Fix for Octave urlread causing Peer certificate ca

Published 2019-06-27 05:55

Question:

Question

What is the fix (not a workaround) for Octave urlread (supposing libcurl is bundled with Octave) causing "Peer certificate cannot be authenticated with given CA certificates"?

Having read "pkg install from forge in windows", it looks like the Octave maintainer is aware of the issue with Octave 4.0, but it seems no fix is available.

Issue

It looks like urlread in Octave on Windows does not work for HTTPS because the server certificate of sites such as https://octave.sourceforge.io cannot be authenticated with the trusted certificates which urlread (which seems to call curl) refers to.

For example, share\octave\4.2.0\m\pkg\private\get_forge_pkg.m line 64 is causing the issue when trying to run pkg install -forge to install packages.

## Try get the list of all packages.
[html, succ] = urlread ("http://packages.octave.org/list_packages.php");    
if (! succ)
  error ("get_forge_pkg: could not read URL, please verify internet connection");
endif

Running urlread from the command window shows the error below.

>> [html, status, msg] = urlread ("http://packages.octave.org/list_packages.php");
>> msg
msg = Peer certificate cannot be authenticated with given CA certificates

Tried google.com over HTTPS and got the same.

>> [html, status, msg] = urlread ("https://google.com");
>> msg
msg = Peer certificate cannot be authenticated with given CA certificates

IE and Google Chrome root certificates can verify the sourceforge certificate.

Tried system as below.

#[html, succ] = urlread ("http://packages.octave.org/list_packages.php");
sURLLink="https://octave.sourceforge.io/list_packages.php"
command=['curl --insecure ','"',sURLLink,'"'];
[succ, html] = system(command)
#if (! succ)
if (succ != 0)
  error ("get_forge_pkg: could not read URL, please verify internet connection");
endif

However it caused another error.

>> pkg install -forge symbolic
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   559  100   559    0     0    389      0  0:00:01  0:00:01 --:--:--   393
sURLLink = https://octave.sourceforge.io/list_packages.php
succ = 0
html = bim
bsltl
cgi
....

error: get_forge_pkg: package NAME exists, but index page not available
error: called from
    get_forge_pkg at line 74 column 7
    get_forge_download at line 26 column 12
    pkg at line 382 column 29

Related information

  • pkg install from forge in windows
  • urlread(), urlwrite() don't work for https pages in Octave for Windows
  • windows libcurl - peer certificate cannot be authenticated with given ca certificates
  • Getting error in Curl - Peer certificate cannot be authenticated with known CA certificates
  • SSL CA Certificates - LibCurl C Language (Linux)

Environment

  1. octave-4.2.0-w64 on Windows 7 Enterprise 64 bit Version 6.1.7601 Service Pack 1 Build 7601
  2. Octave 4.0.3 on Windows 10 Pro 64 bit Version 10.0.14393 Build 14393

Answer 1:

  1. You get the "Peer certificate cannot be authenticated" error because your CA store doesn't contain the necessary CA cert. You can get an updated bundle from here.
  2. The reason your attempt to use the curl command line tool doesn't work is that you didn't use the -L, --location option to tell curl to follow redirects, so you just got the 303 response that http://packages.octave.org/list_packages.php returns. If you use -L, you'll see that it redirects you twice over to an HTTPS:// URL - only to have you be forced to fix case (1) anyway.
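
Both points of the answer combined, as an added example that is not part of the original answer or of Octave's pkg code: the system call from the question with --insecure replaced by certificate verification against an updated bundle, and with redirects followed. The function name fetch_verified and the bundle path are hypothetical; it assumes the curl command line tool is on PATH.

```octave
1;  # script file marker so the function below can be defined inline

## Hypothetical helper: fetch a URL with curl while keeping TLS verification on.
function body = fetch_verified (url, ca_bundle)
  ## Accept only http(s) URLs built from characters that cannot escape the
  ## double-quoted argument passed to the shell (no quotes, $, %, backticks).
  if (isempty (regexp (url, '^https?://[A-Za-z0-9._~:/?=&+-]+$', 'once')))
    error ("fetch_verified: refusing URL '%s'", url);
  endif
  ## The bundle must be an existing regular file with a quote-free path.
  if (any (ca_bundle == '"') || exist (ca_bundle, "file") != 2)
    error ("fetch_verified: CA bundle not usable: %s", ca_bundle);
  endif
  ## --location   follows the 303 redirects instead of returning them
  ## --cacert     verifies every HTTPS hop against the updated bundle
  ## --fail       turns HTTP error statuses into a non-zero exit code
  ## --silent --show-error  drops the progress meter but keeps error text
  cmd = sprintf ('curl --silent --show-error --fail --location --cacert "%s" "%s" 2>&1', ...
                 ca_bundle, url);
  [status, body] = system (cmd);
  if (status != 0)
    ## On failure body holds curl's own message, e.g. the certificate error.
    error ("fetch_verified: curl exited with %d: %s", status, strtrim (body));
  endif
endfunction

## Placeholder path: wherever the updated CA bundle was saved.
ca_bundle = 'C:\path\to\cacert.pem';
html = fetch_verified ("http://packages.octave.org/list_packages.php", ca_bundle);
```

If the certificate error still appears with this call, the bundle itself lacks the issuing CA, which is case (1) of the answer.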