curl-library

Re: Unknown SSL protocol error in connection

From: <Jeff_Curley_at_playstation.sony.com>
Date: Mon, 24 Nov 2008 18:08:50 -0800

Well what we are trying to accomplish is to get SSL working on CellOS so
that a PS3 user can hit a https server set of our own creation that
performs webservices. Currently we use our own hand written HTTP client
that has no support for SSL but it is convenient because it cross compiles
on WIN32, LINUX, PS2, PSP, and PS3. On the server side turning on SSL
support is trivial.

We started looking at libcurl because it already interfaces an SSL client,
and frankly we weren't sure how much work there is involved in getting our
own hand written HTTP client to use an SSL solution. My first step was to
try and get libcurl building on CellOS (PS3) and then get OpenSSL (or some
other SSL solution) working on CellOS and attempt to get it hooked into
libcurl.

I'm not sure where we'll go from here; honestly, we still may try
incorporating our own in-house SSL solution (one exists, we just haven't
evaluated it yet) with our own hand written HTTP client simply because of
the cross compiling abilities that our own libraries have, not to mention
that our library sizes are considerably smaller than libcurl and OpenSSL.

But basically we aren't trying to verify that our server is who it says it
is as much as we are trying to have our servers trust that our clients are
who they say they are to prevent "replay" or "man in the middle attacks".

Hope this helps and thanks for the response. :)

--Jeff Curley
Sony Computer Entertainment America
Senior Programmer
(858) 824-5692

                                                                           
             Brian Dessent
             <brian_at_dessent.ne
             t> To
             Sent by: libcurl development
             curl-library-boun <curl-library_at_cool.haxx.se>
             ces_at_cool.haxx.se cc
                                                                           
                                                                   Subject
             11/24/2008 05:41 Re: Unknown SSL protocol error in
             PM connection
                                                                           
                                                                           
             Please respond to
                  libcurl
                development
             <curl-library_at_coo
                l.haxx.se>
                                                                           
                                                                           

Jeff_Curley_at_playstation.sony.com wrote:

> --trace-ascii -k --cacert /app_home/mycert.pem --url
> https://www.fortify.net/sslcheck.html
> [...]
> == Info: SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> [...]
> so exactly what do I need to do to test this? This is definitely something
> I'll have to post at the OpenSSL forums, but I was hoping (with my
> ignorance of SSL) someone might be able to give me some pointers without me
> having to post to the OpenSSL people asking something completely ignorant.

I think you are misunderstanding what is being verified. The thing that
you pass with --cacert should be a bundle of CA certificates to verify
the remote site. Thus, www.fortify.net presents your end with its
certificate and libcurl uses the thing provided by --cacert to verify
that www.fortify.net is who they say they are according to some
well-known certificate authority (CA) who signed their cert. If you
don't have that well-known authority's certificate (in this case
Godaddy) in your CA bundle, then you can't verify that www.fortify.net
is who they say they are.

It seems like you have generated a self-signed certificate and passed
that as --cacert. That doesn't make any sense. A self-signed
certificate can do nothing to verify the certificate that
www.fortify.net is presenting, which is all that curl is trying to do.
(Also, passing -k and --cacert both at the same time makes no sense
either; they are saying opposite things.)

What is it exactly that you are trying to achieve?

Do you want to access public https: sites and verify their certificates
to know with certainty that they are who they say they are? Then you
need to use a bundle containing root certs of all the well-known and
trusted public CAs, such as what comes with your browser (or from
<http://curl.haxx.se/docs/caextract.html>).

Do you want to set up your own https: site, with a fake snake oil
self-signed cert for testing? In that case, you need to generate your
own snake oil CA, then generate and sign your server's cert with that
CA's cert, then install the resulting cert on the server, and then hit
that server's https: url with curl, passing your CA's cert to curl with
--cacert so it can use it to verify the cert that your server presents.
The commands to do all these things are a little complicated but they're
all covered in the openssl documentation.

Brian
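The CA-then-server-cert procedure Brian outlines, worked through with openssl as an added example (not from either poster): it builds a throwaway test CA, signs a server certificate with it, and then runs the same chain check libcurl performs with --cacert, once against the signing CA and once against an unrelated self-signed cert like the mycert.pem in the original command. Directory, file and subject names are made up here, and `openssl verify` stands in for the live curl connection.

```shell
#!/bin/sh
# Throwaway "snake oil" CA, a server cert signed by it, and two verification
# runs. Added example; all names below are constructed for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# Step 1: the private CA. A self-signed cert whose job is to sign other certs.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Snake Oil Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Step 2: server key and CSR, then sign the CSR with the CA's key.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=test.example.invalid" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# An unrelated self-signed cert: it signed nothing, so it can vouch for nothing.
make_unrelated_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Unrelated Self-Signed" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# Step 3: the check libcurl's --cacert does. $1 = CA bundle, $2 = presented
# cert. Prints "ok" when the bundle contains the issuer, "fail" otherwise.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_ca
make_server_cert
make_unrelated_selfsigned
echo "bundle = signing CA:        $(verify_against "$WORK/ca.pem" "$WORK/server.pem")"
echo "bundle = unrelated selfsig: $(verify_against "$WORK/other.pem" "$WORK/server.pem")"
# With server.pem/server.key installed on the test server, the matching
# client call is: curl --cacert "$WORK/ca.pem" https://test.example.invalid/
```

The second run fails with "unable to get local issuer certificate", which is the situation the quoted "certificate verify failed" trace describes.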
Received on 2008-11-25