curl-users

FTP over TLS with a client certificate

From: Alex Boag-Munroe <alex.munroe_at_ukcrd.com>
Date: Mon, 24 Sep 2012 12:20:59 +0100

Hi folks,

I'm trying to figure out how to get curl to ignore that the PEM client certificate for an FTP over TLS connection has expired. I've tried passing -k to the command line but everything seems to be getting hung up on the fact that the client cert expired today.

I'm aware that the proper solution is to get a new client certificate issued by the certificate authority; however, they're being incredibly slow about it and meanwhile we still need to be able to transfer files to the remote FTP.

Command line I'm using:

curl --insecure -v -S --ftp-ssl --ftp-method singlecwd --cacert /etc/SERVICE/cacert.pem --cert /etc/SERVICE/client-cert.pem:PASSWORD --key /etc/XXXX/client-key.pem --key-type PEM ftp://USER:PASSWORD\@HOST/remote/path/

Output as a result of using -v:

* About to connect() to HOST port 21 (#0)
* Trying IPADDRESS...
* connected
* Connected to HOST (IPADDRESS) port 21 (#0)
< 220 (IBM WebSphere DataPower)
> AUTH SSL
< 504 unknown security mechanism
> AUTH TLS
< 234 AUTH TLS OK starting TLS negotiation
* successfully set certificate verify locations:
* CAfile: /etc/SERVICE/cacert.pem
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
* Closing connection #0
curl: (35) error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired

There's some issue with the people who issue the certificates and they're not being particularly helpful because "other people can still connect to us fine despite the cert being expired".

So I'm curious as to how this can be overridden, if at all, via curl.

Thank you ever so much for any assistance.

Received on 2012-09-24