
SSL Certificates

curl won't connect to my server without a --insecure flag.  I installed a certificate, it seems to be working as expected for https:, but isn't working for sftp: access. 

Any idea where I went wrong?


Is "Verify return code: 21 (unable to verify the first certificate)" when testing port 443 a cause for concern?


Output from: openssl s_client -showcerts -connect server.com:2222

CONNECTED(00000003)
140071504779168:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1524497345
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---



Output from: openssl s_client -showcerts -connect server.com:443

CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = server.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = server.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=server.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=server.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2258 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5ADDFC10FB5A4C75B6A8E19736252F5C4B904A693207C7AFB5F9FB6644EDD62A
    Session-ID-ctx:
    Master-Key: 7F16824A8319D9053089AE4A63AC3889E2759048484A9BDDE5CDE6DD655CB4489C4313AE20128DD2761B146C5F1FA7D6
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1524497423
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---


Why are you confusing SFTP and SSL?  They have nothing to do with each other.


So I don't know what you are testing....


SSL would be for HTTPS on port 443.


SFTP would be SSH and on port 2222 or 22.


What are you testing and what has an issue?

The issue is curl:

curl sftp://server.com:2222 -u userid:Passw0rd -T text.txt

Fails with "curl: (51) SSL peer certificate or SSH remote key was not OK"


This works: curl --insecure sftp://server.com:2222 -u userid:Passw0rd -T text.txt


What needs to be done so I can use curl without the --insecure flag?


OK, so you are doing SFTP, and SFTP always has a key signature it's presenting that the client must trust.  Most SFTP clients trust this in their "known_hosts" file on the first occurrence.


You need to read up on curl's documentation on how to make it trusted.


This has nothing to do with SSL, or how SSL has trusted sites based on domain and the chain of signed certificates and so on.  So anything SSL related is pointless.


--Ben
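Putting Ben's answer into practice: the script below is an added example, not from this thread or from curl's own code. It records the SFTP host key of server.com:2222 in a known_hosts file only after its fingerprint matches a value obtained out of band, then uploads with curl pinned to that fingerprint instead of --insecure. It assumes curl built against libssh2 (which reads ~/.ssh/known_hosts), Linux coreutils (base64 -d, md5sum), and a constructed all-zero ed25519 key blob used purely to exercise the functions offline.

```shell
#!/bin/sh
# Added example (not from this thread). Assumes curl+libssh2, which honours
# ~/.ssh/known_hosts, and GNU coreutils for base64 -d and md5sum.

# Step 1 (needs network, run once): fetch the key the server presents on
# port 2222. Output is already in known_hosts form: "[host]:port type blob".
scan_host_key() {   # scan_host_key HOST PORT
  ssh-keyscan -p "$2" -t ed25519 "$1" 2>/dev/null
}

# MD5 of the decoded key blob: the 32 hex digits that curl --hostpubmd5
# compares against (same value ssh-keygen -l -E md5 prints, minus colons).
fingerprint_md5() {  # fingerprint_md5 BASE64_KEY_BLOB
  printf '%s' "$1" | base64 -d | md5sum | cut -c1-32
}

# True if FILE already holds a plain-text entry for [HOST]:PORT.
known_hosts_has() {  # known_hosts_has FILE HOST PORT
  grep -q "^\[$2\]:$3 " "$1" 2>/dev/null
}

# Step 2: append the key to FILE only if its fingerprint equals the value
# obtained out of band (e.g. from the server admin); otherwise refuse.
trust_host() {  # trust_host FILE HOST PORT KEYTYPE KEYBLOB EXPECTED_MD5
  actual=$(fingerprint_md5 "$5")
  if [ "$actual" != "$6" ]; then
    echo "host key fingerprint mismatch for [$2]:$3: got $actual" >&2
    return 1
  fi
  known_hosts_has "$1" "$2" "$3" && return 0
  printf '[%s]:%s %s %s\n' "$2" "$3" "$4" "$5" >> "$1"
}

# Step 3: the upload from the thread, pinned to the verified key. Once the
# known_hosts entry exists, curl needs neither --insecure nor the pin.
upload_pinned() {  # upload_pinned LOCALFILE USER:PASS EXPECTED_MD5
  curl --hostpubmd5 "$3" -u "$2" -T "$1" "sftp://server.com:2222/"
}

# Constructed sample: a syntactically valid ssh-ed25519 blob (4-byte length,
# "ssh-ed25519", 4-byte length, 32 zero bytes) used only for offline checks.
SAMPLE_KEY='AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
```

Typical use: `scan_host_key server.com 2222` once, compare the printed blob's `fingerprint_md5` with the admin-supplied value via `trust_host "$HOME/.ssh/known_hosts" server.com 2222 ssh-ed25519 "$BLOB" "$MD5"`, then `upload_pinned text.txt userid:Passw0rd "$MD5"`.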
