I did this
curl v8.0.1 successfully talks IMAP with a server:
curl imaps://0@imap.gmx.net (omitting credentials here)
curl: (67) Login denied (but login succeeds with credentials)
curl v8.20.0 produces an error for the exact same command:
curl imaps://0@imap.gmx.net
curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
This makes no sense:
Curl produces an error.
--> And the error says, look at this URL.
--> And the URL describes a fallback chain, which, if followed, would not produce said error in the first place.
I expected the following
I expect curl to do what the manual claims, namely use the following very useful fallback chain:
If you are using the curl command line tool on Windows, curl searches for a CA cert file named curl-ca-bundle.crt in these directories and in this order:
- application's directory
- current working directory
- Windows System directory (e.g. C:\Windows\System32)
- Windows Directory (e.g. C:\Windows)
- all directories along %PATH%
- According to this fallback chain, the certificate error above should not occur, since "application's directory" already is the n°1 lookup-priority !
- Likewise, the
--cacert curl-ca-bundle.crt workaround should neither be needed nor work, since "application's directory" already is the n°1 lookup-priority !
So either the manual is wrong or not adhered to.
Either way, this is confusing for users and should be fixed.
💡 concrete suggestions for how to fix this issue:
- re-enable the fallback chain advertised on the error help page
- If a higher-priority cert storage location lacks the needed certificate, look in lower-priority locations. I.e. make the storage locations not "all or nothing", but available for individual lookups, so curl can locate a matching cert across stores instead of failing outright at first try. Comparison: If my favourite bookstore does not have my book, I don't have to give up but can go to another bookstore.
curl/libcurl version
curl 8.20.0 (x86_64-w64-mingw32) libcurl/8.20.0 LibreSSL/4.3.1 zlib/1.3.1.zlib-ng brotli/1.2.0 zstd/1.5.7 WinIDN libpsl/0.21.5 libssh2/1.11.1 nghttp2/1.69.0 ngtcp2/1.22.1 nghttp3/1.15.0 WinLDAP
Release-Date: 2026-04-29
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt mqtts pop3 pop3s rtsp scp sftp smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy HTTPSRR IDN IPv6 Kerberos Largefile libz NativeCA PSL SPNEGO SSL SSPI threadsafe UnixSockets zstd
operating system
Windows 10
related issues:
I did this
curl v8.0.1 successfully talks IMAP with a server:
curl imaps://0@imap.gmx.net(omitting credentials here)curl: (67) Login denied(but login succeeds with credentials)curl v8.20.0 produces an error for the exact same command:
This makes no sense:
Curl produces an error.
--> And the error says, look at this URL.
--> And the URL describes a fallback chain, which, if followed, would not produce said error in the first place.
I expected the following
I expect curl to do what the manual claims, namely use the following very useful fallback chain:
--cacert curl-ca-bundle.crtworkaround should neither be needed nor work, since "application's directory" already is the n°1 lookup-priority !So either the manual is wrong or not adhered to.
Either way, this is confusing for users and should be fixed.
💡 concrete suggestions for how to fix this issue:
curl/libcurl version
operating system
Windows 10
related issues: