curl-library

Ftps

From: Luiz Rafael Culik Guimaraes <luiz_at_xharbour.com.br>
Date: Tue, 13 Sep 2005 14:28:17 -0300

Dear Friends,

I have some problems with FTPS and my self-signed certificate.
Below is the FTP transaction (from running a modified ftpupload sample to use
SSL):

* About to connect() to localhost port 21
* Trying 127.0.0.1... * connected
* Connected to localhost (127.0.0.1) port 21
< 220 ProFTPD 1.3.0rc2 Server (ProFTPD Default Installation)
[::ffff:127.0.0.1]
> AUTH TLS
< 234 AUTH TLS successful
* successfully set certificate verify locations:
* CAfile: /usr/local/share/curl/curl-ca-bundle.crt
  CApath: none
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: /C=BR/ST=Rio Grande do Sul/L=Sao Lepoldo/O=xHarbour
brasil/OU=xharbour/CN=localhost/emailAddress=luiz_at_xharbour.com.br
* start date: 2005-09-13 15:02:22 GMT
* expire date: 2010-09-12 15:02:22 GMT
* issuer: /C=BR/ST=Rio Grande do Sul/L=Sao Leopoldo/O=xHarbour
brasil/OU=xharbour/CN=localhost/emailAddress=luiz_at_xharbour.com.br
* SSL certificate verify result: error number 1 (19), continuing anyway.
> USER rafael
< 331 Password required for rafael.
> PASS kl6qaxv9
< 230 User rafael logged in.
> PBSZ 0
< 200 PBSZ 0 successful
> PROT P
< 200 Protection set to Private
> PWD
< 257 "/" is current directory.
* Entry path is '/'
> EPSV
* Connect data stream passively
< 229 Entering Extended Passive Mode (|||1037|)
* Trying 127.0.0.1... * connected
* Connecting to 127.0.0.1 (127.0.0.1) port 1037
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
* CAfile: /usr/local/share/curl/curl-ca-bundle.crt
  CApath: none
* SSL re-using session ID
* Unknown SSL protocol error in connection to localhost:21
* Uploaded unaligned file size (0 out of 577736507914191548 bytes)
* Closing connection #0

Server certificate created with the scripts below:
#!/bin/sh
# server key (passphrase-protected) plus an unencrypted copy for the daemon
openssl genrsa -des3 -out server.key 1024
openssl rsa -in server.key -out server.key.unsecure
# certificate signing request for the server
openssl req -new -key server.key -out server.csr
#openssl req -noout -text -in server.csr
# CA key and self-signed CA certificate
openssl genrsa -des3 -out ca.key 1024
#openssl rsa -noout -text -in ca.key
openssl rsa -in ca.key -out ca.key.unsecure
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
#openssl x509 -noout -text -in ca.crt
# sign the server request with the CA (sign.sh, shown below)
./sign.sh server.csr
and signed with
#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##

# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
       * ) CERT="$CSR.crt" ;;
esac

# make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

# create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
certs = \$dir
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
RANDFILE = \$dir/ca.db.rand
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
unique_subject = no
# default key expiry set to 5 years but can be changed
default_days = 1825
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT

# sign the certificate with the CA key/cert referenced in ca.config
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt "$CERT"

# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

# die gracefully
exit 0

Also, with these same certificates, I can connect via HTTPS and to my
PostgreSQL server without problems.

Regards
Luiz Rafael Culik Guimaraes
www.xharbour.com.br
Received on 2005-09-13
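A check over the verbose trace quoted in the mail, written as an added example (it is not part of the mail and not curl's own code): it pairs each FTP command with the server's reply code and pulls out the facts a reviewer would want from such a log, namely that the control channel was upgraded with AUTH TLS, that PROT P was accepted, that the self-signed server certificate was reported but not enforced, that the data-stream handshake never completed, and that the reported upload size is implausible. Assumptions: the trace excerpt is constructed from the lines above, and the code-to-name mapping for the verify result comes from OpenSSL's X509 error table.

```python
import re

# Constructed excerpt of the libcurl verbose trace quoted in the mail above
SAMPLE_TRACE = """\
> AUTH TLS
< 234 AUTH TLS successful
* SSL connection using DHE-RSA-AES256-SHA
* SSL certificate verify result: error number 1 (19), continuing anyway.
> PROT P
< 200 Protection set to Private
* Doing the SSL/TLS handshake on the data stream
* SSL re-using session ID
* Unknown SSL protocol error in connection to localhost:21
* Uploaded unaligned file size (0 out of 577736507914191548 bytes)
"""

# OpenSSL X509 verify codes that libcurl prints in the "(NN)" field of the verify line
X509_VERIFY_NAMES = {18: "self-signed leaf certificate",
                     19: "self-signed certificate in chain (CA not trusted)"}

def analyze_ftps_trace(trace):
    lines = trace.splitlines()
    # Pair each command the client sent ("> CMD") with the server's reply code ("< NNN")
    replies, last_cmd = {}, None
    for line in lines:
        if line.startswith("> "):
            last_cmd = line[2:].strip()
        elif line.startswith("< ") and last_cmd is not None:
            replies[last_cmd] = int(line[2:5])
            last_cmd = None
    out = {"explicit_tls": replies.get("AUTH TLS") == 234,       # control channel upgraded
           "data_channel_private": replies.get("PROT P") == 200,  # data channel must use TLS
           "cipher": None, "verify_bypassed": None, "size_implausible": False}
    for line in lines:
        m = re.match(r"\* SSL connection using (\S+)", line)
        if m:
            out["cipher"] = m.group(1)
        # libcurl only "continues anyway" after a verify error when peer verification is off
        m = re.match(r"\* SSL certificate verify result: .*\((\d+)\), continuing anyway", line)
        if m:
            code = int(m.group(1))
            out["verify_bypassed"] = X509_VERIFY_NAMES.get(code, "X509 verify error %d" % code)
        m = re.match(r"\* Uploaded unaligned file size \(\d+ out of (\d+) bytes\)", line)
        if m and int(m.group(1)) > 2 ** 40:  # > 1 TiB: the upload size was never set properly
            out["size_implausible"] = True
    # A data-stream handshake followed by a protocol error means the data channel never came up
    out["data_handshake_failed"] = ("* Doing the SSL/TLS handshake on the data stream" in lines
                                    and any(l.startswith("* Unknown SSL protocol error") for l in lines))
    return out
```

Run against the mail's trace, the result shows verification bypassed on code 19 (the CA that signed the server certificate is not in the configured bundle), a negotiated but failed TLS data channel, and a garbage upload size that points at the modified sample rather than at the server.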