Root certificate verification curl code example bug


#1

I’m trying to follow the SSL certificate verification process outlined at https://dev.twitter.com/docs/security/using-ssl. The curl command example is curl -3 -capath file --ssl https://api.twitter.com. I believe the curl option for capath needs to be --capath to work, with the additional hyphen, otherwise curl thinks the file path is an additional url and adds a curl: (3) malformed message to the top of the subsequent html response from the api.twitter.com call (it can look like the certificate is verified if you aren’t looking closely). Also, the documentation mentions cafile as an alternative to capath. That is probably supposed to be cacert, as I don’t think cafile is an option.

Even with that corrected, I’m not getting an SSL verification failure error even if I point the --capath at a self-signed certificate. I’m on OSX 10.8 – does curl automatically look in other paths for common certificates if I’m setting capath? If it were actually evaluating just that path, I wouldn’t expect the SSL certificate verify ok. message and the html content that I’m seeing. I’m using curl 7.24.0. Thanks!


#2

Also, I think you need http.use_ssl = true in the ruby example somewhere before the request, otherwise I got an error that looked like this (with ruby 1.9.3):
ruby-1.9.3-p362/lib/ruby/1.9.1/net/protocol.rb:141:in `read_nonblock': Connection reset by peer (Errno::ECONNRESET)

I’m also seeing the same issue here where I receive #<Net::HTTPOK:0x007fae73958520> no matter what value I put in RootCA.


#3

So the second half of the posts above (the “verification never fails” issue) seems to be related to the way Apple patches OpenSSL (http://opensource.apple.com/source/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_vfy_apple.c), which defaults back to system roots if local certificates fail. I’m not sure there is a straightforward way on OSX to verify against the “minimum number of root certificates” as the documentation suggests, but if someone knows one I’d love to hear about it.
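An added Ruby example (not from this thread or Twitter's documentation) tying the two points above together: it builds a constructed root CA and leaf certificate in memory, checks that an OpenSSL::X509::Store holding only that root rejects a leaf from any other issuer, and shows the Net::HTTP settings (use_ssl, VERIFY_PEER, cert_store) that pin a request to that single root. The host name and certificate names are made up; it assumes a stock OpenSSL, since on Apple's patched build described above the system-root fallback may still apply.

```ruby
require 'openssl'
require 'net/http'
# Constructed for this example: issue a certificate. With no issuer given the
# certificate is a self-signed CA; otherwise it is a leaf signed by that CA.
def issue_cert(cn, issuer: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = issuer ? 2 : 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless issuer
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# True only if leaf_cert chains to root_cert. The store starts empty and never
# calls set_default_paths, so the system trust store plays no part here.
def trusted_by?(root_cert, leaf_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(root_cert)
  store.verify(leaf_cert)
end

# Net::HTTP configured the same way: use_ssl, VERIFY_PEER, and a cert_store
# holding just the pinned root instead of the system roots.
def pinned_http(host, root_cert)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  store = OpenSSL::X509::Store.new
  store.add_cert(root_cert)
  http.cert_store = store
  http
end

if __FILE__ == $0
  root, root_key = issue_cert('Example Root CA')
  other, _other_key = issue_cert('Some Other CA')
  leaf, _leaf_key = issue_cert('api.example.test', issuer: root, issuer_key: root_key)
  puts trusted_by?(root, leaf)   # true
  puts trusted_by?(other, leaf)  # false
end
```

If the second check ever prints true, the OpenSSL build in use is consulting more than the certificates you handed it, which is the symptom the posts above describe.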