I'm trying to use curl with custom CAs only, but it seems the server certificate gets verified against system CAs too.

Steps to reproduce:

air:~ dima$ mkdir empty
air:~ dima$ curl http://www.startssl.com/certs/ca.pem > ca.pem # unrelated global ca
air:~ dima$ curl --capath ./empty/ --cacert ca.pem -v https://www.google.com
* About to connect() to www.google.com port 443 (#0)
*   Trying 74.125.143.103...
* connected
* Connected to www.google.com (74.125.143.103) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: ca.pem
  CApath: ./empty/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
*   subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
*   start date: 2013-03-27 13:28:22 GMT
*   expire date: 2013-12-31 15:58:50 GMT
*   subjectAltName: www.google.com matched
*   issuer: C=US; O=Google Inc; CN=Google Internet Authority
*   SSL certificate verify ok.
------------------------^^^^^^^^^ how come? google is not signed by startcom...

The connection works after that; I get some http response.

I'm running the curl shipped with OS X, it's a bit old:

air:~ dima$ curl --version
curl 7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz

I don't have the same problem on linux with newer versions, namely curl 7.29.0 and openssl 1.0.1e.

I could find only a few mentions of certificates in the curl changelog, and it seems they don't apply here, thus the question -- is this a curl bug that was silently fixed, an openssl bug, or an operating-system-specific issue?

cheers,
dima

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html