[haiku-development] Re: CA certificates, CURL and OpenSSL

  • From: Colin Günther <coling@xxxxxx>
  • To: haiku-development@xxxxxxxxxxxxx
  • Date: Sun, 07 Feb 2010 14:59:26 +0100

Hi,

Stephan Assmus wrote:
[snip]
configure: Configured to build curl/libcurl:

  curl version:    7.19.7
  Host setup:      i586-pc-haiku
  Install prefix:  /boot/common
  Compiler:        gcc
  SSL support:     enabled (OpenSSL)
  SSH support:     no      (--with-libssh2)
  zlib support:    enabled
  krb4 support:    no      (--with-krb4*)
  GSSAPI support:  no      (--with-gssapi)
  SPNEGO support:  no      (--with-spnego)
  c-ares support:  no      (--enable-ares)
  ipv6 support:    no      (--enable-ipv6)
  IDN support:     no      (--with-libidn)
  Build libcurl:   Shared=yes, Static=yes
  Built-in manual: no      (--enable-manual)
  Verbose errors:  enabled (--disable-verbose)
  SSPI support:    no      (--enable-sspi)
  ca cert bundle:  no
  ca cert path:    no
  LDAP support:    no      (--enable-ldap / --with-ldap-lib / --with-lber-lib)
  LDAPS support:   no      (--enable-ldaps)


I am wondering whether the lines about "ca cert bundle" and "ca cert path" are perhaps the problem.

Best regards,
-Stephan



Blaming the missing ca cert bundle for causing the "Peer certificate cannot be authenticated with known CA certificates" would make sense to me. But after checking the certificate issued by www.googlemail.com it turns out that it is verified by a corporation called Thawte Consulting (Pty) Ltd. To retrieve this information I used Firefox 3.5 on Ubuntu, which shows a little security lock on the status bar when surfing on an HTTPS page. Clicking on this lock pops up an information window giving you a bunch of information about the certificate in use. If I'm recalling my IT security course correctly, every browser has a built-in list of trusted root certificates. So I doubt those root certificates are provided by the webkit repository (at least I didn't find anything there) or openssl, as you have to verify that the root certificates are trustworthy before including them in the browser. After reading the FAQ on the openssl website I came across this entry http://www.openssl.org/support/faq.html#USER16 speaking about a) that openssl doesn't ship root certificates and b) how to extract root certificates from the mozilla repository.


Hope this helps a bit.
-Colin
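
The two points raised in this message, checked in code: an added example, not part of either poster's mail and not Haiku or curl project code. It assumes a Python interpreter linked against OpenSSL; the function names and the sample summary are constructed for illustration.

```python
import os
import re
import ssl

# Constructed sample: the relevant lines of a curl configure summary.
SAMPLE_SUMMARY = """\
  SSL support:     enabled (OpenSSL)
  ca cert bundle:  no
  ca cert path:    no
"""

def parse_summary(text):
    """Return {key: value} for the 'key: value' lines of a configure summary."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s+(\S.*)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def curl_has_default_trust(fields):
    """True if the build has TLS and a compiled-in CA bundle or CA path."""
    tls = fields.get("ssl support", "no").startswith("enabled")
    roots = [fields.get(k, "no") for k in ("ca cert bundle", "ca cert path")]
    return tls and any(v != "no" for v in roots)

def openssl_default_locations():
    """Where this OpenSSL build looks for roots, and whether they exist."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": (p.openssl_cafile, os.path.isfile(p.openssl_cafile)),
        "capath": (p.openssl_capath, os.path.isdir(p.openssl_capath)),
    }

def loaded_root_count(cafile=None):
    """Number of CA certificates in a verifying client context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies peers, starts empty
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx.cert_store_stats()["x509_ca"]

if __name__ == "__main__":
    fields = parse_summary(SAMPLE_SUMMARY)
    print("curl default trust:", curl_has_default_trust(fields))
    for kind, (path, present) in openssl_default_locations().items():
        print(kind, path, "present" if present else "missing")
    print("roots in an empty context:", loaded_root_count())
```

A verifying context with zero roots rejects every peer certificate, whichever CA issued it; passing a PEM bundle to `loaded_root_count()` shows how many roots that file would contribute.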
