It only takes a minute to sign up. I am trying to make a curl request to one of our local development servers running a dev site with a self-signed SSL cert. I am using curl from the command line. I saw some blog posts mentioning that you can add to the list of certificates or specify a specific self signed certificate as valid, but is there a catch-all way of saying "don't verify" the ssl cert - like the --no-check-certificate that wget has?
This option allows curl to proceed and operate even for server connections otherwise considered insecure. The server connection is verified by making sure the server's certificate contains the right name and verifies successfully using the cert store.
The reference mentioned in that manpage entry describes some of the specific behaviors of -k. These behaviors can be observed with curl requests to test pages from BadSSL. Advantage of using above solution is that it works for all curl commands, but it is not recommended since it may introduce MITM attacks by connecting to insecure and untrusted hosts. You are using a self-signed cert. The other answers are answering the question based on the wget comparable. However the true ask is how do I maintain a trusted connection with a self-signed cert using curl.
Based on many comments security is the top concern in any one of these answers, and the best answer would be to trust the self-signed cert and leave curl s security checks intact.
Sign up to join this community. The best answers are voted up and rise to the top. Home Questions Tags Users Unanswered. Does curl have a --no-check-certificate option like wget?
Ask Question. Asked 7 years, 3 months ago. Active 3 months ago.
Viewed k times.I recently found myself working with a Tomcat-based web application that required its clients to present a certificate to authenticate themselves. Being Tomcat, the whole thing was put together using Java of course; if you wanted to make a call to the server, you had to include a reference to a Java Key Store. Well, as it turns out, you can extract the key and certificate information from a Java Key Store for use by another client application, but the process is a bit involved, so I thought I'd document it here in case anybody else finds themselves in a similar situation.
To motivate this example, I'll walk through the setup of a simple Java and JKS-based client and server that perform mutual SSL authentication — although I originally ran into this in the context of a Tomcat server, I think this is easier to see without all the extra Tomcat stuff. If you know what keystores are and already have something working, and you just want to see how to extract a certificate for use by CURL, feel free to skip down to the extraction part.
Listing 1, below, is the simplest server application I can think of; it accepts a connection on port and echoes back every character it receives. It doesn't deal properly with multiple concurrent clients, or handle errors, or make itself configurable, or offer and security or authentication, but since the topic of this post is simply connectivity, it'll do well enough.
If you compile and run this, it will sit and wait for connections on port You can test it without a special client by just using the telnet utility as shown in example Now, of course, this connection is plaintext.
We want to encrypt it; that's what SSL is for. The code changes, shown in listing 2, are relatively straightforward, requiring only a change to the server socket constructor:. Now, if you try to connect and test using telnet, you'll be kicked out as soon as you try to type a character, and the server will respond with an error message as shown in example The server was expecting an SSL handshake, but didn't get one; it aborts the connection immediately.
Since it throws an uncaught exception in this case, the whole server application terminates I told you it didn't handle errors well. What the Java runtime is trying to tell you, in a very oblique way, is that the server is misconfigured; in particular, it's not presenting a certificate to the client. The server has to identify itself — this is how SSL prevents man in the middle attacks. You can set up a test server by create a self-signed certificate using Java's keytool as shown in example This creates a new file named "server.
You can verify this from the command line as shown in example 5.
Subscribe to RSS
If you're following along, the answers to the prompts don't matter, except for the answer to the first question, "what is your first and last name? Now, to instruct the server to present this certificate on connection, you provide the path to the keystore and the password on the command line:. This goes a little better when you run the client — at least, you'll get a different error message as shown in example What the client is saying here is that it found the certificate, but it didn't trust it, since it wasn't signed by a trusted certificate authority.
That shouldn't come as a surprise, since the certificate was self-signed — clearly not a certificate authority that the client could have trusted.In a recent project, I was assigned to setup monitoring of a set of web services. This article can be of use when you simply want to call a web service from the command line or when you are in a headless environment. When I started I had a pkcs12 file which contained a certificate, a private key, and CA certificate for authentication, the endpoint address of the web service, and an xml file that should be used as input data to the web service.
Curl does not support a combined file with keys and certificates so I had to extract and convert this data to pem format which is a format that works with curl. Outputs CA certificates from my. Outputs client certificates from my. Outputs private keys from my. For more information about the commands above check the pkcs12 man page. When I had my key and certificates in place in pem format I could start building my command to call the web services. I had my three pem files for authentication, then endpoint of the web service, and I had my request xml file to post to the web service.
To pass data to Curl I simply used the —-data parameter and since I had a file with my data I prepended to the file name.
I formed my initial Curl command like:. I tried to execute the command just for fun but to no surprise it did not work. Curl complained that it tried to verify the server certificate using a default bundle of ca certificates.
This was not what I wanted because I trusted the server certificate. To tell curl to not perform this verification I included the —k or -—insecure parameter in my call.
Of course, once again, Curl complained about bad certificate. Since I had my client certificate and the private key I combined the —-cert and -—key parameters that formed the following command:. I added the header and formed my final command:. This is because the —k parameter simply ignores the verification of the CA certificate. The final command now looked like:.
Now, when we have a proper Curl call to a web service, we can easily use it together with Nagios for scheduled monitoring. How to configure Nagios is however out of scope of this article. This article has shown that it can useful to use Curl to call web services under some circumstances. Especially in a closed, headless environment where there is no access to graphical tools.This is where the requestor or client must prove their identity to the server by supplying a valid, known SSL certificate.
The server must also provide a valid certificate to the client identifying itself. In the most simple form we pass the SSL certificate and private key via arguments on the command line. If there is a password associated with the cert you can append it to the cert name separated by a colon or else the curl command will prompt you for the password once the command is run.
The SSL cert and key can also be concatenated into a single file and passed via the —cert argument and skipping —key. There are a few solutions:. In this command we are mounting our local cert and key files inside the container so we can access them with the command.
You are commenting using your WordPress. You are commenting using your Google account. You are commenting using your Twitter account. You are commenting using your Facebook account. Notify me of new comments via email. Notify me of new posts via email.
November 21, November 21, Kevin Duane. There are a few solutions: Use Homebrew to install a more recent version of curl. Use Docker to run latest curl in a container.
This was a great example of how docker can be used to eliminate platform dependencies. Share this: Twitter Facebook. Like this: Like Loading Leave a Reply Cancel reply Enter your comment here Fill in your details below or click an icon to log in:. Email required Address never made public. Name required.GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
If nothing happens, download GitHub Desktop and try again. If nothing happens, download Xcode and try again. If nothing happens, download the GitHub extension for Visual Studio and try again. Skip to content. Dismiss Join GitHub today GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together. Sign up. Pure java CURL implementation. Java Branch: master. Find file. Sign in Sign up.
Go back. Launching Xcode If nothing happens, download Xcode and try again.How SSL certificate works?
Latest commit. Latest commit aaec Aug 2, Features Based on the standard JRE, the source compatibility level is 1. The code is super compact one java file with less than lineswithout any external dependencies, can be easily reused at source level.
Easy to use, fully compatible with the most common switches of CURL tool, can be directly used as a command line tool. Use ThreadLocal to solve the problem that cookies can only be stored globally in standard Java, cookies are maintained isolated for each thread. The cookie-store in the thread can be serialized and saved, which is convenient for setting up a cookie pool.Reading your article is such a privilege.
It does inspire me, I hope that you can share more positive thoughts. Visit my site too. The link is posted below. Hi, thank you for your article. Just one thing. When you state the creation of each certificate, can you please state on which computer each certificate must be created. They can be created on any computer and placed in respective locations of server and client. In my POC, both server and client were on same computer and I generated them on same machine.
Post a Comment. Two-way ssl using cURL. April 29, To es tablish a tw o-way ssl communi cat ion between cURL and a apache tomcat web application, generate a s elf-signed certificate for server and client machine cURL is running on. Self-Signed certificate for client: 1.
Create a private key for client. Create an openSSL self-signed certificate for the client using the private key. When prompted for 'Common Name' specify the hostname of the machine the tomcat runs on.
Tomcat currently operates only on JKS format keystores. It asks for the export password, and it is recommended to provide a password.
Now convert serverkeystore. Keytool asks you for a new password keystore password for the JKS keystore twice, and it will also ask you for the password you set for the PKCS12 keystore created earlier. As there is no C erti ficate Authority in our case of self-signed certificates, we add the server's certi ficate to openSSL's certificate store. This is e x plained later. For now generate a. Now this servercert. Using cURL for two-wa y ssl communication.
Open a te rminal and follow the following commands. Adding se rver's certificate to openSSL store. Identify openSSL installation di rectory using the command. Change to that directory. This folder contains a 'certs' folder, move to that directory.
List the d irectory contains using 'ls -la'.
Move to that direct ory. Copy the server's. Add server. Now, the server's certificate is added to openSSL certificates.When a user authenticates by using a client certificate, the certificate is used in place of a user name and password.
If you are using a basic user registry, in the Common Name field, enter the user name of the user that the certificate is for. This directory should already contain a key. If a trust. The mqwebuser. This extra authentication is provided by the ibm-mq-rest-csrf-token HTTP header.
Note that you cannot use a cached version of the content of the cookie, because the content of the cookie can change. You must use the latest value of the cookie for each request.
For Version 9. The header needs to be set in the request, but its value is not checked. Before you begin. The procedure assumes the following information: That your mqwebuser.
SSL Certificate Verification
You are a privileged user. For developer convenience, the steps detail how to create and use self-signed certificates. However, for production, use certificates that are obtained from a certificate authority. Select a location to save the keystore, and enter an appropriate name in the File Name field. For example, user. Create a self-signed certificate: Click New Self-Signed. Enter user in the Key Label field.
If you are using a basic user registry, enter the name of a user from your user registry in the Common Name field. For example, mqadmin. Click OK. Obtain a certificate from a certificate authority. The CA certificate must include the appropriate user name within the common name CN of the distinguished name DN field: Request a new certificate. From the Create menu, click New Certificate Request.
In the Key Label field, enter the certificate label. Type or select values for the remaining fields, as applicable. Choose where to save the certificate request, and the filename for the certificate request, then click OK.
Send the certificate request file to a certificate authority CA. Select the PKCS 12 keystore that holds the client certificate. Select JKS from the Key database type list. Enter trust. Set a password when prompted. Use the client certificate to authenticate the request.
Setting the value of the ibm-mq-csrf-token header to the value of the CSRF token cookie, csrfTokenthat is returned by the request. Important: In the example, not all cURL implementations support self signed certificates, so you must use a curl that does.