> From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of
> Viktor Dukhovni
> Sent: Wednesday, 26 April, 2023 13:51
>
> On Wed, Apr 26, 2023 at 07:34:10PM +0000, Michael Wojcik via openssl-users wrote:
>
> > > My question: if curl is working fine, can I conclude my Apache
> > > configuration and my certificates are fine?
> >
> > If you didn't build curl yourself, there's no easy way to know what
> > options were used when compiling it; but I believe by default it does
> > not attempt to validate the peer's certificate chain. You have to use
> > options such as --cacert or --capath to do basic validation, --crlfile
> > to check against a CRL, --cert-status to check OCSP stapling if the
> > peer provides it, and so on.
>
> This is not accurate. Curl will do WebPKI certificate verification by default, and
> fail hard when the certificate does not match. To get unvalidated "https"
> connections, the "-k" option is required to opt out of validation.

Sorry, my mistake. I see now from the curl documentation that it has a collection of trust anchors it ships with. Since the OP is either using a private CA or self-signed entity certificates (it's not clear from the original message), curl's stock set of trust anchors obviously shouldn't work for verifying their server. But the OP didn't provide a curl command line so it's not clear what tests were performed.

-- 
Michael Wojcik
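The three curl behaviours discussed in this exchange, reproduced as an added shell example that is not part of the thread or of curl's or OpenSSL's own documentation: it builds a constructed private CA and a server certificate, serves it with openssl s_server on an assumed port 18443, and reports curl's exit status with its stock trust anchors, with --cacert pointing at the private CA, and with -k. It assumes openssl and curl are on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): run curl against a server whose cert is
# issued by a constructed, throwaway private CA. Assumes openssl and curl are
# on PATH; port 18443 is an arbitrary choice.
set -u
PORT=18443
WORK=$(mktemp -d)
# Make a private CA, issue a server cert for 127.0.0.1 (curl matches the host
# against the SAN), and start openssl s_server serving its status page over TLS.
setup_private_ca_and_server() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\n' > "$WORK/san.cnf"
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -extfile "$WORK/san.cnf" -out "$WORK/srv.pem" 2>/dev/null
    openssl s_server -accept "$PORT" -cert "$WORK/srv.pem" \
        -key "$WORK/srv.key" -www -quiet >/dev/null 2>&1 &
    SERVER_PID=$!
    # Wait for the listener; verification is skipped only for this probe.
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        curl -sk -o /dev/null "https://127.0.0.1:$PORT/" && return 0
        sleep 1
    done
    return 1
}
# Fetch the page with the given extra curl options and print curl's exit code:
# 0 = chain accepted (or checks disabled by -k); non-zero (60 for an untrusted
# issuer) = curl refused the peer certificate.
curl_exit_code() {
    rc=0
    curl -s -o /dev/null "$@" "https://127.0.0.1:$PORT/" || rc=$?
    echo "$rc"
}
teardown() {
    kill "${SERVER_PID:-}" 2>/dev/null || true
    rm -rf "$WORK"
}
# Walk through the three cases discussed in the thread.
demo() {
    setup_private_ca_and_server || { teardown; return 1; }
    echo "stock trust anchors:  exit $(curl_exit_code)"
    echo "--cacert private CA:  exit $(curl_exit_code --cacert "$WORK/ca.pem")"
    echo "-k (no verification): exit $(curl_exit_code -k)"
    teardown
}
```

Calling `demo` runs all three cases; only the --cacert case shows that both the server configuration and the chain are acceptable to a verifying client.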