
Re: Verifying self signed certificates

From: Ralph Mitchell <ralphmitchell_at_gmail.com>
Date: Sat, 21 Jan 2012 02:09:55 -0500

On Fri, Jan 20, 2012 at 1:08 PM, Shivam Patel <shivam.unleashed_at_gmail.com> wrote:

> Hi All,
> I need to verify the server certificate for a server that sends a
> self-signed certificate. I am using the curl command line tool.
> I read http://curl.haxx.se/mail/archive-2011-02/0049.html in which
> Daniel says there is no way we can do it over command line (or so I
> inferred).
>
> Can someone tell me a way I can verify this certificate? As mentioned in
>
> http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/ , I
> added the PEM key to my CA cert store, but even that doesn't work for me.
>
> I reckon the problem is that I need to add the CA certificate to the
> certificate store (or for --cacert option) and not the Server Certificate.
> For a self-signed certificate, there is no CA - does that mean that the
> certificate itself can be deemed the CA certificate?
>

I have a server at home that uses a certificate signed by my own internal
CA, which has its own self-signed certificate. I just tried accessing the
server with curl:

     curl -v https://server.domain.com/

and got back

     * Peer certificate cannot be authenticated with known CA certificates

Then I went to the server, pulled its CA cert and saved it locally and
tried again:

     curl -v --cacert ca.pem https://server.domain.com/

and it validated OK, so curl can definitely handle a self-signed CA.
Actually, if you follow the CA chain from any server cert you'll find a
self-signed certificate from Verisign, Thawte, or whomever. So, if your
server certificate is self-signed you ought to be able to save a copy and
use it with the --cacert flag.

As I read Daniel's email that you referenced, what he's saying is that he
doesn't know a convenient way to pull the server's CA cert rather than the
server's own cert. I think this may do it:

     openssl s_client -showcerts -connect server.com:443 > certs.pem

You can then use certs.pem in my previous curl command line.

Ralph Mitchell
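The two cases discussed in this thread, worked through offline as an added example (this is not code from the thread or from the curl project): a server certificate issued by an internal self-signed CA, which verifies only against the CA certificate and not against a copy of the server certificate itself, and a genuinely self-signed server certificate, which verifies against a copy of itself. Instead of a live server, the script builds a constructed file in the same shape as `openssl s_client -showcerts` output, splits the PEM blocks out of it, picks the self-signed one (subject equals issuer) as the trust anchor, and checks the leaf with `openssl verify -CAfile`, which is the same chain check `curl --cacert` performs. The host names, subjects and the `$WORK` directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Requires only openssl.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Case 1: an internal CA (self-signed) that issues the server certificate.
# Names are constructed for the example.
make_ca_signed_server() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 30 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.domain.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/server.pem" -days 30 2>/dev/null
}

# Case 2: a server certificate that is itself self-signed (no separate CA).
make_self_signed_server() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=self.domain.com" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" -days 30 2>/dev/null
}

# Constructed stand-in for `openssl s_client -showcerts -connect host:443 > certs.pem`:
# the chatter lines and the server chain (leaf first, then its issuer).
make_showcerts_bundle() {
  {
    echo "CONNECTED(00000003)"
    echo "---"
    echo "Certificate chain"
    echo " 0 s:CN = server.domain.com"
    cat "$WORK/server.pem"
    echo " 1 s:CN = Example Internal CA"
    cat "$WORK/ca.pem"
    echo "---"
  } > "$WORK/certs.pem"
}

# Split every PEM certificate in $1 into $WORK/cert-N.pem, ignoring the
# non-PEM text s_client prints around them. Prints the number of certs found.
split_certs() {
  awk -v dir="$WORK" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# Print the path of the first extracted certificate whose issuer equals its
# subject, i.e. the self-signed root of the chain. Returns 1 if none exists.
find_self_signed() {
  for f in "$WORK"/cert-*.pem; do
    subj=$(openssl x509 -noout -subject -in "$f")
    iss=$(openssl x509 -noout -issuer -in "$f")
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
      echo "$f"
      return 0
    fi
  done
  return 1
}

# Chain check equivalent to `curl --cacert "$1"` talking to a server that
# presents "$2". Returns 0 when the leaf validates against the anchor.
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
  make_ca_signed_server
  make_showcerts_bundle
  n=$(split_certs "$WORK/certs.pem")
  anchor=$(find_self_signed) || { echo "no self-signed cert in chain"; return 1; }
  echo "extracted $n certificates; self-signed anchor: $anchor"
  verify_against "$anchor" "$WORK/server.pem" \
    && echo "CA-signed leaf verifies against the CA certificate"
  verify_against "$WORK/server.pem" "$WORK/server.pem" \
    || echo "CA-signed leaf does NOT verify against a copy of itself"
  make_self_signed_server
  verify_against "$WORK/self.pem" "$WORK/self.pem" \
    && echo "self-signed leaf verifies against a copy of itself"
}

main "$@"
```

Against a real server, replace `make_showcerts_bundle` with the `openssl s_client -showcerts` command from the reply above (add `</dev/null` so s_client exits instead of waiting on stdin), then run `split_certs` and `find_self_signed` on the saved file and pass the anchor it prints to `curl --cacert`. Note that a server only sends the root if it is configured to include it in its chain; if `find_self_signed` finds nothing, the root has to be fetched from the CA operator separately.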

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-01-21