curl-users
Re: SSL: Verify cert is OK?
Date: Sat, 26 Jul 2008 07:56:33 -0400
On Wed, 23 Jul 2008, Andy Theuninck wrote:
-> I obtained the certificate like this:
-> $ openssl s_client -connect www.domain.com:443 |tee logfile
->
-> I copied the certificate (including BEGIN and END lines) to a new
-> file, domain.cert
Stop. You're done, put it in a bundle.
cat domain.cert >> ca-bundle.pem
Make sure you have a CA cert:
-----BEGIN CERTIFICATE-----
stuff
-----END CERTIFICATE-----
of which the lines, when decoded, look like so:
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
and not:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
-> I then generated what I *think* is a ca file thusly:
-> $ openssl x509 -inform PEM -in domain.cert -text -out certdata
This spits both PEM block and decoded block of the cert. You really only need
the PEM encoded block.
-> If I try to use this certificate file, I get an error:
-> $ curl --ca-cert certdata https://www.domain.com
-> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
-> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
-> verify failed
-> More details here: http://curl.haxx.se/docs/sslcerts.html
You probably have the server's certificate, not the root authority that signed
the server's certificate. It's a chain. You want the last one. Also, openssl's
s_client is touchy. You have to put the -CAfile or -CApath last (in my tests)
or else it gives "unknown option"
openssl s_client -connect atr2.ath.cx:443 -verify -pause -showcerts -CApath /var/ssl/certs
verify depth is 0
CONNECTED(00000003)
depth=1 /C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
verify return:1
depth=0 /C=US/ST=New York/O=Atr2 Research Group/OU=SSL-Enabled Webserver/CN=atr2.ath.cx/emailAddress=hostmaster_at_atr2.ath.cx
verify return:1
---
Certificate chain
 0 s:/C=US/ST=New York/O=Atr2 Research Group/OU=SSL-Enabled Webserver/CN=atr2.ath.cx/emailAddress=hostmaster_at_atr2.ath.cx
   i:/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
(cert guts)
 1 s:/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
   i:/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
(more cert guts)
---
Server certificate
subject=/C=US/ST=New York/O=Atr2 Research Group/OU=SSL-Enabled Webserver/CN=atr2.ath.cx/emailAddress=hostmaster_at_atr2.ath.cx
issuer=/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
---
Acceptable client certificate CA names
(lots of cert names)
---
SSL handshake has read 8837 bytes and written 361 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
FD7E3FBBD2A4B7C9924DFD787D8B5A6C8721606D36417D85AAF8F13200F2BA57
Session-ID-ctx:
Master-Key:
3AB6F5923921FB2F15C51F0C8AE7CF565ECD35ED6B9460C63D8F047C4DDD3A0AB1F989CA67CD40CB86A584D269F31175
Key-Arg : None
Start Time: 1217067817
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
There is already a ca bundle in the curl source dist. Just put it where you
told curl it would be when you built your curl. Here it's
/usr/share/curl/ca-bundle.pem but I believe that differs from the default.
You can also use a directory of CA cert files in PEM format. Use the c_rehash
tool from the openssl dist to make the symlink names in the files' directory.
openssl s_client -connect atr2.ath.cx:443 -verify -pause -showcerts -CApath /var/ssl/certs
in place of:
openssl s_client -connect atr2.ath.cx:443 -verify -pause -showcerts -CAfile /var/ssl/certs/ca-cert-bundle.pem
curl -v --cacert /var/ssl/certs/ca-cert-bundle.pem https://atr2.ath.cx/
* About to connect() to atr2.ath.cx port 443 (#0)
* Trying 64.179.14.82... connected
* Connected to atr2.ath.cx (64.179.14.82) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /var/ssl/certs/ca-cert-bundle.pem
CApath: /var/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS handshake, Unknown (4):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: /C=US/ST=New York/O=Atr2 Research Group/OU=SSL-Enabled Webserver/CN=atr2.ath.cx/e$
* start date: 2007-05-29 13:53:21 GMT
* expire date: 2017-05-26 13:53:21 GMT
* common name: atr2.ath.cx (matched)
* issuer: /C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.$
* SSL certificate verify ok.
(headers & page)
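The steps in the reply above (split out the chain the server sends, keep the last certificate, confirm it says CA:TRUE rather than CA:FALSE, append it to the bundle or drop it in a rehashed CApath directory, then let OpenSSL verify the leaf the same way curl will) as one script. This is an added example, not code from the post or from the curl project. It assumes openssl (and, on builds older than 1.1.0, the c_rehash script) on PATH, and a transcript saved with -showcerts, which the original poster's s_client command lacked: without -showcerts, s_client prints only the server's own certificate in PEM, which is exactly how a leaf certificate ends up being mistaken for a "CA file". Every file and directory name is a placeholder supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the curl-users post. Turns a saved
# `openssl s_client -showcerts` transcript into a CA bundle the way the
# reply recommends, and refuses to trust a cert that is not CA:TRUE.
# Assumes openssl (and, for old builds, c_rehash) on PATH and a transcript
# saved with:  openssl s_client -connect host:443 -showcerts </dev/null | tee logfile
# All file and directory names passed in are placeholders chosen by the caller.

# Split every PEM certificate block in a file into cert-0.pem, cert-1.pem, ...
# in chain order (0 = server/leaf, last = the top of the chain the server
# sent). Prints the number of blocks written.
extract_chain() {
    infile=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" n ".pem"; keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/   { close(out); keep = 0; n++ }
        END { print n }
    ' "$infile"
}

# Path of the last certificate extract_chain wrote: the one the reply says
# you want in the bundle, provided it really is a CA certificate.
last_cert() {
    printf '%s/cert-%d.pem\n' "$1" $(($2 - 1))
}

# Succeeds only if the certificate carries "X509v3 Basic Constraints: CA:TRUE",
# the line the reply tells you to look for in the decoded cert.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Basic Constraints/ { getline; if ($0 ~ /CA:TRUE/) ok = 1 }
             END { exit ok ? 0 : 1 }'
}

# Print subject, issuer, whether the cert is self-signed (subject == issuer,
# the usual shape of a root) and whether it is a CA cert.
describe_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then self=yes; else self=no; fi
    if is_ca_cert "$1"; then ca=TRUE; else ca=FALSE; fi
    printf '%s\n  %s\n  %s\n  self-signed: %s   CA: %s\n' "$1" "$subj" "$iss" "$self" "$ca"
}

# Same check curl performs: validate the leaf against the candidate root,
# passing any intermediates as untrusted. Fails the same way curl's (60) does.
verify_leaf() {
    outdir=$1; count=$2
    root=$(last_cert "$outdir" "$count")
    set -- -CAfile "$root"
    if [ "$count" -gt 2 ]; then
        : > "$outdir/intermediates.pem"
        i=1
        while [ "$i" -lt $((count - 1)) ]; do
            cat "$outdir/cert-$i.pem" >> "$outdir/intermediates.pem"
            i=$((i + 1))
        done
        set -- "$@" -untrusted "$outdir/intermediates.pem"
    fi
    openssl verify "$@" "$outdir/cert-0.pem"
}

# Trust the root both ways the reply describes: append it to a bundle file
# (curl --cacert) and drop it into a hashed directory (CApath). `openssl
# rehash` is the built-in replacement for the c_rehash script (OpenSSL 1.1.0+).
install_root() {
    root=$1; bundle=$2; capath=$3
    if ! is_ca_cert "$root"; then
        echo "refusing to trust $root: Basic Constraints is not CA:TRUE (server cert?)" >&2
        return 1
    fi
    cat "$root" >> "$bundle"
    mkdir -p "$capath" && cp "$root" "$capath/"
    openssl rehash "$capath" 2>/dev/null || c_rehash "$capath"
}

# Usage: sh check-chain.sh logfile workdir ca-bundle.pem capath-dir
if [ "$#" -eq 4 ]; then
    n=$(extract_chain "$1" "$2")
    i=0
    while [ "$i" -lt "$n" ]; do describe_cert "$2/cert-$i.pem"; i=$((i + 1)); done
    verify_leaf "$2" "$n" && install_root "$(last_cert "$2" "$n")" "$3" "$4"
fi
```

After install_root succeeds, `curl -v --cacert ca-bundle.pem https://host/` (or `--capath capath-dir`) should print "SSL certificate verify ok." as in the transcript above. If verify_leaf already fails, the last certificate the server sent is not self-signed and the real root has to come from elsewhere; adding the leaf to the bundle will never fix that.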
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2008-07-26