I'm on Windows attempting to use cURL using SSL, but running into certificate issues that I absolutely cannot figure out.

For example, here is an example of what I'm trying to run.

$ curl "https://google.com" --ntlm -v --negotiate -u USERNAME:PASSWORD --proxy "PROXY" --cert "c:\temp\curl-ca-bundle.crt"
* Adding handle: conn: 0x147ce88
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x147ce88) send_pipe: 1, recv_pipe: 0
* About to connect() to proxy PROXY port 8080 (#0)
*   Trying 192.168.134.80...
* Connected to PROXY (PROXY_IP) port 8080 (#0)
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/7.30.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* unable to use client certificate (no key found or wrong pass phrase?)
* Closing connection 0
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)

Attempting to use --cacert instead of --cert yields the following message -

* Adding handle: conn: 0x130cdf8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x130cdf8) send_pipe: 1, recv_pipe: 0
* About to connect() to proxy PROXY port 8080 (#0)
*   Trying 192.168.135.80...
* Connected to PROXY (PROXY_IP) port 8080 (#0)
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/7.30.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: c:\temp\curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the
-k (or --insecure) option.

The curl-ca-bundle.crt I have is from here, which was updated a few minutes ago. I ensured the file is not blocked by Windows.

For what it's worth, I'm behind a corporate proxy and firewall. I have read everything I could find on this issue and don't know what to do next. I do realize I can ignore SSL, but would like to avoid this at all costs.

self.
  • If you connect from the browser and check the server certificate. Is it the same as what you would get from another connection (from another network)? – Bruno Jul 25 '14 at 21:17
  • Google has their own CA. Download the [Google Internet Authority G2](https://pki.google.com/) and use it as the CA (you need to convert it from ASN.1/DER to PEM). There's no need to trust the CA zoo. If Steffen is correct, then you can verify the certificate is bogus with `openssl s_client -connect google.com:443 -CAfile google-ca.pem`. *If* `s_client` does not finish with `Verify 0 (OK)`, then you are being attacked. – jww Jul 26 '14 at 18:28
  • @Bruno: I think you're onto something. Checking a valid SSL certificate from Chrome says it's being issued from one of our proxy servers. – self. Jul 30 '14 at 11:40
  • @user3238014 Although it's not directly related, it could be more or less the same cause as [this](http://stackoverflow.com/a/24940953/372643). – Bruno Jul 30 '14 at 11:42
  • @jww: Unfortunately, I'm on a Windows machine and running `openssl` either crashes or gives me a file errno:9. Neither of which I've been able to fix at this time. – self. Jul 30 '14 at 11:43
  • @Bruno: Very interesting answer of yours! I'll have to investigate that. – self. Jul 30 '14 at 11:44

1 Answer

For what it's worth, I'm behind a corporate proxy and firewall. I have read everything I could find on this issue and don't know what to do next. I do realize I can ignore SSL, but would like to avoid this at all costs.

I would suggest the firewall does SSL interception, i.e. it works as a man-in-the-middle. To inspect encrypted connections it will split it into two encrypted connections, but of course it will not be able to sign the connection between browser and proxy with the original certificate. Thus it will create a new certificate, signed by a CA specific to the firewall. You need to add this CA to your CA bundle or the verification will fail.

For more details you might try to access the target site with a web browser and check the CA which signed the server's certificate, or ask your system administrator for details of the SSL interception.

Steffen Ullrich
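The procedure the answer describes (find out which CA signed the certificate curl is shown, then add that CA to the bundle) can be done from Windows without openssl, which the asker could not get to run. The script below is an added example, not code from the question or the answer. It opens a CONNECT tunnel through the proxy exactly as curl does, starts TLS inside it, records the chain the proxy presents, and then appends the chain's root to curl-ca-bundle.crt only if that root is already in the Windows trust store (which is where a corporate interception CA pushed by IT lives, and why Chrome reported the proxy as the issuer). A root the machine does not already trust is refused, because then either curl's bundle is merely out of date or the party in the middle is not your IT department. `PROXY`, `8080`, `google.com` and `c:\temp\curl-ca-bundle.crt` are the placeholders from the question; the CA-store check and the base64 layout are assumptions about a standard Windows and Mozilla-style bundle.

```powershell
# Added example (not from the question or the answer): show the chain the
# proxy presents for $Target and, only if its root is a CA Windows already
# trusts, export that root as PEM and append it to curl's CA bundle.
# Placeholders (PROXY, 8080, google.com, the bundle path) are the ones from
# the question; adjust them for your environment.
param(
    [string]$ProxyHost = 'PROXY',
    [int]   $ProxyPort = 8080,
    [string]$Target    = 'google.com',
    [string]$Bundle    = 'c:\temp\curl-ca-bundle.crt'
)

# 1. Ask the proxy for a tunnel, the same CONNECT curl sends in the verbose output.
$tcp = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
$net = $tcp.GetStream()
$req = "CONNECT ${Target}:443 HTTP/1.1`r`nHost: ${Target}:443`r`n`r`n"
$buf = [System.Text.Encoding]::ASCII.GetBytes($req)
$net.Write($buf, 0, $buf.Length)

# Read the reply one byte at a time so that no TLS bytes get swallowed by a buffer.
$reply = ''
while (-not $reply.EndsWith("`r`n`r`n")) {
    $b = $net.ReadByte()
    if ($b -lt 0) { throw 'proxy closed the connection before answering CONNECT' }
    $reply += [char]$b
}
if ($reply -notmatch '^HTTP/1\.[01] 200') { throw "proxy refused CONNECT:`n$reply" }

# 2. Start TLS inside the tunnel and capture the chain we are shown.
#    The callback returns $true only so the handshake completes and the chain
#    can be inspected; nothing is sent over this connection afterwards.
$script:shown   = @()
$script:verdict = $null
$peek = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:shown   = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $script:verdict = $errors
    return $true
}
$ssl = New-Object System.Net.Security.SslStream($net, $false, $peek)
$ssl.AuthenticateAsClient($Target)
$ssl.Dispose(); $tcp.Close()

"Chain presented for ${Target} (Windows verdict: $script:verdict):"
$script:shown | ForEach-Object { "  {0}`n      issued by {1}" -f $_.Subject, $_.Issuer }

# ChainElements runs leaf first, root last.
$root = $script:shown[-1]
if ($root.Subject -ne $root.Issuer) {
    throw "Chain does not end in a self-signed root (last element: $($root.Subject)); nothing to add."
}

# 3. Only a root the machine already trusts is a candidate for the bundle.
$trusted = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
           Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $trusted) {
    throw "Root '$($root.Subject)' ($($root.Thumbprint)) is not in the Windows trust store; refusing to add it."
}

# 4. DER -> PEM: 64-character base64 lines with LF endings, like the rest of the bundle.
$b64   = [Convert]::ToBase64String($root.RawData)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"

if (((Get-Content $Bundle -Raw) -replace '\s', '') -like "*$b64*") {
    "Bundle already contains this root; nothing to do."
} else {
    Add-Content -Path $Bundle -Encoding Ascii -Value "`n# $($root.Subject) (intercepting proxy CA)`n$pem"
    "Appended '$($root.Subject)' to $Bundle"
}

# 5. The bundle goes in --cacert. --cert is for a client certificate, which is
#    why the first attempt in the question fails with error 58.
"curl -v --proxy ${ProxyHost}:${ProxyPort} --cacert `"$Bundle`" https://${Target}/"
```

Save it as a .ps1 and run it from the machine behind the proxy. Note that the `--ntlm`, `--negotiate` and `-u` flags in the question apply to the origin server; the proxy equivalents are `--proxy-ntlm`, `--proxy-negotiate` and `--proxy-user`, but since the proxy already answers the CONNECT with 200 that is not what is failing here. If the script refuses the root, do not add it by hand: ask the administrator for the interception CA in DER or PEM form and compare its thumbprint with the one printed.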