
I am dealing with a baffling situation regarding cURL and its CApath and CAcert values, as cURL behaves differently for two users on the same system (SUSE 11 SLES).

For the first user, cURL fails, and its output shows CAfile is set, but CApath is not. For the second user, it is the opposite, and cURL works.

Neither user has a .curlrc file (unless it has a different name, I tried a find on ".curlrc"). Issuing "curl-config --ca" returns nothing for both users. "which curl" gives /usr/bin/curl for both users. I did not see any difference on .bashrc or .bash_profile between the users.

What may be the cause of such behavior?

EDIT: as I was ready to post my question, I noticed one cURL is using TLSv1, while the other, SSLv3. Maybe this is the cause of the problem? Even so, I do not see a reason for the different behavior.

First user:

> curl -v -L https://github.com/arq5x/lumpy-sv/archive/0.2.13.tar.gz -o lumpy-sv-0.2.13.tar.gz
*   Trying 192.30.253.113...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to github.com (192.30.253.113) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.0 (OUT), TLS handshake, Client hello (1):

[more output]

* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate

For the second user:

> curl -v -L https://github.com/arq5x/lumpy-sv/archive/0.2.13.tar.gz -o lumpy-sv-0.2.13.tar.gz
* About to connect() to github.com port 443 (#0)
*   Trying 192.30.253.113... connected
* Connected to github.com (192.30.253.113) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):

[more output, download successful]

1 Answer


The two runs differ in how CAfile and CApath are set. Maybe this is a result of each user's local environment or settings from curl's standpoint.

I noticed the question is four years old and this answer may be a bit too late. However, when I try the same command today on Ubuntu 21.04, the download is successful. The full output follows:

$ curl -v -L https://github.com/arq5x/lumpy-sv/archive/0.2.13.tar.gz -o lumpy-sv-0.2.13.tar.gz
210324_135906
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 140.82.114.4:443...
* Connected to github.com (140.82.114.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2379 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [78 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  start date: Mar 12 00:00:00 2021 GMT
*  expire date: Mar 23 23:59:59 2022 GMT
*  subjectAltName: host "github.com" matched cert's "github.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55e5ed06c4b0)
} [5 bytes data]
> GET /arq5x/lumpy-sv/archive/0.2.13.tar.gz HTTP/2
> Host: github.com
> user-agent: curl/7.74.0
> accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 302 
< server: GitHub.com
< date: Wed, 24 Mar 2021 17:59:06 GMT
< content-type: text/html; charset=utf-8
< vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With
< location: https://codeload.github.com/arq5x/lumpy-sv/tar.gz/0.2.13
< cache-control: max-age=0, private
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 0
< referrer-policy: no-referrer-when-downgrade
< expect-ct: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
< content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com online.visualstudio.com/api/v1/locations; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com secured-user-images.githubusercontent.com/ *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker-6832eced.js gist.github.com/socket-worker-6832eced.js
< content-length: 122
< x-github-request-id: 928E:7076:7319E:A5F86:605B7DEA
< 
* Ignoring the response-body
{ [122 bytes data]
100   122  100   122    0     0    446      0 --:--:-- --:--:-- --:--:--   448
* Connection #0 to host github.com left intact
* Issue another request to this URL: 'https://codeload.github.com/arq5x/lumpy-sv/tar.gz/0.2.13'
*   Trying 140.82.113.9:443...
* Connected to codeload.github.com (140.82.113.9) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2376 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [80 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
*  start date: Mar  4 00:00:00 2021 GMT
*  expire date: Mar  9 23:59:59 2022 GMT
*  subjectAltName: host "codeload.github.com" matched cert's "*.github.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55e5ed06c4b0)
} [5 bytes data]
> GET /arq5x/lumpy-sv/tar.gz/0.2.13 HTTP/2
> Host: codeload.github.com
> user-agent: curl/7.74.0
> accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 200 
< access-control-allow-origin: https://render.githubusercontent.com
< content-disposition: attachment; filename=lumpy-sv-0.2.13.tar.gz
< content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
< content-type: application/x-gzip
< etag: "20cc5ea746cf5762747447695b18c83a53d93ac9c617dbecf30c1f57774ce1fe"
< strict-transport-security: max-age=31536000
< vary: Authorization,Accept-Encoding
< x-content-type-options: nosniff
< x-frame-options: deny
< x-xss-protection: 1; mode=block
< date: Wed, 24 Mar 2021 17:59:06 GMT
< x-github-request-id: 8FE7:06F0:D805C:194103:605B7DEA
< 
{ [881 bytes data]
100 54.0M    0 54.0M    0     0  9896k      0 --:--:--  0:00:05 --:--:-- 11.0M
* Connection #1 to host codeload.github.com left intact
$ 

Note:

  • there are redirections
  • both CAfile and CApath are set

I hope this helps to resolve the issue, if still pertinent.
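Added example, not part of the question or the answer: a small POSIX shell script built around the transcripts both of them show. `summarize_transcript` reduces a `curl -v` transcript to the four fields that matter here (CAfile, CApath, the protocol in the Client hello, and the verify result), so the two users' runs, and the answer's observation that a modern curl sets both locations, can be compared line for line. `report_curl_env` prints, for whichever user runs it, the things that can make the same `/usr/bin/curl` resolve a different CA store: the libcurl/libssl actually loaded (`LD_LIBRARY_PATH`, `ldd`), the environment variables `CURL_CA_BUNDLE` (read by curl) and `SSL_CERT_FILE`/`SSL_CERT_DIR` (read by the OpenSSL it links), rc files, `curl-config --ca`, and whether the two stores named on the page are readable. Those variable names are real but are not mentioned on the page; the sample transcripts are constructed from the question's excerpts, with a "verify ok" line standing in for the elided successful output of the second user.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Two helpers:
#   summarize_transcript - reduce a `curl -v` transcript to CAfile, CApath,
#                          handshake protocol and verify result
#   report_curl_env      - print, for the current user, everything that can make
#                          the same /usr/bin/curl pick a different CA store
# Nothing here needs network access; run `--report` as each user and diff the output.

summarize_transcript() {
    # Reads the transcript from the file named in $1, or from stdin when no file is given.
    awk '
        /CAfile:/                     { sub(/.*CAfile: */, ""); cafile = $0 }
        /CApath:/                     { sub(/.*CApath: */, ""); capath = $0 }
        /TLS handshake, Client hello/ { sub(/^\* /, ""); split($0, a, /[ ,]/); proto = a[1] }
        /SSL certificate verify ok/   { ok = 1 }
        /^curl: \([0-9]+\)/           { err = $0 }
        END {
            printf "CAfile=%s CApath=%s proto=%s result=%s\n",
                   cafile, capath, proto, (err != "" ? err : (ok ? "verified" : "unknown"))
        }
    ' "$@"
}

report_curl_env() {
    printf 'user=%s\n' "$(id -un)"
    printf 'curl=%s\n' "$(command -v curl || echo 'not found')"
    printf 'version=%s\n' "$(curl --version 2>/dev/null | head -n 1)"
    # Same binary, different LD_LIBRARY_PATH => different libcurl/libssl => different defaults.
    printf 'LD_LIBRARY_PATH=%s\n' "${LD_LIBRARY_PATH:-<unset>}"
    if command -v ldd >/dev/null 2>&1 && command -v curl >/dev/null 2>&1; then
        ldd "$(command -v curl)" 2>/dev/null | grep -E 'libcurl|libssl|libgnutls|libnss' | sed 's/^/  /'
    fi
    # CURL_CA_BUNDLE is honoured by curl itself; SSL_CERT_FILE/SSL_CERT_DIR by OpenSSL.
    for v in CURL_CA_BUNDLE SSL_CERT_FILE SSL_CERT_DIR CURL_HOME HOME; do
        printf '%s=%s\n' "$v" "$(printenv "$v" || echo '<unset>')"
    done
    # curl reads $CURL_HOME/.curlrc when CURL_HOME is set, else $HOME/.curlrc.
    for rc in "$HOME/.curlrc" "${CURL_HOME:+$CURL_HOME/.curlrc}"; do
        [ -n "$rc" ] && [ -e "$rc" ] && printf 'rcfile=%s\n' "$rc"
    done
    printf 'curl-config --ca=%s\n' "$(curl-config --ca 2>/dev/null)"
    # The two stores the question's runs reported; one this user cannot read is as bad as none.
    ls -ld /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs 2>&1 | sed 's/^/  /'
}

# Constructed from the question's excerpts (not real captures): the lines the summary looks at.
sample_first_user() {
    cat <<'EOF'
* Connected to github.com (192.30.253.113) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
EOF
}

# The question elides the second user's successful output; the "verify ok" line stands in for it.
sample_second_user() {
    cat <<'EOF'
* Connected to github.com (192.30.253.113) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSL certificate verify ok.
EOF
}

case "${1:-}" in
    --report) report_curl_env ;;
    --demo)   sample_first_user  | summarize_transcript
              sample_second_user | summarize_transcript ;;
    *)        [ -z "${1:-}" ] || summarize_transcript "$@" ;;
esac
```

Run `sh curl_ca_diag.sh --report` as each of the two users and diff the results; `sh curl_ca_diag.sh transcript.txt` summarizes a saved `curl -v` run. The first thing worth comparing is the `ldd` and `LD_LIBRARY_PATH` lines: the two verbose formats in the question (`About to connect()` in one run, `Trying ... / Cipher selection:` in the other) are what different curl releases print, which is consistent with each user loading a different libcurl and therefore different built-in CA defaults. Whatever the cause turns out to be, the fix is to point the failing user at a CA store that user can read (`CURL_CA_BUNDLE`, `SSL_CERT_DIR`, or `--cacert`/`--capath`), not to disable verification.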
