Enforce HTTPS public key used #3

Open
opened 2024-10-12 06:53:31 +02:00 by Benjamin_Loison · 14 comments
Related to [Benjamin_Loison/HTTPS/issues/2](https://codeberg.org/Benjamin_Loison/HTTPS/issues/2).
Author
Owner
[The Ask Ubuntu answer 201923](https://askubuntu.com/a/201923) may help.
Author
Owner
```bash
curl https://localhost
```

Output:

```
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
Author
Owner
```bash
curl https://localhost
```

Output:

```
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
Author
Owner
```bash
curl --cacert localhost.pem https://localhost
```

works fine.
Author
Owner
```bash
IPV4_ADDRESS=XXX.XXX.XXX.XXX
curl --cacert $IPV4_ADDRESS.pem https://$IPV4_ADDRESS
```

Output:

```
curl: (60) SSL: no alternative certificate subject name matches target host name 'IPV4_ADDRESS'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

with default certificate.
Author
Owner
```bash
curl --cacert XXX.XXX.XXX.XXX.pem https://XXX.XXX.XXX.XXX
```

works fine.
Author
Owner
Firefox > *Connection not secure* > *More information* > *View Certificate* > *Miscellaneous* > *Download* > *PEM (cert)*.

```bash
curl --cacert XXX.XXX.XXX.XXX.pem https://XXX.XXX.XXX.XXX
```

Output:

```
curl: (60) SSL: certificate subject name '*' does not match target host name 'XXX.XXX.XXX.XXX'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
Author
Owner
DuckDuckGo and Google search `"curl: (60) SSL: certificate subject name '*' does not match target host name"` and `"SSL: certificate subject name '*' does not match target host name"`.
Author
Owner
```bash
curl --help | grep -iE 'cert|subject|name|target|host'
```

Output:

```
 -O, --remote-name          Write output to a file named as the remote file
 -A, --user-agent <name>    Send User-Agent <name> to server
```
Author
Owner
```bash
man curl | grep -iE 'cert|subject'
```

already returns many results.
Author
Owner
```bash
man curl
```

Output:

```
       --cacert <file>
              (TLS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates.
              The certificate(s) must be in PEM format. Normally curl is built to use a default file for this, so this option is  typi‐
              cally used to alter that default file.

              curl  recognizes  the environment variable named 'CURL_CA_BUNDLE' if it is set, and uses the given path as a path to a CA
              cert bundle. This option overrides that variable.

              The windows version of curl automatically looks for a CA certs file named 'curl-ca-bundle.crt', either in the same direc‐
              tory as curl.exe, or in the Current Working Directory, or in any folder along your PATH.

              (iOS and macOS only) If curl is built against Secure Transport, then this option is supported for backward  compatibility
              with other SSL engines, but it should not be set. If the option is not set, then curl uses the certificates in the system
              and user Keychain to verify the peer, which is the preferred method of verifying the peer's certificate chain.

              (Schannel  only)  This option is supported for Schannel in Windows 7 or later (added in 7.60.0). This option is supported
              for backward compatibility with other SSL engines; instead it is recommended to use Windows' store of  root  certificates
              (the default for Schannel).

              If --cacert is provided several times, the last set value is used.

              Example:
               curl --cacert CA-file.txt https://example.com

              See also --capath and -k, --insecure.
```
Author
Owner
```python
import requests

IPV4_ADDRESS = 'XXX.XXX.XXX.XXX'
# verify= takes the path of a PEM CA bundle, the same role as curl's --cacert
requests.get(f'https://{IPV4_ADDRESS}', verify=f'{IPV4_ADDRESS}.pem')
```

Output:

```
Traceback (most recent call last):
  File "<tmp 3>", line 4, in <module>
    requests.get('https://XXX.XXX.XXX.XXX', verify = 'XXX.XXX.XXX.XXX.pem')
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/api.py", line 73, in get
    return request("get", url, params=params, **kwargs)
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/adapters.py", line 698, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='XXX.XXX.XXX.XXX', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for 'XXX.XXX.XXX.XXX'. (_ssl.c:1000)")))
```
Author
Owner
Maybe using `--cacert` and `-k` is more secure than just `-k`.

Could try experimentally.

Related to [Benjamin_Loison/requests/issues/3#issuecomment-2492123](https://codeberg.org/Benjamin_Loison/requests/issues/3#issuecomment-2492123).
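Added example, not part of the issue thread and not curl's or requests' own code: a shell script that exercises curl's built-in way to enforce a specific server key, `--pinnedpubkey`, alongside `--cacert` and `-k`. `-k` switches off peer and host-name verification, so a `--cacert` passed next to it is not consulted; the pin is compared separately, after that step, and is therefore still enforced when `-k` is given. The script builds a throwaway self-signed certificate whose SAN includes the IP address (leaving the IP entry out is what produces the `IP address mismatch` error shown earlier), serves it with `openssl s_server`, derives the SPKI SHA-256 pin the same way curl computes it, and probes the flag combinations. The port number, file names and the `probe`, `spki_pin`, `spki_pin_from_key` and `start_server` helpers are this example's own choices; it assumes `openssl` 1.1.1 or later and a `curl` build whose TLS backend supports pinning (OpenSSL or GnuTLS on Linux do).

```shell
#!/bin/sh
# Added example (not from the issue or from curl's docs): enforce a server's
# public key with curl --pinnedpubkey. Assumes openssl (1.1.1+ for -addext)
# and curl with a pinning-capable TLS backend in PATH, and a free TCP port
# 4443 on 127.0.0.1. Everything is constructed locally; nothing leaves the host.
set -eu

WORK=$(mktemp -d)
PORT=4443
SERVER_PID=
trap 'if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null || true; fi; rm -rf "$WORK"' EXIT

# Throwaway self-signed certificate whose SAN lists a DNS name and the IP the
# client will connect to; without the IP entry curl and Python both reject it.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=localhost" \
        -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# SPKI pin in the form curl expects after "sha256//": the DER-encoded
# SubjectPublicKeyInfo from the certificate, SHA-256 hashed, base64 encoded.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# Same pin derived from a private key; it must equal spki_pin of the
# certificate issued for that key (useful to check a PEM you downloaded).
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# Run curl against the local server with the given TLS options and print its
# exit status: 0 ok, 7 no server, 60 peer verification failed, 90 pin mismatch.
probe() {
    rc=0
    curl --silent --max-time 5 --output /dev/null "$@" \
        "https://127.0.0.1:$PORT/" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Serve the throwaway certificate (-www answers GET with a status page) and
# wait until the port accepts connections.
start_server() {
    openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
        -www -quiet >/dev/null 2>&1 &
    SERVER_PID=$!
    i=0
    while [ "$i" -lt 20 ]; do
        [ "$(probe -k)" != 7 ] && return 0
        i=$((i + 1))
        sleep 1
    done
    return 1
}

make_cert
start_server
PIN=$(spki_pin "$WORK/cert.pem")
# Pin of an unrelated key, to show a mismatch being rejected.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/other.pem" >/dev/null 2>&1
WRONG_PIN=$(spki_pin_from_key "$WORK/other.pem")

echo "pin for this server:       sha256//$PIN"
echo "no options (exit 60):      $(probe)"
echo "cacert + correct pin:      $(probe --cacert "$WORK/cert.pem" --pinnedpubkey "sha256//$PIN")"
echo "-k alone, anything goes:   $(probe -k)"
echo "-k + correct pin:          $(probe -k --pinnedpubkey "sha256//$PIN")"
echo "-k + wrong pin (exit 90):  $(probe -k --pinnedpubkey "sha256//$WRONG_PIN")"
echo "cacert + wrong pin (90):   $(probe --cacert "$WORK/cert.pem" --pinnedpubkey "sha256//$WRONG_PIN")"
```

Exit status 90 is curl's `CURLE_SSL_PINNEDPUBKEYNOTMATCH`. For a server you do not operate, compute the pin from the PEM downloaded as described earlier in the thread (`spki_pin downloaded.pem`) and pass it as `--pinnedpubkey "sha256//..."`; the pin is bound to the key rather than the certificate, so it survives certificate renewal but breaks the client as soon as the server rotates its key.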
Author
Owner
Related to [Benjamin_Loison/git/issues/93](https://codeberg.org/Benjamin_Loison/git/issues/93).
Reference: Benjamin_Loison/curl#3
No description provided.