
curl-users

RE: Verifying server

From: William E. T. <triest.1_at_osu.edu>
Date: Thu, 29 Aug 2002 16:56:45 -0400

I think you misunderstood some of my questions as being a little too basic;
let me explain a little.

Daniel Stenberg wrote:

>On Wed, 28 Aug 2002, William E. T. wrote:
>
>[I am far from an expert on this, but since no one else responds I can just
>as well keep on blabbering...]
>
>
>
>>Yes. Let's say I'm connecting to server my_secure_server.com, and I want a
>>secure connection and I want to verify that this server is
>>my_secure_server.com. How would I do this?
>>
>>
>
>You have a CA certificate that you tell curl to use to verify the peer with.
>With --cainfo.
>
CA certificate - like Verisign's etc., correct? How do I get this? It's
the second certificate that is displayed when I do an openssl.exe
s_client -showcerts -connect www.thesecureserver.com:443. Is there a
better way to get the certificate? It's included in the link given below
(http://curl.haxx.se/ca-cert-bundle.pem.gz), so I don't have to worry
about obtaining it myself (I'm assuming), so this is now a moot point,
but that's why I was asking what I was.

>>if I have a certificate, then do I need to pay anyone?
>>
>>
>For what?
>
If I want to operate a secure server, then I have to pay a CA for a
certificate. This way, when I send the public certificate, the client
can go to the CA and verify it (I do realize you know this, I'm just
explaining my understanding, so if it's wrong you can correct it, or if
it's right you can see my line of thought). Why am I presenting a
certificate (and not just randomly creating data) if the server has no
way to verify it as coming from me?

>>(like a certificate authority) otherwise couldn't anyone make-up a
>>certificate?
>>
>>
>You don't want just "a certificate", you want a CA certificate that can
>verify the peer. You need to get one of those. If your peer's certificate is
>signed by one of the CA in this package:
>http://curl.haxx.se/ca-cert-bundle.pem.gz then you can use that.
>
This answer is relevant to the above question about how to get the CA
certificate, but my actual sentence here was meant to be about the
client certificate. You said I need one to send to the server (which is
correct according to my interpretation of trying to connect via
OpenSSL, but isn't necessarily ALWAYS true for all servers) when I
wanted to connect via SSL, and here I was attempting to explain my
reasoning for asking if I need to purchase a certificate from a CA (like
Verisign).

BTW, the CA for the server I'm trying to connect to is Verisign, so it
is in that bundle.

>>>You need a CA certificate (bundle) though to verify the peer against.
>>>
>>>
>>A CA certificate (bungle)? Could you please elaborate?
>>
>>
>A bunch of CA certificates. Often called "CA cert bundle".
>
>
Basically all I need to do is get the CA certificate. Then I really
don't need a CA cert bundle, if I know the server I want to connect
through uses a certificate signed by Verisign, correct? This is what I
was planning on doing. I guess through the above link I now have the
"CA cert bundle" that you said I needed, but really this was a matter
of you using terminology I didn't understand, not of my not understanding how
SSL works.

>>If you know good URLs I don't mind RTFMing, I'm just kinda lost on how to do
>>this.
>>
>>
I have read up some on SSL, BTW. I think you are misunderstanding a lot
of my questions to be a little too basic (though my ultimate questions
are basic). Basically, verifying the server is all I really want to do
with curl for the moment, besides maybe contributing a little to
starting better documentation of it (and hopefully keeping you guys from
having to deal with more e-mail like this).

>I think you need to learn some basic skills on how SSL and certificates work
>and interoperate. I'm afraid I cannot offer any good URLs to such info. I'm
>not very good at it myself.
>
>
Well, thank you for the effort you have put into this, as it has been
considerable. If you want to give a quick example (though include the
disclaimer that you didn't test it) and then make me figure out what
the example does, that would be kewl. (It might be easier than answering
all my questions, I thought.)

Thanks,
William

Received on 2002-08-29
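The quick example William asks for, added here by the editor and not part of the original thread or of curl's own code. It builds a throwaway CA with the openssl command-line tool, has that CA sign a certificate for the made-up host my_secure_server.com, and then runs the same check curl performs when given a CA file: does a certificate the CA actually signed pass, does a certificate from an unrelated CA (with the very same host name in it) fail, and does the right CA with the wrong host name fail. The CA name "Example Test CA", the host names and the directory layout are all constructed for the example; on the curl command line the CA file is passed with --cacert (CAINFO is libcurl's name for the same option).

```shell
#!/bin/sh
# Added example (not from the original thread): a throwaway CA and a server
# certificate it signs, to show what "verify the peer against a CA
# certificate" checks. Requires the openssl command-line tool. The CA name,
# host names and paths below are made up for the example.

WORK="${WORK:-$(mktemp -d)}"

# Build a private CA and a server certificate signed by it (constructed test data).
# $1 = output directory, $2 = host name to put in the server certificate.
make_test_pki() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # Self-signed CA certificate: this is the kind of file you hand to --cacert.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Server key and certificate request naming the host.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    # The CA signs the request. That signature is what the client later checks;
    # anyone can make up a certificate, but only the CA key can produce it.
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/server.pem" 2>/dev/null
}

# Verify a server certificate against a CA file, optionally for a host name.
# $1 = CA file, $2 = server certificate, $3 = expected host name (optional).
# Returns openssl's exit status: 0 only when the chain (and name) check passes.
verify_peer() {
    cafile="$1"; cert="$2"; host="$3"
    if [ -n "$host" ]; then
        openssl verify -CAfile "$cafile" -verify_hostname "$host" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
    fi
}

main() {
    make_test_pki "$WORK/good"  my_secure_server.com || { echo "openssl failed"; return 1; }
    # A second, unrelated CA that also issued a cert for the same host name:
    # this is what an impostor with its own CA would present.
    make_test_pki "$WORK/other" my_secure_server.com || { echo "openssl failed"; return 1; }

    if verify_peer "$WORK/good/ca.pem" "$WORK/good/server.pem" my_secure_server.com; then
        echo "trusted CA, matching name: OK"
    fi
    if ! verify_peer "$WORK/other/ca.pem" "$WORK/good/server.pem"; then
        echo "certificate not signed by the CA we trust: rejected"
    fi
    if ! verify_peer "$WORK/good/ca.pem" "$WORK/good/server.pem" www.attacker.example; then
        echo "right CA, wrong host name: rejected"
    fi
    # With a real server the equivalent curl call would be:
    #   curl --cacert "$WORK/good/ca.pem" https://my_secure_server.com/
    echo "files are in $WORK"
}

main
```

The point the example makes about William's "second certificate from openssl s_client -showcerts": the certificates shown there are whatever the server chooses to send, so a CA certificate copied from that output is not a trust anchor you have verified, it is one the peer handed you. The CA file you pass to curl has to come from somewhere you already trust (the bundle Daniel links, or a CA you built yourself as above); otherwise an impostor simply sends its own CA along with its own server certificate and the check passes.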