curl-users
Re: Probs with client certificates
Date: Thu, 16 Oct 2003 10:21:13 +0200
Hi,
On Thu, Oct 16, 2003 at 08:57:25AM +0200, Daniel Stenberg wrote:
> On Wed, 15 Oct 2003, Georg Horn wrote:
>
> I'm far from an expert on this, but I'll give it a shot.

Thanks for listening. ;-)

> > $ curl-7.10.7/src/curl -debug -v --cert mgb2003.pem --cacert \
> > postbank-komplett.pem -k https://www2.postbank-banking.de/xmlapi/OB
>
> You should --cacert OR -k, as they kind of defeat each other's purposes. But I
> believe -k is ignored in this case.

Ok, that sounds logical, so let's start with the simplest case:

$ curl-7.10.7/src/curl -v https://www2.postbank-banking.de/xmlapi/OB
* About to connect() to www2.postbank-banking.de:443
* Connected to www2.postbank-banking.de (62.180.72.66) port 443
* error setting certificate verify locations
* Closing connection #0
curl: (60) error setting certificate verify locations
Adding -k tells us that a certificate is required:
$ curl-7.10.7/src/curl -v -k https://www2.postbank-banking.de/xmlapi/OB
* About to connect() to www2.postbank-banking.de:443
* Connected to www2.postbank-banking.de (62.180.72.66) port 443
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: /C=DE/ST=NRW/L=Bonn/O=Deutsche Postbank AG/OU=Postbank Electronic Banking/OU=Terms of use at www.verisign.com/rpa (c)00/CN=www2.postbank-banking.de
* start date: 2003-01-16 00:00:00 GMT
* expire date: 2004-01-16 23:59:59 GMT
* common name: www2.postbank-banking.de (matched)
* issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
> GET /xmlapi/OB HTTP/1.1
User-Agent: curl/7.10.7 (i686-pc-linux-gnu) libcurl/7.10.7 OpenSSL/0.9.7c zlib/1.1.4
Host: www2.postbank-banking.de
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
< HTTP/1.1 401 Authorization Required
< Date: Thu, 16 Oct 2003 08:01:55 GMT
< Server: Apache/1.3.27 (Unix) mod_ssl/2.8.14 OpenSSL/0.9.7b mod_jk
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Requires valid Client-Certificate"
[...]
And adding the cert gives me an ssl-error:

$ curl-7.10.7/src/curl -v -k --cert mgb2003.pem https://www2.postbank-banking.de/xmlapi/OB
* About to connect() to www2.postbank-banking.de:443
* Connected to www2.postbank-banking.de (62.180.72.66) port 443
Enter PEM pass phrase:
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: /C=DE/ST=NRW/L=Bonn/O=Deutsche Postbank AG/OU=Postbank Electronic Banking/OU=Terms of use at www.verisign.com/rpa (c)00/CN=www2.postbank-banking.de
* start date: 2003-01-16 00:00:00 GMT
* expire date: 2004-01-16 23:59:59 GMT
* common name: www2.postbank-banking.de (matched)
* issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
> GET /xmlapi/OB HTTP/1.1
User-Agent: curl/7.10.7 (i686-pc-linux-gnu) libcurl/7.10.7 OpenSSL/0.9.7c zlib/1.1.4
Host: www2.postbank-banking.de
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
* SSL read error: 1
* Connection #0 left intact
curl: (56) SSL read error: 1
* Closing connection #0
I think here we have a problem/bug?

And adding --cacert instead of -k again results in:

$ curl-7.10.7/src/curl -v --cacert postbank-komplett.pem --cert mgb2003.pem https://www2.postbank-banking.de/xmlapi/OB
* About to connect() to www2.postbank-banking.de:443
* Connected to www2.postbank-banking.de (62.180.72.66) port 443
Enter PEM pass phrase:
* SSL certificate problem, verify that the CA cert is OK
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK
> This looks as if your CA cert isn't good enough, but perhaps the error
> message is misleading/wrong.

I think the CA cert should be good, as it works with "openssl s_client".
See the logfile that I attached to my previous post. That log was generated
with:

$ openssl s_client -connect www2.postbank-banking.de:443 -prexit -cert mgb2003.pem -CAfile postbank-komplett.pem

> I believe your client cert needs to be your certificate and key concatenated,

It is.

Bye,
Georg
Received on 2003-10-16
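
Added example, not part of the message above and not code from curl: a structural check for the point raised in the thread that the file given to --cert should hold the certificate and the private key concatenated. It also reports whether the key is pass-phrase protected, which is what triggers the "Enter PEM pass phrase:" prompt. The function names and the sample files are constructed for illustration; the check looks only at PEM block headers and does not verify that the key matches the certificate.

```shell
#!/bin/sh
# Added example (not from the thread): report which PEM blocks a --cert file holds.

# pem_summary FILE -> "certs=N keys=M encrypted=yes|no"
pem_summary() {
    awk '
        /^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----/ { certs++ }
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/        { keys++; enc = 1 }
        /^-----BEGIN (RSA |DSA |EC )?PRIVATE KEY-----/  { keys++ }
        /^Proc-Type: 4,ENCRYPTED/                       { enc = 1 }
        END { printf "certs=%d keys=%d encrypted=%s\n", certs, keys, (enc ? "yes" : "no") }
    ' "$1"
}

# check_client_pem FILE -> status 0 only for a certificate plus exactly one key
check_client_pem() {
    summary=$(pem_summary "$1") || return 2
    case "$summary" in
        "certs=0 "*)  echo "$1: no certificate block ($summary)"; return 1 ;;
        *" keys=0 "*) echo "$1: no private key, curl needs --key as well ($summary)"; return 1 ;;
        *" keys=1 "*) echo "$1: certificate and key present ($summary)"; return 0 ;;
        *)            echo "$1: more than one private key ($summary)"; return 1 ;;
    esac
}

# make_samples DIR -> writes constructed PEM files; the base64 body is a placeholder
make_samples() {
    body='Q09OU1RSVUNURUQ='
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' \
        > "$1/cert-only.pem"
    {
        cat "$1/cert-only.pem"
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
            'DEK-Info: DES-EDE3-CBC,0000000000000000' '' "$body" \
            '-----END RSA PRIVATE KEY-----'
    } > "$1/combined.pem"
}

# Demo on the constructed samples
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_client_pem "$demo_dir/cert-only.pem" || true
check_client_pem "$demo_dir/combined.pem" || true
rm -rf "$demo_dir"
```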