curl-users

Re: SSL: Verify cert is OK?

From: jayjwa <jayjwa_at_atr2.ath.cx>
Date: Sat, 26 Jul 2008 07:56:33 -0400

On Wed, 23 Jul 2008, Andy Theuninck wrote:

-> I obtained the certificate like this:
-> $ openssl s_client -connect www.domain.com:443 |tee logfile
->
-> I copied the certificate (including BEGIN and END lines) to a new
-> file, domain.cert

Stop. You're done, put it in a bundle.

cat domain.cert >> ca-bundle.pem

Make sure you have a CA cert:

-----BEGIN CERTIFICATE-----
stuff
-----END CERTIFICATE-----

of which the lines, when decoded, look like so:

             X509v3 Basic Constraints:
                 CA:TRUE
             X509v3 Key Usage:
                 Certificate Sign, CRL Sign

and not:

             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate

-> I then generated what I *think* is a ca file thusly:
-> $ openssl x509 -inform PEM -in domain.cert -text -out certdata

This spits out both the PEM block and the decoded block of the cert. You really only need
the PEM encoded block.

-> If I try to use this certificate file, I get an error:
-> $ curl --ca-cert certdata https://www.domain.com
-> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
-> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
-> verify failed
-> More details here: http://curl.haxx.se/docs/sslcerts.html

You probably have the server's certificate, not the root authority that signed
the server's certificate. It's a chain. You want the last one. Also, openssl's
s_client is touchy. You have to put the -CAfile or -CApath last (in my tests)
or else it gives "unknown option".

  openssl s_client -connect atr2.ath.cx:443 -verify -pause -showcerts -CApath /var/ssl/certs

verify depth is 0
CONNECTED(00000003)
depth=1 /C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
verify return:1
depth=0 /C=US/ST=New York/O=Atr2 Research Group/OU=SSL-Enabled Webserver/CN=atr2.ath.cx/emailAddress=hostmaster_at_atr2.ath.cx
verify return:1

---
Certificate chain
  0 s:/C=US/ST=New York/O=Atr2 Research Group/OU=SSL-Enabled Webserver/CN=atr2.ath.cx/emailAddress=hostmaster_at_atr2.ath.cx
    i:/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
(cert guts)
  1 s:/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
    i:/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
(more cert guts)
---
Server certificate
subject=/C=US/ST=New York/O=Atr2 Research Group/OU=SSL-Enabled Webserver/CN=atr2.ath.cx/emailAddress=hostmaster_at_atr2.ath.cx
issuer=/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
---
Acceptable client certificate CA names
(lots of cert names)
---
SSL handshake has read 8837 bytes and written 361 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID: FD7E3FBBD2A4B7C9924DFD787D8B5A6C8721606D36417D85AAF8F13200F2BA57
     Session-ID-ctx:
     Master-Key: 3AB6F5923921FB2F15C51F0C8AE7CF565ECD35ED6B9460C63D8F047C4DDD3A0AB1F989CA67CD40CB86A584D269F31175
     Key-Arg   : None
     Start Time: 1217067817
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
---
DONE

There is already a ca bundle in the curl source dist. Just put it where you
told curl it would be when you built your curl. Here it's
/usr/share/curl/ca-bundle.pem but I believe that differs from the default.

You can also use a directory of CA cert files in PEM format. Use the c_rehash
tool from the openssl dist to make the symlink names in the files' directory.

openssl s_client -connect atr2.ath.cx:443 -verify -pause -showcerts -CApath /var/ssl/certs

in place of:

openssl s_client -connect atr2.ath.cx:443 -verify -pause -showcerts -CAfile /var/ssl/certs/ca-cert-bundle.pem

curl -v --cacert /var/ssl/certs/ca-cert-bundle.pem https://atr2.ath.cx/
* About to connect() to atr2.ath.cx port 443 (#0)
*   Trying 64.179.14.82... connected
* Connected to atr2.ath.cx (64.179.14.82) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /var/ssl/certs/ca-cert-bundle.pem
   CApath: /var/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS handshake, Unknown (4):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: /C=US/ST=New York/O=Atr2 Research Group/OU=SSL-Enabled Webserver/CN=atr2.ath.cx/e$
*        start date: 2007-05-29 13:53:21 GMT
*        expire date: 2017-05-26 13:53:21 GMT
*        common name: atr2.ath.cx (matched)
*        issuer: /C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.$
* SSL certificate verify ok.
(headers & page)
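Added example, not code from the mail above or from the curl project: a POSIX shell script that splits a saved `s_client -showcerts` log into its PEM blocks and reports which block carries the CA:TRUE basic constraint the mail describes, i.e. the one that belongs in ca-bundle.pem rather than the server's leaf cert. It assumes openssl is on PATH; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the mail above or from the curl project.
# Input: a file holding the PEM blocks printed by
#   openssl s_client -connect host:443 -showcerts </dev/null > logfile
# It splits the blocks and reports which one is a CA certificate
# (Basic Constraints CA:TRUE), i.e. the one to append to ca-bundle.pem.
# Assumes openssl is on PATH; function names are mine.

# Number of -----BEGIN CERTIFICATE----- blocks in the file.
count_pem_blocks() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Print the Nth PEM block (1-based) of the file, BEGIN and END lines included.
extract_pem_block() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Exit 0 if the PEM certificate on stdin carries CA:TRUE, 1 otherwise.
# This is the check the mail describes: a leaf cert says CA:FALSE.
is_ca_cert() {
    openssl x509 -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# One line per block: index, "CA" or "leaf", and the subject.
# Each CA line is a candidate for the bundle; the one whose subject
# equals its issuer is the self-signed root the server cert chains to.
classify_chain() {
    file=$1
    total=$(count_pem_blocks "$file")
    i=1
    while [ "$i" -le "$total" ]; do
        block=$(extract_pem_block "$file" "$i")
        subj=$(printf '%s\n' "$block" | openssl x509 -noout -subject 2>/dev/null)
        if printf '%s\n' "$block" | is_ca_cert; then kind=CA; else kind=leaf; fi
        printf '%s %s %s\n' "$i" "$kind" "$subj"
        i=$((i + 1))
    done
}
```

Run `classify_chain logfile`, then append the block reported as CA with `extract_pem_block logfile N >> ca-bundle.pem` and point curl at the bundle with --cacert.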
Received on 2008-07-26