On 27-Nov-23 10:03, Luis Carlos Chalaca Figueira via curl-library wrote:
> Hello,
>
> While developing a crawler I realized that some websites that can be displayed by Chrome and Firefox would throw SSL errors on libcurl requests
>
> Exs:
> SSL connect error
> SSL routines::unsafe legacy renegotiation disabled
> SSL peer certificate or SSH remote key was not OK
>
> Therefore I had the idea of adding the certificates used by firefox to prevent that.
>
> I downloaded the cacert.pem file from https://curl.se/docs/caextract.html and added it to the ca store with the following commands:
>
> $ openssl x509 -in cacert-Mozzila.pem -out cacert-Mozzila.crt
> $ sudo cp cacert-Mozzila.crt /usr/local/share/ca-certificates
> $ sudo update-ca-certificates
>
> However those sites continue to throw those errors. What have I missed to be able to get the same responses as firefox?

Your openssl x509 command will only extract one certificate from the bundle. You don't need it. cacert.pem is a bundle of many.
Copy the downloaded cacert.pem to whatever location and/or name your distribution needs. Or symlink from there to your download location.
Note that this doesn't add the bundle to the system default; it replaces the system default. To add you need to merge the bundles, which is a bit more involved. In most cases, simply using the Mozilla bundle suffices.
As Daniel noted, legacy renegotiation has nothing to do with the ca store.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
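
The reply above notes that a PEM bundle holds many certificates and that adding one bundle to another means merging them. The sketch below is an added example, not code from this thread or from the curl project: it splits bundles into their certificate blocks and merges them without duplicates. The function names and the two sample bundles are assumptions; the sample blocks are constructed from arbitrary bytes and are not real certificates.

```python
import base64
import hashlib
import re

# Matches each certificate block; label text and "====" lines between
# blocks (as found in cacert.pem) fall outside the match and are ignored.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def split_bundle(pem_text):
    """Return the DER bytes of every certificate block in a PEM bundle."""
    ders = []
    for match in PEM_CERT.finditer(pem_text):
        b64 = "".join(match.group(1).split())
        ders.append(base64.b64decode(b64, validate=True))
    return ders

def to_pem(der):
    """Re-encode DER bytes as one PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    body = "\n".join(lines)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def merge_bundles(*bundles):
    """Concatenate bundles in order, keeping the first copy of each certificate."""
    seen = set()
    merged = []
    for text in bundles:
        for der in split_bundle(text):
            digest = hashlib.sha256(der).digest()  # identity = hash of the DER
            if digest not in seen:
                seen.add(digest)
                merged.append(der)
    return "".join(to_pem(der) for der in merged)

def _fake(label):
    # Constructed stand-in block: arbitrary bytes, NOT a real certificate.
    return to_pem(hashlib.sha512(label.encode()).digest() * 3)

# Constructed sample bundles (hypothetical contents); "root-B" is in both.
SYSTEM_BUNDLE = "# distro store\n" + _fake("root-A") + _fake("root-B")
MOZILLA_BUNDLE = ("Sample label\n============\n" + _fake("root-B")
                  + _fake("root-C") + _fake("root-D"))
MERGED = merge_bundles(SYSTEM_BUNDLE, MOZILLA_BUNDLE)

if __name__ == "__main__":
    for name, text in (("system", SYSTEM_BUNDLE), ("mozilla", MOZILLA_BUNDLE),
                       ("merged", MERGED)):
        print(name, len(split_bundle(text)), "certificates")
```

A merged file like this can be given to libcurl with CURLOPT_CAINFO, or to the curl tool with --cacert, without touching the system store.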
