
Re: creating a PEM file

From: Ralph Mitchell <rmitchell_at_eds.com>
Date: Fri, 14 Feb 2003 07:17:14 -0600

OK, my understanding of how this works is:

The remote site has a certificate, signed by somebody. You may or may not
trust the signer. The signer's certificate is signed by someone else, and
you may or may not trust them. And so on up the chain of certificates,
until you finally reach 1) the top; 2) someone you trust.

If you get to the top of the chain and haven't found someone you trust, you
bail out, fast...

If you find someone you trust in the chain, then you believe you can trust
the other signers, all the way down to the remote server.

OK, so how do you know who you trust? That's where the ca-bundle.crt comes
in. If you can find that file someplace, it will contain a bunch of
certificates that form the very top of the chain of trust. You'll find
certs from Verisign, Thawte, and others.

So, when I tried the connection, I got this:

* Establish HTTP proxy tunnel to securesms.co.za:443
* Proxy replied to CONNECT request
* SSL connection using EDH-RSA-DES-CBC3-SHA
* Server certificate:
* subject: /C=ZA/ST=Western Cape/L=Cape Town/O=ITouch South Africa Pty Ltd/OU=iTouch SA/CN=securesms.co.za
* start date: 2003-01-21 11:43:57 GMT
* expire date: 2005-01-10 12:17:30 GMT
* common name: securesms.co.za (matched)
* issuer: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/Email=server-certs_at_thawte.com

In other words, Thawte issued the certificate to SecureSMS, and because I
have a certificate in my ca-bundle.crt, I can validate that I am indeed
talking to SecureSMS, therefore I trust them.

Or something like that...

So, in a nutshell, you don't have to download the certificate from the
remote server, you just have to find the ca-bundle.crt that validates the
top end of the various chains of signers. Look at it this way - if you
downloaded the cert, how would you know that it came from the real remote
server, not from some man-in-the-middle? And you'd also have to download
certs from every single secure server you ever deal with...

Ralph

Johnny Vergeer wrote:

> Hi Ralph & Daniel
>
> Thanx for the feedback so far.
>
> Ralph, do I then somehow have to add the REMOTE Secure WebSite's
> Certificate to this "ca-bundle.crt" file? If yes, how?
>
> Daniel, I'm fairly certain that I'm saving the REMOTE site's Certificate
> (and not my OWN). Using MS IE6, at the secure Web page, I double click
> on the "lock icon". This brings up the "Certificate details dialog" box.
> Under the Details Tab, I can see that the information listed is for
> the REMOTE site.
>
> From the Details Tab, I use the "Copy to File" button, and this brought
> up the "Certificate Export Wizard" as described in my original posting.
>
> I'm sure once we have this figured out, it will all seem real simple,
> but for now I'm still in the dark.
>
> Best Regards
> Johnny
>
> -----Original Message-----
> From: Ralph Mitchell [mailto:rmitchell_at_eds.com]
> Sent: 14 February 2003 01:54 PM
> To: curl-users_at_lists.sourceforge.net
> Subject: Re: creating a PEM file
>
> It's related to the ca-cert-bundle.crt either not being installed or not
> being found where curl expects it to be... I've got a Win98 laptop here with
> c:\curl-7.10.2-win32 and the cert file is stashed away under
> c:\curl-7.10.2-win32\lib. So, do a search for the ca-bundle.crt file and
> change your config file to match.
>
> On my laptop, this worked for me:
>
> --cacert c:\curl-7.10.2-win32\lib\ca-bundle.crt
>
> Your mileage will vary due to the different release of curl you're using.
>
> Ralph Mitchell
>
> Daniel Stenberg wrote:
>
> > On Thu, 13 Feb 2003, Johnny Vergeer wrote:
> >
> > > Sorry if this has been covered before - I could not find details in the
> > > FAQ.
> >
> > Ah, no it isn't really clarified there and if you have any clever ideas of
> > how to do this after my reply, feel free to suggest!
> >
> > > I need to create a PEM file to "Ensure the identity of a remote computer"
> > > ...
> >
> > Not just "a PEM file". PEM is just a file format to use for certificates.
> > There are different certificates, and if YOU want to ensure that the REMOTE
> > server is who it tells you it is, you need a CA cert to verify the server's
> > cert against.
> >
> > > Using MS IE 6.0, I used the "Certificate Export Wizard" to create a PKCS#7
> > > file from the Certificate in question. (Also tried the DER and Base-64
> > > X.509 types)
> >
> > This is YOUR private certificate that you use in connections, and the server
> > will use this to check that YOU are who you say you are. This cannot be used
> > to verify the server with.
> >
> > > * SSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> > > verify failed
> >
> > ... and that's why the connection fails, because your certificate could not
> > be used to verify the server's.
> >
> > > Using the -k option allows me to connect to the site without any problem -
> > > but I guess that does defeat the object somewhat :-)
> >
> > Right, it makes you accept the connection to the server, regardless of what
> > kind of man-in-the-middle attack that is going on.
> >
> > You need to get a CA cert for the server. I don't know how to proceed to do
> > this.
> >
> > (I'm not a SSL wizard, this is all information as I have perceived it, I may
> > be wrong in details or in general, but I don't think I am.)
> >
> > --
> > Daniel Stenberg -- curl, cURL, Curl, CURL. Groks URLs.
> >
> > -------------------------------------------------------
> > This SF.NET email is sponsored by: FREE SSL Guide from Thawte
> > are you planning your Web Server Security? Click here to get a FREE
> > Thawte SSL guide and find the answers to all your SSL security issues.
> > http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en

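The chain walk Ralph describes above (start at the server's certificate, follow issuer links upward, stop as soon as a signer from the ca-bundle is met, bail out if the top is reached without one) as an added, runnable model. This is example code, not anything from the curl project or from the people on this thread. Real X.509 chains are verified with RSA/ECDSA signatures over DER-encoded certificates; here a keyed HMAC stands in for the issuer's signature, and the `key` field both signs and verifies, so it is a symmetric stand-in that shows the structure of the check rather than the cryptography. All names, keys and dates below are constructed for the example; the subject and issuer names and the server's validity dates are copied from the curl output quoted earlier, and "CN=Unknown CA", the intermediate CA and the helper names are invented. It goes a little beyond the mail by also checking the validity period, which curl prints as "start date" and "expire date", and by walking through an intermediate CA.

```python
"""Toy model of the chain-of-trust walk described in the thread (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime

MAX_DEPTH = 8  # guard against looping or absurdly long chains


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    key: bytes        # toy stand-in for the subject's public key
    signature: bytes  # HMAC by the issuer's key over the fields above


def _to_be_signed(subject, issuer, not_before, not_after, key):
    return "|".join([subject, issuer, not_before.isoformat(),
                     not_after.isoformat(), key.hex()]).encode()


def issue(subject, issuer_name, issuer_key, subject_key, not_before, not_after):
    """Create a certificate for `subject`, signed with the issuer's key."""
    tbs = _to_be_signed(subject, issuer_name, not_before, not_after, subject_key)
    sig = hmac.new(issuer_key, tbs, hashlib.sha256).digest()
    return Cert(subject, issuer_name, not_before, not_after, subject_key, sig)


def signed_by(cert, issuer):
    """Does `issuer`'s key verify the signature on `cert`?"""
    tbs = _to_be_signed(cert.subject, cert.issuer, cert.not_before, cert.not_after, cert.key)
    expected = hmac.new(issuer.key, tbs, hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def with_subject(cert, subject):
    """Copy of `cert` with a different subject and the original signature (tampered)."""
    return replace(cert, subject=subject)


def validate(leaf, intermediates, trust_store, now):
    """Walk from the server's cert toward the top of the chain.

    Returns (ok, reason). Success means every link verified and the walk met
    an issuer present in `trust_store` (the ca-bundle). Reaching the top
    without a trusted signer, an expired cert, or a bad signature all fail.
    """
    by_subject = {c.subject: c for c in intermediates}
    anchors = {c.subject: c for c in trust_store}
    cert = leaf
    for _ in range(MAX_DEPTH):
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: outside validity period"
        if cert.issuer in anchors:
            anchor = anchors[cert.issuer]
            if not signed_by(cert, anchor):
                return False, f"{cert.subject}: signature by {anchor.subject} does not verify"
            return True, f"{cert.subject}: chain ends at trusted CA {anchor.subject}"
        if cert.issuer == cert.subject:
            return False, f"{cert.subject}: self-signed top of chain, not in the trust store"
        issuer = by_subject.get(cert.issuer)
        if issuer is None:
            return False, f"{cert.subject}: issuer {cert.issuer!r} not available, certificate verify failed"
        if not signed_by(cert, issuer):
            return False, f"{cert.subject}: signature by {issuer.subject} does not verify"
        cert = issuer
    return False, "chain too long"


# Constructed sample data. Names and the server's dates mirror the curl output
# quoted in the mail; the keys, the intermediate CA and "CN=Unknown CA" are invented.
THAWTE_KEY, INTER_KEY = b"constructed-thawte-root-key", b"constructed-intermediate-key"
SERVER_KEY, ROGUE_KEY = b"constructed-securesms-key", b"constructed-unknown-ca-key"

THAWTE_ROOT = issue("CN=Thawte Server CA", "CN=Thawte Server CA", THAWTE_KEY, THAWTE_KEY,
                    datetime(1996, 8, 1), datetime(2020, 12, 31))
SERVER_CERT = issue("CN=securesms.co.za", "CN=Thawte Server CA", THAWTE_KEY, SERVER_KEY,
                    datetime(2003, 1, 21, 11, 43, 57), datetime(2005, 1, 10, 12, 17, 30))
# Same server name, but signed by a CA that is not in the bundle.
ROGUE_CERT = issue("CN=securesms.co.za", "CN=Unknown CA", ROGUE_KEY, SERVER_KEY,
                   datetime(2003, 1, 21), datetime(2005, 1, 10))
# A two-hop chain: root -> intermediate -> leaf.
INTER = issue("CN=Example Intermediate CA", "CN=Thawte Server CA", THAWTE_KEY, INTER_KEY,
              datetime(2002, 1, 1), datetime(2010, 1, 1))
LEAF2 = issue("CN=example.test", "CN=Example Intermediate CA", INTER_KEY, b"constructed-leaf-key",
              datetime(2003, 1, 1), datetime(2004, 1, 1))

MAIL_DATE = datetime(2003, 2, 14, 7, 17, 14)  # when the mail above was sent
EXPIRED_DATE = datetime(2006, 1, 1)           # after the server cert's expire date

if __name__ == "__main__":
    bundle = [THAWTE_ROOT]
    print(validate(SERVER_CERT, [], bundle, MAIL_DATE))                          # ok
    print(validate(SERVER_CERT, [], [], MAIL_DATE))                              # empty bundle
    print(validate(ROGUE_CERT, [], bundle, MAIL_DATE))                           # unknown CA
    print(validate(SERVER_CERT, [], bundle, EXPIRED_DATE))                       # expired
    print(validate(with_subject(SERVER_CERT, "CN=other.test"), [], bundle, MAIL_DATE))  # tampered
    print(validate(LEAF2, [INTER], bundle, MAIL_DATE))                           # via intermediate
    print(validate(LEAF2, [], bundle, MAIL_DATE))                                # intermediate missing
```

The "empty bundle" and "unknown CA" cases are the situation Daniel's quoted `certificate verify failed` error reports: the server's cert may be perfectly genuine, but nothing in the ca-bundle vouches for its signer, so the client cannot tell it from a man-in-the-middle's cert and refuses. Using `-k` corresponds to skipping `validate()` entirely.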
Received on 2003-02-14