curl-users

Re: Verifying self signed certificates

From: Shivam Patel <shivam_at_shivampatel.net>
Date: Tue, 24 Jan 2012 22:08:32 -0500

On 24 January 2012 21:31, Ralph Mitchell <ralphmitchell_at_gmail.com> wrote:

> On Tue, Jan 24, 2012 at 7:08 PM, Shivam Patel <shivam_at_shivampatel.net> wrote:
>
>> On 21 January 2012 02:09, Ralph Mitchell <ralphmitchell_at_gmail.com> wrote:
>>
>>> On Fri, Jan 20, 2012 at 1:08 PM, Shivam Patel <shivam.unleashed_at_gmail.com> wrote:
>>>
>>>> Hi All,
>>>> I need to verify the server certificate for a server that sends a self
>>>> signed certificate. I am using the curl command line tool.
>>>> I read http://curl.haxx.se/mail/archive-2011-02/0049.html in which
>>>> Daniel says there is no way we can do it over command line (or so I
>>>> inferred).
>>>>
>>>> Can someone tell me a way I can verify this certificate. As mentioned in
>>>> http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/ ,
>>>> I added the PEM key to my CA cert store, but even that doesn't work for me.
>>>>
>>>> I reckon the problem is that I need to add the CA certificate to the
>>>> certificate store (or for --cacert option) and not the Server Certificate.
>>>> For self signed certificate, there is no CA - does that mean that the
>>>> Certificate itself can be deemed as the CA certificate?
>>>>
>>>
>>> I have a server at home that uses a certificate signed by my own
>>> internal CA, which has its own self-signed certificate. I just tried
>>> accessing the server with curl:
>>>
>>> curl -v https://server.domain.com/
>>>
>>> and got back
>>>
>>> * Peer certificate cannot be authenticated with known CA certificates
>>>
>>> Then I went to the server, pulled its CA cert and saved it locally and
>>> tried again:
>>>
>>> curl -v --cacert ca.pem https://server.domain.com/
>>>
>>> and it validated OK, so curl can definitely handle a self-signed CA.
>>> Actually, if you follow the CA chain from any server cert you'll find a
>>> self-signed certificate from Verisign, Thawte, or whomever. So, if your
>>> server certificate is self-signed you ought to be able to save a copy and
>>> use it with the --cacert flag.
>>>
>>> As I read Daniel's email that you referenced, what he's saying is that
>>> he doesn't know a convenient way to pull the server's CA cert rather than
>>> the server's own cert. I think this may do it:
>>>
>>> openssl s_client -showcerts -connect server.com:443 > certs.pem
>>>
>>> You can then use certs.pem in my previous curl command line.
>>>
>>> Ralph Mitchell
>>>
>>>
>>>
>> Ralph, Thanks for your comments.
>> Well I've already tried what you mentioned. It didn't work. Is it so
>> because there is no issuer in the CA chain for the certificate sent by the
>> server? Does curl expect at least one issuer CA in the CA chain?
>> The certificate I am trying to validate using curl is
>> https://download.finratraqs.org/
>>
>> I have a couple questions for this cert:
>> 1.) Since this is a self signed cert, shouldn't "Issued to" and "Issued
>> by" CN fields ideally match?
>> 2.) If this isn't self signed, and was issued by a self signed CA, then
>> why isn't that CA cert showing up in the Certification path.
>>
>> Any thoughts will be appreciated!
>> Also if anyone of you can successfully validate the cert from the
>> aforementioned URL, kindly share the flags/process.
>>
>
> It's not a self-signed certificate. The certificate shows:
>
> openssl x509 -noout -in finratraqs.pem -issuer -subject
> issuer= /CN=NasdaqOMX Web Security Framework
> subject= /C=US/ST=New York/L=New York/O=Nasdaq Stock Market/OU=Nasdaq
> OMX/CN=download.finratraqs.org
>
> You'd need the certificate from the issuer, and possibly its issuer, going
> back to a CA cert somewhere, to be able to validate the entire chain.
>
> Perhaps more importantly, when I go to that web page in Firefox and accept
> the certificate exception, the page I get back just has:
>
> "You do not have permission to view this directory or page
> using the credentials that you supplied."
>
> The last few words, "credentials that you supplied", suggest to me that I
> should login with a userid and password on some other web page, be handed a
> cookie or other token, and then be transferred to the download site. Or
> possibly I ought to have a certificate or smart card in order to
> authenticate to the download server.
>
> Ralph Mitchell
>

Hi Ralph,
You are exactly right. This site requires a client side cert. In my curl
command line, I've got it to work and it actually works fine. The only
problem is that I am using the -k flag right now and I don't like using it.
The whole point of this exercise is to do away with the -k flag and
properly validate the server cert.
Mostly when I see certificates via the browser, I usually see the entire
chain. This was unique in this respect (due to maybe some webserver setting
or something) that it doesn't provide the entire chain and hence these
issues in validating it.

Thanks for your feedback, hopefully I should be able to make them send
me the CA certs.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-01-25
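An added example, not code from the thread: it checks a PEM bundle such as the output of the `openssl s_client -showcerts` command Ralph mentions for the property discussed above. A self-signed certificate has identical issuer and subject and is therefore its own CA for `--cacert`, whereas a leaf whose issuer is different (the download.finratraqs.org case) needs the issuer's certificate in the bundle before curl can validate the chain. It assumes openssl and awk are on PATH; the certificate names in the demo helper are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Inspect a PEM bundle (e.g. what
# "openssl s_client -showcerts -connect host:443" prints) and report whether
# the chain ends in a self-signed certificate. Assumes openssl and awk.

# Split a PEM bundle ($1) into $2/cert1.pem, cert2.pem, ...; print the count.
split_pem() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END { print n + 0 }' "$1"
}

# Succeed when issuer and subject are identical, i.e. the cert is self-signed
# and can be handed to curl --cacert as its own CA.
is_self_signed() {
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    sub=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    [ "$iss" = "$sub" ]
}

# Print "complete" if the last cert in the bundle is self-signed (a root),
# "incomplete" if it is issued by something not in the bundle, "empty" otherwise.
chain_status() {
    dir=$(mktemp -d)
    count=$(split_pem "$1" "$dir")
    if [ "$count" -eq 0 ]; then status=empty
    elif is_self_signed "$dir/cert$count.pem"; then status=complete
    else status=incomplete
    fi
    rm -rf "$dir"
    echo "$status"
}

# Constructed demo material in $1: ca.pem (self-signed) and leaf.pem issued by it.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=download.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
}
```

Running `chain_status certs.pem` on a bundle saved from `openssl s_client -showcerts` prints "incomplete" for a server that, like the one in the thread, sends only its leaf, and "complete" once the issuing CA's certificate is appended, at which point `curl --cacert certs.pem https://host/` can validate without `-k`.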