[haiku-development] Re: CA certificates, CURL and OpenSSL

Hi,

On 2010-02-07 at 14:59:26 [+0100], Colin Günther <coling@xxxxxx> wrote:
> Stephan Assmus schrieb:
> [snip]
> > configure: Configured to build curl/libcurl:
> >
> >   curl version:    7.19.7
> >   Host setup:      i586-pc-haiku
> >   Install prefix:  /boot/common
> >   Compiler:        gcc
> >   SSL support:     enabled (OpenSSL)
> >   SSH support:     no      (--with-libssh2)
> >   zlib support:    enabled
> >   krb4 support:    no      (--with-krb4*)
> >   GSSAPI support:  no      (--with-gssapi)
> >   SPNEGO support:  no      (--with-spnego)
> >   c-ares support:  no      (--enable-ares)
> >   ipv6 support:    no      (--enable-ipv6)
> >   IDN support:     no      (--with-libidn)
> >   Build libcurl:   Shared=yes, Static=yes
> >   Built-in manual: no      (--enable-manual)
> >   Verbose errors:  enabled (--disable-verbose)
> >   SSPI support:    no      (--enable-sspi)
> >   ca cert bundle:  no
> >   ca cert path:    no
> >   LDAP support:    no      (--enable-ldap / --with-ldap-lib / --with-lber-lib)
> >   LDAPS support:   no      (--enable-ldaps)
> >
> >
> > I am wondering whether the lines about "ca cert bundle" and "ca cert 
> > path" are perhaps the problem.
> 
> Blaming the missing ca cert bundle for causing the "Peer certificate 
> cannot be authenticated with known CA certificates" would make sense to 
> me. But after checking the certificate issued by www.googlemail.com it 
> turns out that it is verified by a corporation called Thawte Consulting 
> (Pty) Ltd. I used Firefox 3.5 on Ubuntu, which shows this little security 
> lock on the status bar when surfing on an https page, to retrieve this 
> information. By clicking on this lock an information window will pop up 
> giving you a bunch of information about the certificate in use. If I'm 
> recalling my IT security course correctly, every browser has a built-in 
> list of trusted root certificates. So I doubt those root certificates are 
> provided by the WebKit repository (at least I didn't find anything there) 
> or OpenSSL, as you have to verify that the root certificates are 
> trustworthy before including them in the browser. After reading the FAQ 
> on the OpenSSL website I came across this entry 
> http://www.openssl.org/support/faq.html#USER16 speaking about a) that 
> OpenSSL doesn't ship root certificates and b) how to extract root 
> certificates from the Mozilla repository.

Yes, it does, thanks a lot! I came to the same conclusion in parallel with 
some helpful hints from IRC. libcurl used to ship with an outdated 
certificate bundle, but recent versions don't do that anymore. They have a 
lot of useful information on this site:

<http://curl.haxx.se/docs/sslcerts.html>

Meanwhile, I have also discovered an option in the WebKit CURL network 
backend to ignore SSL errors. With that turned on, I could successfully log 
into googlemail and read/cleanup my mail. Logging into gmx.net also worked, 
but apparently the browser still has some bugs with regard to frames, 
since the main email list was missing... :-D

Best regards,
-Stephan
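An added check, not from the thread or from curl itself, for the situation the quoted configure summary shows: a POSIX shell function that reads such a summary and flags an SSL-enabled build with neither a CA bundle nor a CA path compiled in, the state in which libcurl cannot authenticate any peer. The function name and its output are this example's own; `--with-ca-bundle`, `--with-ca-path` and `CURL_CA_BUNDLE` are curl's real configure options and environment variable.

```shell
#!/bin/sh
# Added example, not from the thread: audit a curl "configure" summary for
# the condition quoted above, SSL enabled but neither a CA bundle nor a CA
# path compiled in. Such a libcurl can open TLS connections but cannot
# authenticate any peer, so every HTTPS request fails with "Peer certificate
# cannot be authenticated with known CA certificates" until a bundle is
# supplied. Function name and message wording are this example's own.

# Reads the configure summary on stdin and prints findings.
# Exit status: 0 = a CA source is compiled in, 1 = SSL without any CA source,
#              2 = SSL support disabled or not reported.
audit_curl_configure() {
    awk -F':' '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*SSL support:/    { ssl    = trim($2) }
        /^[ \t]*ca cert bundle:/ { bundle = trim($2) }
        /^[ \t]*ca cert path:/   { capath = trim($2) }
        END {
            if (ssl == "" || ssl ~ /^no/) { print "SSL support disabled: no TLS at all"; exit 2 }
            ok = 0
            if (bundle != "" && bundle != "no") { print "CA bundle compiled in: " bundle; ok = 1 }
            if (capath != "" && capath != "no") { print "CA path compiled in: " capath; ok = 1 }
            if (!ok) {
                print "FINDING: SSL enabled but no CA bundle or CA path compiled in."
                print "  Peers cannot be authenticated. Rebuild with --with-ca-bundle=FILE"
                print "  or --with-ca-path=DIR, or point CURL_CA_BUNDLE at a bundle at runtime."
                print "  Disabling verification is not a fix: it leaves every connection"
                print "  open to interception by anyone who can present a certificate."
                exit 1
            }
        }'
}

# Demo on the summary quoted in the post (only the lines the audit reads).
printf '%s\n' \
    '  SSL support:     enabled (OpenSSL)' \
    '  ca cert bundle:  no' \
    '  ca cert path:    no' \
    | audit_curl_configure || echo "audit exit status: $?"
```

Running the audit over the summary quoted in the post prints the finding and exits with status 1; a build reporting a bundle path exits 0.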
