Ralph Mitchell | 1 Nov 02:13 2011

Re: alert certificate expired

On Mon, Oct 31, 2011 at 6:16 PM, Steven Shourds <srs <at> perfectionsoftware.com> wrote:
On Mon, Oct 31, 2011 at 05:20:30PM -0400, Steven Shourds wrote:
> [Steve Shourds] yes, we have been looking for an expired certificate, but
> cannot find any expired certificates.
>
> So what command would I use with the -v option? And on what certificate?
> Thanks...

It's a curl option:

$ curl -I -v https://www.google.com
* About to connect() to www.google.com port 443 (#0)
*   Trying 173.194.33.18... connected
* Connected to www.google.com (173.194.33.18) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
*        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
*        start date: 2009-12-18 00:00:00 GMT
*        expire date: 2011-12-18 23:59:59 GMT
*        common name: www.google.com (matched)
*        issuer: C=ZA; O=Thawte Consulting (Pty) Ltd.; CN=Thawte SGC CA
*        SSL certificate verify ok.

Expect to see a new Google certificate within the next 48 days.

>>> Dan

[Steve Shourds]
[Steve Shourds] Here is the output. I still don't get what the problem is?
C:\TECH\curl>curl -I -v https://omsjms.asp.dupont.com/Comergent/jmsorders
--insecure


How do you normally connect to that site??   Do you have a client certificate for authenticating to the server??

Ralph Mitchell
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Dan Fandrich | 1 Nov 03:25 2011

Re: alert certificate expired

On Mon, Oct 31, 2011 at 06:16:55PM -0400, Steven Shourds wrote:
> [Steve Shourds] Here is the output. I still don't get what the problem is?
> C:\TECH\curl>curl -I -v https://omsjms.asp.dupont.com/Comergent/jmsorders
> --insecure
> * About to connect() to omsjms.asp.dupont.com port 443 (#0)
> *   Trying 52.124.17.140... connected
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server key exchange (12):
> * SSLv3, TLS handshake, Request CERT (13):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using DHE-RSA-AES256-SHA
> * Server certificate:
> *        subject: serialNumber=Gj5XnCfnoH6SzZfJXkP4vACh3vr23qrm; C=US; O=omsjms.asp.dupont.com; OU=GT23791432; OU=See www.geotrust.com/resources/cps (c)10; OU=Domain Control Validated - QuickSSL(R) Premium; CN=omsjms.asp.dupont.com
> *        start date: 2010-09-13 18:23:54 GMT
> *        expire date: 2011-11-15 22:33:27 GMT
> *        subjectAltName: omsjms.asp.dupont.com matched
> *        issuer: C=US; O=GeoTrust Inc.; OU=Domain Validated SSL; CN=GeoTrust DV SSL CA
> *        SSL certificate verify result: unable to get local issuer certificate (

Here's the problem.

> 20), continuing anyway.
> > HEAD /Comergent/jmsorders HTTP/1.1
> > User-Agent: curl/7.22.0 (i386-pc-win32) libcurl/7.22.0 OpenSSL/0.9.8r zlib/1.2.5
> > Host: omsjms.asp.dupont.com
> > Accept: */*

I see you're running this on Windows. That platform has no certificate bundle
installed by default that is usable by curl. Have you installed one yourself?
http://curl.haxx.se/docs/sslcerts.html

>>> Dan

Steven Shourds | 1 Nov 12:29 2011

RE: alert certificate expired

On Mon, Oct 31, 2011 at 6:16 PM, Steven Shourds <srs <at> perfectionsoftware.com> wrote:

On Mon, Oct 31, 2011 at 05:20:30PM -0400, Steven Shourds wrote:
> [Steve Shourds] yes, we have been looking for an expired certificate, but
> cannot find any expired certificates.
>

[Steve Shourds]
[Steve Shourds] Here is the output. I still don't get what the problem is?
C:\TECH\curl>curl -I -v https://omsjms.asp.dupont.com/Comergent/jmsorders
--insecure

How do you normally connect to that site??   Do you have a client certificate for authenticating to the server??

Ralph Mitchell

[Steve Shourds] Yes.

[Steve Shourds] C:\TECH\curl>curl -v https://omsjms.asp.dupont.com/Comergent/jmsorders -E C:\Dupont\Certs\NewVerCert20090528\Ver2009.pem

* About to connect() to omsjms.asp.dupont.com port 443 (#0)
*   Trying 52.124.17.140... connected
* successfully set certificate verify locations:
*   CAfile: C:\TECH\curl\curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
* Closing connection #0
curl: (35) error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired

But my client certificate is not expired. It is good until 6/19/2012. Is there a command I can run on my client certificate to validate all that?

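Steve asks above for a command that validates his client certificate. The following is an added example, not from the thread or the curl project: it builds a throwaway CA whose validity ends before the client certificate it signs, then checks the certificate first leaf-only (the "expire date" line in curl -v) and then as a full chain with openssl verify, which is the check the server actually performs. All names, lifetimes and paths are constructed; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway CA whose validity ends before
# the leaf it signs. The leaf's own "expire date" passes, yet the chain fails,
# which is what a peer sending "alert certificate expired" sees. All names constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# CA valid 1 day signs a client cert valid 30 days: the leaf outlives its issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
  -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -out client.pem >/dev/null 2>&1

# Leaf-only check (what reading the notAfter line tells you): exit 0 if the
# client certificate is still valid $1 seconds from now.
leaf_valid_for_seconds() {
  openssl x509 -in client.pem -noout -checkend "$1" >/dev/null 2>&1
}

# Chain check (what the server does): the leaf AND every issuer must be within
# validity at Unix time $1. Exit 0 on success.
chain_valid_at() {
  openssl verify -CAfile ca.pem -attime "$1" client.pem >/dev/null 2>&1
}

now=$(date +%s)
in_ten_days=$((now + 10 * 86400))

report() {
  if leaf_valid_for_seconds $((10 * 86400)); then
    echo "leaf notAfter, 10 days out: still valid"
  fi
  if chain_valid_at "$in_ten_days"; then
    echo "chain, 10 days out: OK"
  else
    echo "chain, 10 days out: FAILS although the leaf is valid (issuer expired)"
    # openssl reports the expiry at depth 1, i.e. the issuer, not the leaf
    openssl verify -CAfile ca.pem -attime "$in_ten_days" client.pem 2>&1 | grep -i expired || true
  fi
}
report
```

Run the same two checks against a real client certificate by swapping in its PEM file and the bundle containing its issuer; a leaf that passes -checkend but fails verify points at an expired issuer in the chain.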
Seamus Abshere | 2 Nov 04:12 2011

FTPS upload to SecureTransport (SITE AUTH ok, but client certificates not working?)

hi all,

curl doesn't seem to be sending my client certificates:

myuser <at> myserver ~ $ curl -v --ftp-ssl --cert mycert.crt --key mykey.pem --ftp-alternative-to-user "SITE AUTH" -T helloworld.txt ftp://ftp.example.com:9876/upload/
* About to connect() to ftp.example.com port 9876 (#0)
*   Trying 1.2.3.4... connected
* Connected to ftp.example.com (1.2.3.4) port 9876 (#0)
< 220 msn1 FTP server (SecureTransport 4.5.1) ready.
> AUTH SSL
< 334 SSLv23/TLSv1
* found 142 certificates in /etc/ssl/certs/ca-certificates.crt
> USER anonymous
< 331 Password required for anonymous.
> PASS ftp <at> example.com
< 530 Login incorrect.
> SITE AUTH
< 530 No client certificate presented.
* Access denied: 530
* Closing connection #0
curl: (67) Access denied: 530

I put a more complete version of my question on ServerFault.

Thanks,
Seamus

-- Seamus Abshere 123 N Blount St Apt 403 Madison, WI 53703 1 (201) 566-0130
1983-01-06 | 3 Nov 10:29 2011

Confusing options with --negotiate

Hi folks,

I have finally managed to compile cURL 7.22 with Negotiate support but spent some stupid hours to figure out
that I need to pass '-u :' as fake option.
What is the reason behind this? This is quite confusing. Negotiate should work transparently without that
fake switch.

Thanks,

Mike
Daniel Stenberg | 3 Nov 10:32 2011

Re: Confusing options with --negotiate

On Thu, 3 Nov 2011, 1983-01-06 <at> gmx.net wrote:

> I have finally managed to compile cURL 7.22 with Negotiate support but spent 
> some stupid hours to figure out that I need to pass '-u :' as fake option. 
> What is the reason behind this? This is quite confusing. Negotiate should 
> work transparently without that fake switch.

KNOWN_BUGS #10:

10. To get HTTP Negotiate authentication to work fine, you need to provide a
   (fake) user name (this concerns both curl and the lib) because the code
   wrongly only considers authentication if there's a user name provided.
   http://curl.haxx.se/bug/view.cgi?id=1004841. How?
   http://curl.haxx.se/mail/lib-2004-08/0182.html

-- 
  / daniel.haxx.se

1983-01-06 | 3 Nov 10:53 2011

Re: Confusing options with --negotiate

> On Thu, 3 Nov 2011, 1983-01-06 <at> gmx.net wrote:
> 
> > I have finally managed to compile cURL 7.22 with Negotiate support but
> spent 
> > some stupid hours to figure out that I need to pass '-u :' as fake
> option. 
> > What is the reason behind this? This is quite confusing. Negotiate
> should 
> > work transparently without that fake switch.
> 
> KNOWN_BUGS #10:
> 
> 10. To get HTTP Negotiate authentication to work fine, you need to provide
> a
>    (fake) user name (this concerns both curl and the lib) because the code
>    wrongly only considers authentication if there's a user name provided.
>    http://curl.haxx.se/bug/view.cgi?id=1004841. How?
>    http://curl.haxx.se/mail/lib-2004-08/0182.html

That was quick! Thanks for the enlightenment. This is a long-standing bug. I assume that there is no timeframe
for this?! I'd be more than happy to test a patch in our environment.

Quoting your mail:
"Since I have no server or tests that use HTTP Negotiate I need some input from
someone who does: how do we know if we have Negotiate-credentials enough to use
the Negotiate authentication (as an alternative for checking for a set user
name)?"

You could take the same approach libneon does. It simply assumes that the credential cache is available,
tries to negotiate, and fails silently if there is none. Their source is pretty simple to understand.
Have a look at ne_auth.c line 505 [1] and following.

Mike

[1] http://svn.webdav.org/repos/projects/neon/tags/0.29.6/src/ne_auth.c

Daniel Stenberg | 3 Nov 11:03 2011

Re: Confusing options with --negotiate

On Thu, 3 Nov 2011, 1983-01-06 <at> gmx.net wrote:

> That was quick! Thanks for the enlightment. This is a long standing bug. I 
> assume that there is no timeframe for this?!

I don't have any plans to work on this in the near future at least, no.

> You could take on the same approach libneon does. It simply assumes that the 
> credential cache is available and tries to negotiate and fail silently if 
> there is none.

Possibly, thanks for pointing out how the neon guys do it. I haven't really 
considered all the consequences of such an action.

There's nothing stopping anyone else from grabbing the issue and working on a fix!

-- 
  / daniel.haxx.se

1983-01-06 | 3 Nov 11:17 2011

Re: Confusing options with --negotiate

> On Thu, 3 Nov 2011, 1983-01-06 <at> gmx.net wrote:
>
> > You could take on the same approach libneon does. It simply assumes that
> the 
> > credential cache is available and tries to negotiate and fail silently
> if 
> > there is none.
> 
> Possibly, thanks for pointing out how the neon guys do it. I haven't
> really 
> considered all the consequences of such an action.
> 
> There's nothing stopping anyone else to grab the issue and work on a fix!

I might take this on in mid-future as soon as I gain some C proficiency. ;-)

Thanks anyway!

Daniel Stenberg | 3 Nov 22:54 2011

Re: FTPS upload to SecureTransport (SITE AUTH ok, but client certificates not working?)

On Tue, 1 Nov 2011, Seamus Abshere wrote:

> curl doesn't seem to be sending my client certificates:

What curl version and what SSL library is this?

-- 
  / daniel.haxx.se