Benjamin_Loison/curl
1
0
Code Issues 4 Packages Projects Wiki

Enforce HTTPS public key used #3

New Issue
Open
opened 2024-10-12 06:53:31 +02:00 by Benjamin_Loison · 14 comments
Benjamin_Loison commented 2024-10-12 06:53:31 +02:00
Owner
Copy Link

Related to Benjamin_Loison/HTTPS/issues/2.

Related to [Benjamin_Loison/HTTPS/issues/2](https://codeberg.org/Benjamin_Loison/HTTPS/issues/2).
Benjamin_Loison commented 2024-10-13 22:18:30 +02:00
Author
Owner
Copy Link

The Ask Ubuntu answer 201923 may help.

[The Ask Ubuntu answer 201923](https://askubuntu.com/a/201923) may help.
Benjamin_Loison commented 2024-10-14 00:04:38 +02:00
Author
Owner
Copy Link
curl https://localhost
Output: 
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```bash curl https://localhost ``` <details> <summary>Output:</summary> ``` curl: (60) SSL certificate problem: certificate has expired More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. ``` </details>
Benjamin_Loison commented 2024-10-14 00:15:01 +02:00
Author
Owner
Copy Link
curl https://localhost
Output: 
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```bash curl https://localhost ``` <details> <summary>Output:</summary> ``` curl: (60) SSL certificate problem: self-signed certificate More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. ``` </details>
Benjamin_Loison commented 2024-10-14 00:34:18 +02:00
Author
Owner
Copy Link
curl --cacert localhost.pem https://localhost

works fine.

```bash curl --cacert localhost.pem https://localhost ``` works fine.
Benjamin_Loison commented 2024-10-14 01:07:09 +02:00
Author
Owner
Copy Link
IPV4_ADDRESS=XXX.XXX.XXX.XXX
curl --cacert $IPV4_ADDRESS.pem https://$IPV4_ADDRESS
Output: 
curl: (60) SSL: no alternative certificate subject name matches target host name 'IPV4_ADDRESS'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

with default certificate.

```bash IPV4_ADDRESS=XXX.XXX.XXX.XXX curl --cacert $IPV4_ADDRESS.pem https://$IPV4_ADDRESS ``` <details> <summary>Output:</summary> ``` curl: (60) SSL: no alternative certificate subject name matches target host name 'IPV4_ADDRESS' More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. ``` </details> with default certificate.
Benjamin_Loison commented 2024-10-14 01:12:14 +02:00
Author
Owner
Copy Link
curl --cacert XXX.XXX.XXX.XXX.pem https://XXX.XXX.XXX.XXX

works fine.

```bash curl --cacert XXX.XXX.XXX.XXX.pem https://XXX.XXX.XXX.XXX ``` works fine.
Benjamin_Loison commented 2024-11-28 12:32:16 +01:00
Author
Owner
Copy Link

Firefox > Connection not secure > More information > View Certificate > Miscellaneous > Download > PEM (cert).

curl --cacert XXX.XXX.XXX.XXX.pem https://XXX.XXX.XXX.XXX
Output: 
curl: (60) SSL: certificate subject name '*' does not match target host name 'XXX.XXX.XXX.XXX'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Firefox > *Connection not secure* > *More information* > *View Certificate* > *Miscellaneous* > *Download* > *PEM (cert)*. ```bash curl --cacert XXX.XXX.XXX.XXX.pem https://XXX.XXX.XXX.XXX ``` <details> <summary>Output:</summary> ``` curl: (60) SSL: certificate subject name '*' does not match target host name 'XXX.XXX.XXX.XXX' More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. ``` </details>
Benjamin_Loison commented 2024-11-28 12:33:57 +01:00
Author
Owner
Copy Link

DuckDuckGo and Google search "curl: (60) SSL: certificate subject name '*' does not match target host name" and "SSL: certificate subject name '*' does not match target host name".

DuckDuckGo and Google search `"curl: (60) SSL: certificate subject name '*' does not match target host name"` and `"SSL: certificate subject name '*' does not match target host name"`.
Benjamin_Loison commented 2024-11-28 12:43:47 +01:00
Author
Owner
Copy Link
curl --help | grep -iE 'cert|subject|name|target|host'
Output: 
 -O, --remote-name          Write output to a file named as the remote file
 -A, --user-agent <name>    Send User-Agent <name> to server
```bash curl --help | grep -iE 'cert|subject|name|target|host' ``` <details> <summary>Output:</summary> ``` -O, --remote-name Write output to a file named as the remote file -A, --user-agent <name> Send User-Agent <name> to server ``` </details>
Benjamin_Loison commented 2024-11-28 12:44:58 +01:00
Author
Owner
Copy Link
man curl | grep -iE 'cert|subject'

already returns many results.

```bash man curl | grep -iE 'cert|subject' ``` already returns many results.
Benjamin_Loison commented 2024-11-28 12:45:27 +01:00
Author
Owner
Copy Link
man curl
Output: 
       --cacert <file>
              (TLS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates.
              The certificate(s) must be in PEM format. Normally curl is built to use a default file for this, so this option is  typi‐
              cally used to alter that default file.

              curl  recognizes  the environment variable named 'CURL_CA_BUNDLE' if it is set, and uses the given path as a path to a CA
              cert bundle. This option overrides that variable.

              The windows version of curl automatically looks for a CA certs file named 'curl-ca-bundle.crt', either in the same direc‐
              tory as curl.exe, or in the Current Working Directory, or in any folder along your PATH.

              (iOS and macOS only) If curl is built against Secure Transport, then this option is supported for backward  compatibility
              with other SSL engines, but it should not be set. If the option is not set, then curl uses the certificates in the system
              and user Keychain to verify the peer, which is the preferred method of verifying the peer's certificate chain.

              (Schannel  only)  This option is supported for Schannel in Windows 7 or later (added in 7.60.0). This option is supported
              for backward compatibility with other SSL engines; instead it is recommended to use Windows' store of  root  certificates
              (the default for Schannel).

              If --cacert is provided several times, the last set value is used.

              Example:
               curl --cacert CA-file.txt https://example.com

              See also --capath and -k, --insecure.
```bash man curl ``` <details> <summary>Output:</summary> ``` --cacert <file> (TLS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. Normally curl is built to use a default file for this, so this option is typi‐ cally used to alter that default file. curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is set, and uses the given path as a path to a CA cert bundle. This option overrides that variable. The windows version of curl automatically looks for a CA certs file named 'curl-ca-bundle.crt', either in the same direc‐ tory as curl.exe, or in the Current Working Directory, or in any folder along your PATH. (iOS and macOS only) If curl is built against Secure Transport, then this option is supported for backward compatibility with other SSL engines, but it should not be set. If the option is not set, then curl uses the certificates in the system and user Keychain to verify the peer, which is the preferred method of verifying the peer's certificate chain. (Schannel only) This option is supported for Schannel in Windows 7 or later (added in 7.60.0). This option is supported for backward compatibility with other SSL engines; instead it is recommended to use Windows' store of root certificates (the default for Schannel). If --cacert is provided several times, the last set value is used. Example: curl --cacert CA-file.txt https://example.com See also --capath and -k, --insecure. ``` </details>
Benjamin_Loison commented 2024-12-02 21:56:24 +01:00
Author
Owner
Copy Link
import requests

IPV4_ADDRESS = 'XXX.XXX.XXX.XXX'
requests.get(f'https://{IPV4_ADDRESS}', verify = f'{IPV4_ADDRESS}.pem')
Output: 
Traceback (most recent call last):
  File "<tmp 3>", line 4, in <module>
    requests.get('https://XXX.XXX.XXX.XXX', verify = 'XXX.XXX.XXX.XXX.pem')
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/api.py", line 73, in get
    return request("get", url, params=params, **kwargs)
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/adapters.py", line 698, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='XXX.XXX.XXX.XXX', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for 'XXX.XXX.XXX.XXX'. (_ssl.c:1000)")))
```python import requests IPV4_ADDRESS = 'XXX.XXX.XXX.XXX' requests.get(f'https://{IPV4_ADDRESS}', verify = f'{IPV4_ADDRESS}.pem') ``` <details> <summary>Output:</summary> ``` Traceback (most recent call last): File "<tmp 3>", line 4, in <module> requests.get('https://XXX.XXX.XXX.XXX', verify = 'XXX.XXX.XXX.XXX.pem') File "/home/benjamin/venv/lib/python3.12/site-packages/requests/api.py", line 73, in get return request("get", url, params=params, **kwargs) File "/home/benjamin/venv/lib/python3.12/site-packages/requests/api.py", line 59, in request return session.request(method=method, url=url, **kwargs) File "/home/benjamin/venv/lib/python3.12/site-packages/requests/sessions.py", line 589, in request resp = self.send(prep, **send_kwargs) File "/home/benjamin/venv/lib/python3.12/site-packages/requests/sessions.py", line 703, in send r = adapter.send(request, **kwargs) File "/home/benjamin/venv/lib/python3.12/site-packages/requests/adapters.py", line 698, in send raise SSLError(e, request=request) requests.exceptions.SSLError: HTTPSConnectionPool(host='XXX.XXX.XXX.XXX', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for 'XXX.XXX.XXX.XXX'. (_ssl.c:1000)"))) ``` </details>
Benjamin_Loison commented 2024-12-03 13:28:31 +01:00
Author
Owner
Copy Link

Maybe using --cacert and -k is more secure than just -k.

Could try experimentally.

Related to Benjamin_Loison/requests/issues/3#issuecomment-2492123.

Maybe using `--cacert` and `-k` is more secure than just `-k`. Could try experimentally. Related to [Benjamin_Loison/requests/issues/3#issuecomment-2492123](https://codeberg.org/Benjamin_Loison/requests/issues/3#issuecomment-2492123).
👍 1
Benjamin_Loison commented 2024-12-06 17:30:39 +01:00
Author
Owner
Copy Link

Related to Benjamin_Loison/git/issues/93.

Related to [Benjamin_Loison/git/issues/93](https://codeberg.org/Benjamin_Loison/git/issues/93).
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Benjamin_Loison
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Benjamin_Loison/curl#3
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?