curl-users
Re: SSL: Verify cert is OK?
Date: Sat, 26 Jul 2008 07:56:33 -0400
On Wed, 23 Jul 2008, Andy Theuninck wrote:
-> I obtained the certificate like this:
-> $ openssl s_client -connect www.domain.com:443 |tee logfile
->
-> I copied the certificate (including BEGIN and END lines) to a new
-> file, domain.cert
Stop. You're done, put it in a bundle.
cat domain.cert >> ca-bundle.pem
Make sure you have a CA cert:
-----BEGIN CERTIFICATE-----
stuff
-----END CERTIFICATE-----
of which the lines, when decoded, look like so:
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
and not:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
-> I then generated what I *think* is a ca file thusly:
-> $ openssl x509 -inform PEM -in domain.cert -text -out certdata
This spits out both the PEM block and the decoded block of the cert. You really only need
the PEM-encoded block.
-> If I try to use this certificate file, I get an error:
-> $ curl --ca-cert certdata https://www.domain.com
-> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
-> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
-> verify failed
-> More details here: http://curl.haxx.se/docs/sslcerts.html
You probably have the server's certificate, not the root authority that signed
the server's certificate. It's a chain. You want the last one. Also, openssl's
s_client is touchy. You have to put the -CAfile or -CApath last (in my tests)
or else it gives "unknown option".
openssl s_client -connect atr2.ath.cx:443 -verify -pause -showcerts -CApath /var/ssl/certs
verify depth is 0
CONNECTED(00000003)
depth=1 /C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate
Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
verify return:1
depth=0 /C=US/ST=New York/O=Atr2 Research Group/OU=SSL-Enabled
Webserver/CN=atr2.ath.cx/emailAddress=hostmaster_at_atr2.ath.cx
verify return:1
---
Certificate chain
 0 s:/C=US/ST=New York/O=Atr2 Research Group/OU=SSL-Enabled Webserver/CN=atr2.ath.cx/emailAddress=hostmaster_at_atr2.ath.cx
   i:/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
(cert guts)
 1 s:/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
   i:/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
(more cert guts)
---
Server certificate
subject=/C=US/ST=New York/O=Atr2 Research Group/OU=SSL-Enabled Webserver/CN=atr2.ath.cx/emailAddress=hostmaster_at_atr2.ath.cx
issuer=/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
---
Acceptable client certificate CA names
(lots of cert names)
---
SSL handshake has read 8837 bytes and written 361 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: FD7E3FBBD2A4B7C9924DFD787D8B5A6C8721606D36417D85AAF8F13200F2BA57
    Session-ID-ctx:
    Master-Key: 3AB6F5923921FB2F15C51F0C8AE7CF565ECD35ED6B9460C63D8F047C4DDD3A0AB1F989CA67CD40CB86A584D269F31175
    Key-Arg   : None
    Start Time: 1217067817
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

There is already a ca bundle in the curl source dist. Just put it where you told
curl it would be when you built your curl. Here it's /usr/share/curl/ca-bundle.pem
but I believe that differs from the default. You can also use a directory of CA
cert files in PEM format. Use the c_rehash tool from the openssl dist to make the
symlink names in the files' directory.
openssl s_client -connect atr2.ath.cx:443 -verify -pause -showcerts -CApath /var/ssl/certs
in place of:
openssl s_client -connect atr2.ath.cx:443 -verify -pause -showcerts -CAfile /var/ssl/certs/ca-cert-bundle.pem

curl -v --cacert /var/ssl/certs/ca-cert-bundle.pem https://atr2.ath.cx/
* About to connect() to atr2.ath.cx port 443 (#0)
*   Trying 64.179.14.82... connected
* Connected to atr2.ath.cx (64.179.14.82) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /var/ssl/certs/ca-cert-bundle.pem
  CApath: /var/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS handshake, Unknown (4):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: /C=US/ST=New York/O=Atr2 Research Group/OU=SSL-Enabled Webserver/CN=atr2.ath.cx/e$
*        start date: 2007-05-29 13:53:21 GMT
*        expire date: 2017-05-26 13:53:21 GMT
*        common name: atr2.ath.cx (matched)
*        issuer: /C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate Authority/CN=atr2.ath.$
*        SSL certificate verify ok.
(headers & page)

Received on 2008-07-26
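An added example, not part of the reply above, that automates what it describes: split the log saved from `openssl s_client -showcerts` into one file per certificate, then append to the bundle only those that decode with Basic Constraints CA:TRUE (and Certificate Sign, when a Key Usage extension is present). The `chain-N.pem` file names, the function names, and the sample log with placeholder bodies are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the mail): split the chain printed by
# "openssl s_client -showcerts" into one PEM file each, then keep only the
# certificates whose decoded extensions mark them as a CA. Assumes POSIX sh,
# awk, and (for the CA check only) the openssl CLI.

# Write every BEGIN/END CERTIFICATE block in $1 to $2/chain-N.pem; print N.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Succeed only if PEM file $1 decodes with Basic Constraints CA:TRUE and, when
# a Key Usage extension is present, "Certificate Sign" (old roots may lack it).
is_ca_cert() {
    text=$(openssl x509 -inform PEM -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    fi
}

# Append the CA certificates among $1/chain-*.pem to bundle $2, the file to
# hand to "curl --cacert" (or run c_rehash on the directory and use -CApath).
build_bundle() {
    for f in "$1"/chain-*.pem; do
        if is_ca_cert "$f"; then cat "$f" >> "$2"; echo "added $f"
        else echo "skipped $f (not a CA certificate)"; fi
    done
}

# Constructed stand-in for "openssl s_client ... | tee logfile"; the base64
# bodies are placeholders, not real certificates.
sample_log=$(mktemp); workdir=$(mktemp -d)
cat > "$sample_log" <<'EOF'
CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
c2VydmVyLWNlcnQtcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cm9vdC1jYS1wbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
EOF
split_chain "$sample_log" "$workdir"   # prints 2
# On a real log, follow with: build_bundle "$workdir" ca-bundle.pem
```

The last `chain-N.pem` written is the end of the chain the reply says you want; the placeholder bodies here are rejected by `is_ca_cert` because they are not real certificates.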