Wind River Support Network


LIN7-8302 : WRL7 and IDP curl can't verify server certificate from staging HDC

Created: Jun 21, 2017    Updated: Sep 8, 2018
Resolved Date: Jul 23, 2017
Found In Version:
Fix Version:
Severity: Standard
Applicable for: Wind River Linux 7
Component/s: Userspace


On WRLinux 7/IDP, when using curl to verify server certificate from staging HDC (, the verification will fail. 

(Since HDC agent is using libcurl for file transfer, it will fail for the same reason. Using curl command is just an easy way to reproduce the issue though)

The following is the command and the output:

root@WR-LX-F620:~# curl -v -X GET
* Rebuilt URL to:
* Hostname was NOT found in DNS cache
*   Trying
* Connected to ( port 443 (#0)
* found 169 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here:

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.


The issue can be solved by:
- update gnutls (curl is built with gnutls by default) from 3.3.5 to 3.3.17 (same version as in WRLinux 8)
- update CA root certificate bundle in /etc/ssl/cert/ca-certificates.crt (it doesn't contains the root certificate that signed the server certificate from HDC)

Another way to fix this is to build curl with Openssl:
- change curl recipe to build it with ssl
  PACKAGECONFIG = "${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)} ssl zlib"

The second fix works for WRLinux 7, but IDP build will fail, since IDP disabled DES in openssl, but curl NTLM include des.h and the checking in des.h fails the compile.

Steps to Reproduce

On a WRLinux7/IDP system, issue the curl GET command on staging HDC, the server verification will fail as described in "Description" section.

Other Downloads

Live chat