https://bugzilla.novell.com/show_bug.cgi?id=334690 User tom.horsley@att.net added comment https://bugzilla.novell.com/show_bug.cgi?id=334690#c5 Thomas Horsley <tom.horsley@att.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |REOPENED Info Provider|tom.horsley@att.net | --- Comment #5 from Thomas Horsley <tom.horsley@att.net> 2008-06-30 10:07:32 MDT --- Here's the curl -v osu11d0-i:~ # curl -v https://redhawk.ccur.com > /dev/null * About to connect() to redhawk.ccur.com port 443 (#0) * Trying 129.134.60.39... connected * Connected to redhawk.ccur.com (129.134.60.39) port 443 (#0) * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs/ * SSLv3, TLS handshake, Client hello (1): } [data not shown] * SSLv3, TLS handshake, Server hello (2): { [data not shown] * SSLv3, TLS handshake, CERT (11): { [data not shown] * SSLv3, TLS alert, Server hello (2): } [data not shown] * SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify faile d * Closing connection #0 curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify faile d More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. Here's the strace of the attemp to open a cert dir in zypper: osu11d0-i:~ # fgrep cert zypp.trace stat64("/etc/ssl/certs//3c58f906.0", 0xbf8fea8c) = -1 ENOENT (No such file or directory) stat64("/etc/ssl/certs//3c58f906.0", 0xbf8fe4ac) = -1 ENOENT (No such file or directory) And here's the cert exported when I was looking at the same site in firefox: -----BEGIN CERTIFICATE----- MIIFczCCBFugAwIBAgIRAOis1pjbQ+yAGUvIts2zLeAwDQYJKoZIhvcNAQEFBQAw gZcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2FsdCBMYWtl IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMY aHR0cDovL3d3dy51c2VydHJ1c3QuY29tMR8wHQYDVQQDExZVVE4tVVNFUkZpcnN0 LUhhcmR3YXJlMB4XDTA4MDIyMDAwMDAwMFoXDTEwMDMwNjIzNTk1OVowge8xCzAJ BgNVBAYTAlVTMQ4wDAYDVQQREwUzMzA2OTEQMA4GA1UECBMHRmxvcmlkYTEWMBQG A1UEBxMNUG9tcGFubyBCZWFjaDEaMBgGA1UECRMRUG9tcGFubyBCZWFjaCwgRkwx GzAZBgNVBAkTEjI4ODEgR2F0ZXdheSBEcml2ZTEoMCYGA1UEChMfQ29uY3VycmVu dCBDb21wdXRlciBDb3Jwb3JhdGlvbjEMMAoGA1UECxMDTUlTMRowGAYDVQQLExFD b21vZG8gSW5zdGFudFNTTDEZMBcGA1UEAxMQcmVkaGF3ay5jY3VyLmNvbTCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzoozh+GQ7WkUWw+MWAzfOrD5ZfglM3zp A/oul8anxFUuntaAEQLtZsvrPAJQW/P1OUwGUG2V6j66UuQLS0lCKdutblVASAmF qHO71NtLvBgZeQyH9A41/PJL/4z+1sRZr1wJLtRcK6AHzNx83qe+U6XWfAhWxVx/ c7yDgqKjWtUCAwEAAaOCAeIwggHeMB8GA1UdIwQYMBaAFKFyXyYbKJhDlV0HN9WF lp1L0sNFMB0GA1UdDgQWBBQ36vPr6Y15JS4GoNxvl8jO/LNNHTAOBgNVHQ8BAf8E BAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH AwIwEQYJYIZIAYb4QgEBBAQDAgbAMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQME MCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5uZXQvQ1BTMHsG A1UdHwR0MHIwOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL1VUTi1VU0VS Rmlyc3QtSGFyZHdhcmUuY3JsMDagNKAyhjBodHRwOi8vY3JsLmNvbW9kby5uZXQv VVROLVVTRVJGaXJzdC1IYXJkd2FyZS5jcmwwgYYGCCsGAQUFBwEBBHoweDA7Bggr BgEFBQcwAoYvaHR0cDovL2NydC5jb21vZG9jYS5jb20vVVROQWRkVHJ1c3RTZXJ2 ZXJDQS5jcnQwOQYIKwYBBQUHMAKGLWh0dHA6Ly9jcnQuY29tb2RvLm5ldC9VVE5B ZGRUcnVzdFNlcnZlckNBLmNydDANBgkqhkiG9w0BAQUFAAOCAQEAEgxVrDfJjTFU fOB8eh8bmbqTF3ngKxyzQvSrcj7yyIw8GepZnkZRb8LVFvIK6BfMgT095F78v7Xd dA06mTO8L37FhXjSnxiU340VkHFdytLXALuVl7siznB5sS+ghnDnR3rLI+ZZhTQK 4UaHfiu0iUkdmXSGuoVeXMPYuG+o8g78uefAG3YMAoHU8qUrfwInDh2Xr2WIqnvu RZbJ00aUaHf4tZE9KNtAD/OMP0EfHkhYSpfEfpqunJp+/v2IS8WP3mUWQ3JBionO KT8/LJT2TFnI3BnLC8sqt7qYKmwOeSujrjgT7ETI8qWL/hwYQNljpJWPEiQwP6lg K6mKm9z3bg== -----END CERTIFICATE----- That's all I can think of to add :-). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.