I’m trying to follow the SSL certificate verification process outlined at https://dev.twitter.com/docs/security/using-ssl. The curl command example is curl -3 -capath file --ssl https://api.twitter.com. I believe the curl option for capath needs to be –capath to work, with the additional hyphen, otherwise curl thinks the file path is an additional url and adds a curl: (3) malformed message to the top of the subsequent html response from the api.twitter.com call (it can look like the certificate is verified if you aren’t looking closely). Also, the documentation mentions cafile as an alternative to capath. That is probably supposed to be cacert, as I don’t think cafile is an option.
Even with that corrected, I’m not getting an SSL verification failure error even if I point the --capath at a self-signed certificate. I’m on OSX 10.8 – does curl automatically look in other paths for common certificates if I’m setting capath? If it were actually evaluating just that path, I wouldn’t expect the SSL certificate verify ok. message and the html content that I’m seeing. I’m using curl 7.24.0. Thanks!
