curl-users

Re: Verifying self signed certificates

From: Ralph Mitchell <ralphmitchell_at_gmail.com>
Date: Tue, 24 Jan 2012 21:31:09 -0500

On Tue, Jan 24, 2012 at 7:08 PM, Shivam Patel <shivam_at_shivampatel.net> wrote:

> On 21 January 2012 02:09, Ralph Mitchell <ralphmitchell_at_gmail.com> wrote:
>
>> On Fri, Jan 20, 2012 at 1:08 PM, Shivam Patel <shivam.unleashed_at_gmail.com> wrote:
>>
>>> Hi All,
>>> I need to verify the server certificate for a server that sends a self
>>> signed certificate. I am using the curl command line tool.
>>> I read http://curl.haxx.se/mail/archive-2011-02/0049.html in which
>>> Daniel says there is no way we can do it over command line (or so I
>>> inferred).
>>>
>>> Can someone tell me a way I can verify this certificate? As mentioned in
>>>
>>> http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/, I
>>> added the PEM key to my CA cert store, but even that doesn't work for me.
>>>
>>> I reckon the problem is that I need to add the CA certificate to the
>>> certificate store (or for --cacert option) and not the Server Certificate.
>>> For self signed certificate, there is no CA - does that mean that the
>>> Certificate itself can be deemed as the CA certificate?
>>>
>>
>> I have a server at home that uses a certificate signed by my own internal
>> CA, which has its own self-signed certificate. I just tried accessing the
>> server with curl:
>>
>> curl -v https://server.domain.com/
>>
>> and got back
>>
>> * Peer certificate cannot be authenticated with known CA certificates
>>
>> Then I went to the server, pulled its CA cert and saved it locally and
>> tried again:
>>
>> curl -v --cacert ca.pem https://server.domain.com/
>>
>> and it validated OK, so curl can definitely handle a self-signed CA.
>> Actually, if you follow the CA chain from any server cert you'll find a
>> self-signed certificate from Verisign, Thawte, or whomever. So, if your
>> server certificate is self-signed you ought to be able to save a copy and
>> use it with the --cacert flag.
>>
>> As I read Daniel's email that you referenced, what he's saying is that he
>> doesn't know a convenient way to pull the server's CA cert rather than the
>> server's own cert. I think this may do it:
>>
>> openssl s_client -showcerts -connect server.com:443 > certs.pem
>>
>> You can then use certs.pem in my previous curl command line.
>>
>> Ralph Mitchell
>>
>>
>> -------------------------------------------------------------------
>> List admin: http://cool.haxx.se/list/listinfo/curl-users
>> FAQ: http://curl.haxx.se/docs/faq.html
>> Etiquette: http://curl.haxx.se/mail/etiquette.html
>>
>>
> Ralph, thanks for your comments.
> Well I've already tried what you mentioned. It didn't work. Is it so
> because there is no issuer in the CA chain for the certificate sent by the
> server? Does curl expect at least one issuer CA in the CA chain?
> The certificate I am trying to validate using curl is
> https://download.finratraqs.org/
>
> I have a couple questions for this cert:
> 1.) Since this is a self signed cert, shouldn't "Issued to" and "Issued
> by" CN fields ideally match?
> 2.) If this isn't self signed, and was issued by a self signed CA, then
> why isn't that CA cert showing up in the Certification path.
>
> Any thoughts will be appreciated!
> Also if any of you can successfully validate the cert from the
> aforementioned URL, kindly share the flags/process.
>

It's not a self-signed certificate. The certificate shows:

openssl x509 -noout -in finratraqs.pem -issuer -subject
issuer= /CN=NasdaqOMX Web Security Framework
subject= /C=US/ST=New York/L=New York/O=Nasdaq Stock Market/OU=Nasdaq OMX/CN=download.finratraqs.org

You'd need the certificate from the issuer, and possibly its issuer, going
back to a CA cert somewhere, to be able to validate the entire chain.

Perhaps more importantly, when I go to that web page in Firefox and accept
the certificate exception, the page I get back just has:

    "You do not have permission to view this directory or page
    using the credentials that you supplied."

The last few words, "credentials that you supplied", suggest to me that I
should login with a userid and password on some other web page, be handed a
cookie or other token, and then be transferred to the download site. Or
possibly I ought to have a certificate or smart card in order to
authenticate to the download server.

Ralph Mitchell
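To make the distinction Ralph draws concrete, here is an added example (not code from the thread or from the curl project) that builds a throwaway CA and a leaf certificate it issues, then runs the two checks discussed above: whether a certificate is self-signed (issuer equals subject) and whether a certificate validates against a given bundle, which is the check behind curl's --cacert. The names "Example Internal CA" and "download.example.test" are constructed stand-ins, and the whole thing runs offline with only openssl.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway CA plus a leaf
# certificate it issues (constructed names), then runs the two checks the
# thread discusses: is a certificate self-signed, and does it validate
# against a given CA bundle (the check curl --cacert performs).
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Print "yes" if issuer equals subject, i.e. the certificate is self-signed.
is_self_signed() {
    issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    subject=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ] && echo yes || echo no
}

# Print "ok" if certificate $2 chains to a trust anchor in bundle $1, else "fail".
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Constructed self-signed CA (the role the issuer "NasdaqOMX Web Security Framework" plays above).
openssl req -x509 -config ext.cnf -extensions v3_ca -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Internal CA" -keyout ca.key -out ca.pem 2>/dev/null
# Constructed leaf certificate issued by that CA, like the download server's certificate.
openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=download.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 1 \
    -out leaf.pem 2>/dev/null

echo "CA self-signed:    $(is_self_signed ca.pem)"            # yes
echo "leaf self-signed:  $(is_self_signed leaf.pem)"          # no
echo "leaf vs CA bundle: $(verify_against ca.pem leaf.pem)"   # ok
echo "CA vs itself:      $(verify_against ca.pem ca.pem)"     # ok: a self-signed cert is its own anchor
echo "leaf vs itself:    $(verify_against leaf.pem leaf.pem)" # fail: the server cert is not the CA
```

A bundle saved from `openssl s_client -showcerts` can be passed to verify_against in place of ca.pem; if the last certificate in it is not self-signed, the same "fail" shows which issuer is still missing.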

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-01-25