I have a remote Windows 7 server that is accessible only via HTTPS on port 768. The server is using a signed certificate from a CA listed in the local CentOS server.
Whenever I try to access the remote server via cURL using the following command, it errors out as follows:
[usr@serv certs]# curl -3 -v https://1.1.1.1:768/user/login
* About to connect() to 1.1.1.1 port 768 (#0)
*   Trying 1.1.1.1... connected
* Connected to 1.1.1.1 (1.1.1.1) port 768 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5961
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
(Note that the IP address has been hidden for security reasons).
I am running the following version of cURL:
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
It's worth noting that this is working on two other remote servers which are both running Windows XP rather than Windows 7.
I have tried forcing cURL to use SSLv3 (using the -3 flag and the -SSLv3 flag) with no success.
I have just tested the same cURL command on a Raspberry Pi running Raspbian and have been able to connect successfully. I therefore believe it may be an issue with the version of cURL in use on the CentOS server. The Raspberry Pi is running the following version:
curl 7.26.0 (arm-unknown-linux-gnueabihf) libcurl/7.26.0 OpenSSL/1.0.1e zlib/1.2.7 libidn/1.25 libssh2/1.4.2 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: Debug GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
The cURL error 35 can appear when the cURL function cannot connect to your website using SSL. cURL often uses a different set of certificates, shipped with PHP. There are several things that can cause this problem; in most cases, updating both cURL and PHP to a newer version will resolve this issue.
An SSL certificate error occurs when a web browser can't verify the SSL certificate installed on a site. Rather than connect users to your website, the browser will display an error message, warning users that the site may be insecure.
Similarly, a cURL error occurs when uploading files to the server. More accurately, the error is a representation of "Failed sending data via a network". Here is the complete error message:
curl: (55) SSL read: error:00000000:lib(0):func(0):reason(0), errno 10054.
curl with NSS reads the root CA certificates by default from /etc/pki/tls/certs/ca-bundle.crt in the PEM format:
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
You can specify another (your) CA certificate (or a bundle in the NSS shared DB) with curl's --cacert option, giving the PEM file that contains the CA certificate(s).
If you don't specify the certificate manually with the --cacert option, NSS tries to select the right one from the NSS database (located at /etc/pki/nssdb) automatically. You can specify its nickname with curl's --cert option; this should be sufficient if the key is embedded in the cert. If not, you can specify the PEM file containing the certificate key with --key. If the key is protected by a pass-phrase, you can give it with curl's --pass option.
You can import your certificate into the NSS shared DB using the nss-tools (yum install nss-tools):
Adding a certificate (common command line)
certutil -d sql:/etc/pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> -i <certificate filename>
About TRUSTARGS
Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database.
There are three available trust categories for each certificate, expressed in this order: " SSL , email , object signing ". In each category position use zero or more of the following attribute codes:
- p prohibited (explicitly distrusted)
- P Trusted peer
- c Valid CA
- T Trusted CA to issue client certificates (implies c)
- C Trusted CA to issue server certificates (SSL only) (implies c)
- u Certificate can be used for authentication or signing
- w Send warning (use with other attributes to include a warning when the certificate is used in that context)
The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:
-t "TCu,Cu,Tuw"
Trusting a root CA certificate for issuing SSL server certificates
certutil -d sql:/etc/pki/nssdb -A -t "C,," -n <certificate nickname> -i <certificate filename>
Importing an intermediate CA certificate
certutil -d sql:/etc/pki/nssdb -A -t ",," -n <certificate nickname> -i <certificate filename>
Trusting a self-signed server certificate
certutil -d sql:/etc/pki/nssdb -A -t "P,," -n <certificate nickname> -i <certificate filename>
Adding a personal certificate and private key for SSL client authentication
pk12util -d sql:/etc/pki/nssdb -i PKCS12_file_with_your_cert.p12
Listing all the certificates stored into NSS DB
certutil -d sql:/etc/pki/nssdb -L
Listing details of a certificate
certutil -d sql:/etc/pki/nssdb -L -n <certificate nickname>
Deleting a certificate
certutil -d sql:/etc/pki/nssdb -D -n <certificate nickname>
Hope this helps.
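As an added example (not code from the answer above), here is a small Python helper that parses and validates a certutil -t TRUSTARGS string using the attribute codes listed above, and builds the shell-quoted certutil -A command from the answer; the function names are my own.

```python
import shlex

# Attribute codes for certutil's -t TRUSTARGS, as listed in the answer above.
TRUST_CODES = {
    "p": "prohibited (explicitly distrusted)",
    "P": "trusted peer",
    "c": "valid CA",
    "T": "trusted CA to issue client certificates (implies c)",
    "C": "trusted CA to issue server certificates, SSL only (implies c)",
    "u": "usable for authentication or signing",
    "w": "send warning",
}
# The three categories, in the order certutil expects: SSL, email, object signing.
CATEGORIES = ("ssl", "email", "object_signing")


def parse_trustargs(trustargs):
    """Return {category: set of codes} for a string such as "C,," or "TCu,Cu,Tuw".

    Raises ValueError on a wrong category count, an unknown code, or a category
    that is both distrusted ('p') and trusted. T and C imply c, so c is added."""
    parts = trustargs.split(",")
    if len(parts) != len(CATEGORIES):
        raise ValueError("expected 3 comma-separated categories: %r" % trustargs)
    result = {}
    for name, field in zip(CATEGORIES, parts):
        codes = set(field)
        unknown = codes - set(TRUST_CODES)
        if unknown:
            raise ValueError("unknown trust code(s) %s in %s" % (sorted(unknown), name))
        if "p" in codes and codes & {"P", "c", "T", "C", "u"}:
            raise ValueError("%s: 'p' (distrusted) conflicts with trust codes" % name)
        if codes & {"T", "C"}:
            codes.add("c")  # make the implied 'valid CA' flag explicit
        result[name] = codes
    return result


def trusts_server_ca(trustargs):
    """True when the SSL category carries C, i.e. the CA may issue server certs NSS will accept."""
    return "C" in parse_trustargs(trustargs)["ssl"]


def certutil_add_command(nickname, pem_path, trustargs, db="sql:/etc/pki/nssdb"):
    """Build the shell-quoted certutil -A command from the answer, validating TRUSTARGS first."""
    parse_trustargs(trustargs)  # reject a bad -t value before it reaches the shell
    return " ".join(["certutil", "-d", shlex.quote(db), "-A", "-t", shlex.quote(trustargs),
                     "-n", shlex.quote(nickname), "-i", shlex.quote(pem_path)])
```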