;
}

If I test "openssl s_client -connect www.google.com:443" with the following config:

openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
capi = capi_config

[capi_config]
engine_id = capi
init=1

based on http://www.mail-archive.com/openssl-users@openssl.org/msg62249.html, I receive:

verify error:num=20:unable to get local issuer certificate

The thing that is confusing me is that when I first wrote the actual program this is failing in, it had the same failure until I added ENGINE_load_capi(). I would like to avoid using a CA bundle, since the actual program may be running inside random corporate networks, and they might be using private CAs.

Simon Buchan
  • Are you doing this on a Windows platform? – this.josh May 24 '11 at 21:49
  • @this.josh: Yeah, I know I can't use CryptAPI on other platforms, but *nix based ones could use the platform ca-bundle.crt, right? I'll probably just end up bundling it anyway for reliability if nothing else. – Simon Buchan May 31 '11 at 04:42
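The asker's goal (trust the Windows certificate store on Windows, the platform bundle elsewhere, no shipped CA file) can be shown end to end with Python's ssl module. This is an added example, not code from the question or either answer: on Windows it enumerates the ROOT and CA system stores with ssl.enum_certificates, keeps only plain DER certificates that are trusted for server authentication, and loads them as trust anchors; on other platforms it falls back to the OS default bundle. The store names and the id-kp-serverAuth OID are real; the certificate entries used in the self-test are constructed placeholders.

```python
"""Build a peer-verifying TLS client context from the platform trust store.

Added example, not from the original post. On Windows the trust anchors
come from the ROOT and CA system stores (ssl.enum_certificates); elsewhere
from the platform default bundle. No CA file ships with the program.
"""
import ssl

# id-kp-serverAuth: a root restricted to other purposes (e.g. e-mail only)
# must not be used to anchor HTTPS connections.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
WINDOWS_STORES = ("ROOT", "CA")


def usable_for_server_auth(entry):
    """entry is a (cert_bytes, encoding, trust) tuple in the shape returned by
    ssl.enum_certificates: trust is True (all purposes) or a set of EKU OIDs."""
    _cert_bytes, encoding, trust = entry
    if encoding != "x509_asn":      # skip pkcs_7_asn blobs, keep plain DER certs
        return False
    return trust is True or SERVER_AUTH_OID in trust


def pem_bundle(entries):
    """Join the acceptable DER entries into one PEM string for cadata=."""
    return "".join(ssl.DER_cert_to_PEM_cert(e[0])
                   for e in entries if usable_for_server_auth(e))


def windows_store_entries(stores=WINDOWS_STORES):
    """Enumerate the Windows system stores; returns [] on other platforms,
    where ssl.enum_certificates does not exist."""
    if not hasattr(ssl, "enum_certificates"):
        return []
    entries = []
    for name in stores:
        entries.extend(ssl.enum_certificates(name))
    return entries


def make_verify_context(entries=None):
    """Context that requires a valid chain and checks the host name.
    `entries` (Windows store format) overrides the store lookup; an empty
    result falls back to the platform default trust (the CA bundle on *nix)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if entries is None:
        entries = windows_store_entries()
    bundle = pem_bundle(entries)
    if bundle:
        ctx.load_verify_locations(cadata=bundle)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


if __name__ == "__main__":
    import http.client
    conn = http.client.HTTPSConnection("www.google.com", context=make_verify_context())
    conn.request("HEAD", "/")
    print(conn.getresponse().status)
```

A private corporate CA that an administrator has pushed into the machine's ROOT store is picked up automatically, which is the behaviour the question is after; a root present in the store but trusted only for e-mail or code signing is deliberately left out. The filter is the part worth keeping if you port this to the libcurl/OpenSSL program above: whatever imports the store into an X509_STORE should apply the same encoding and purpose checks.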

2 Answers

Sounds like OpenSSL is having an issue finding the default certificate store? The following SO question resolved a similar error by specifying the CA file explicitly, but it sounds like you'd like to avoid that configuration.

OpenSSL unable to get local issuer certificate unless CAfile is explicitly specified

gdbelvin
  • I believe we did end up doing this, but yeah it still sucks. I will take a look at it to see what we did but we are not likely to touch it any time soon – Simon Buchan Jan 29 '14 at 20:14
Maybe you can try adding the following line in the file where you access the domain: curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);

L.Q