Disable cert revocation check in unix/linux using curl command - ssl

I am using curl command to invoke a rest service. It is as follows:
{curl -X POST --ssl-no-revoke --cacert xyz.pem -K urls.txt -H "Authorization:Basic XYZ" -H "Content-Type:application/json" -d #data.json}
The above command is used to hit the service using one way SSL and basic authorization. The data to be passed is enclosed in data.json file and the urls to be hit are enclosed in urls.txt file.
The above command works perfectly in Windows but when executed from linux, it says:
{curl: option --ssl-no-revoke: is unknown
curl: try 'curl --help' or 'curl --manual' for more information}
I want to disable certificate revocation checks altogether. It looks like {--ssl-no-revoke} works on Windows but not Unix/Linux.
Would like to know if any alternative.

ssl-no-revoke is Windows Only. The only alternative I'm aware of is to have a valid certificate or not use SSL.
https://curl.haxx.se/docs/manpage.html

Using a valid certificate is not always a solution as revocation checks will fail with a valid certificate too when there is no Internet connection (for example, in the presence of a captive portal).
One way is to disable certificate checking altogether, i.e.:
curl --insecure https://www.example.com
Note that this will greatly reduce the security as self signed certificates will also be accepted as well as revoked ones!

Related

curl command works but C program fails NSS: client certificate not found (nickname not specified)

there are a number of similar posts but I am trying to understand a little more than what those offer.
My curl commandline works fine and am able to talk to the server and get the data I want. The command looks like
curl -v --tlsv1.2 --cert ./service_cert.pem --key ./service_private.key "https://myserver"
But when I try to run my C program and examine the http client object I see this
errorBuffer = "NSS: client certificate not found (nickname not specified)
reading further I realized I have libcurl built with NSS which doesn't support reading cert from a flat file ( .pem)
How is then command line curl utility able to read the pem file ?
You need to import your client certificate into a NSS database, using certutil, and have your code use this database.
Reference:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil

Curl and dialog popups

Is it possible to interact/bypass a dialog popup when running a curl command?
My example involves running a curl command within a jenkins build that is using a p.12 certificate for authentication.
curl -v -k -E dev_key.p12:password https://jira.dev.organisation.co.uk:443/rest/api/2/issue/MYSTATS-2213
So if I do this within my regular terminal I will get a popup first time round asking stating example wants to access key in your keychain with allow/always allow buttons after which I can make my curl requests uninterrupted. But for some reason when running the same command in a Jenkins pipeline I just get the error (which is the outcome if you press cancel on the popup)
SSL can't load the certificate and it's private key
Is there a way around this?
UPDATE
So I have found there is a --cacert option to pass through which I guess verifies the dev_key but when I export my ca certificate its a .crt file. is the right format?
For SSL (https), curl option -E expects a certificate in PEM format (not PKCS#12). From man page:
-E, --cert <certificate[:password]>
[...]
The certificate must be in PKCS#12 format if using Secure Transport, or
PEM format if using any other engine.
[...]

Curl request with ntlm authentication fails if password is set

I try to fetch some data from a Microsoft Dynamics Nav WebService.
This service uses the NTML authentication.
If I open the webservice url in a browser and use the given credentials everything works fine.
For setting up the environment for the WebService Client, I used the command line to check whether everything is working fine, I was, at a specific point, unable to authenticate.
Thats the command I am using:
curl --ntlm -u "DOMAIN\USERNAME" -k -v "http://hostname:port/instance/Odata/Company('CompanyName')/Customer"
The command will prompt for the password.
I copy in the password and everything is doing fine.
But when I use this command, with the password already included, it stops working and the authentication fails:
curl --ntlm -u "DOMAIN\USERNAME:PASSWORD" -k -v "http://hostname:port/instance/Odata/Company('CompanyName')/Customer"
The password contains some special chars, so I tried to use the percent encoding, which had no effect at all.
It is very difficult to research this kind of issue. Searching for curl + ntlm authentication issues provides a lot of results, but nothing is related to this specific kind of issue.
Does anyone of you guys already had experience with this kind of issue?
I had a problem with authentication because of cookies. I solved this containing cookies in txt file and using exactly this file through all requests. For example, after login request I saved this cookies:
curl -X POST -u username:password https://mysite/login -c cookies.txt
And with next request I used this file like this:
curl -X POST -u username:password https://mysite/link -b cookies.txt
This solution worked for me, I don't know if your problem is similar, but, I think, you may try this.
I was struggling with similar issue for a long time and finally I found this curl bug report #1253 NTLM authentication fails when password contains special characters (british pound symbol £) .
NTLM authentication in cURL supports only ASCII characters in passwords! This is still the case in version 7.50.1 on Ubuntu but I tested this on many different distributions and it is always the same. This bug also will break curl_init() in PHP (tested on PHP7). The only way to solve that is to avoid non ASCII characters in NTLM authentication passwords.
If you are using Python then you are lucky. Apparently Python developers rewrote cURL implementation and it works with non ASCII characters if you use HttpNtlmAuth package.
Try with nltm flag.
Something like this:
curl -v --proxy-nltm -u 'username:password' youproxy.com:8080 someURL
from > curl --help
-x, --proxy [PROTOCOL://]HOST[:PORT] Use proxy on given port
--proxy-anyauth Pick "any" proxy authentication method (H)
--proxy-basic Use Basic authentication on the proxy (H)
--proxy-digest Use Digest authentication on the proxy (H)
--proxy-negotiate Use Negotiate authentication on the proxy (H)
--proxy-ntlm Use NTLM authentication on the proxy (H)

Setting up a Docker registry with Letsencrypt certificate

I'm setting up a domain registry as described here:
https://docs.docker.com/registry/deploying/
I generated a certificate for docker.mydomain.com and started the docker using their command on my server:
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2
I've started the docker and pointed to certificates I obtained using letsencrypt (https://letsencrypt.org/).
Now, when I browse to https://docker.mydomain.com:5000/v2/ I will get a page with just '{}', with a green lock (succesful secure page request).
But when I try to do a docker login docker.mydomain.com:5000 from a different server I see a error in the registry docker:
TLS handshake error from xxx.xxx.xxx.xxx:51773: remote error: bad certificate
I've tried some different variations in setting up the certificates, and gotten errors like:
remote error: unknown certificate authority
and
tls: first record does not look like a TLS handshake
What am I missing?
Docker seams to not support SNI : https://github.com/docker/docker/issues/9969
Update : Docker now should support SNI.
It's mean, when connecting to your server during the tls transaction, the docker client do not specify the domain name, so your server show the default certificate.
The solution could be to change to default certificate of your server to be to one valid for the docker domain.
This site works only in browsers with SNI support.
To check if your (sub-)domain works with clients not SNI-aware, you can use ssllabs.com/ssltest : If you DONT see the message, "This site works only in browsers with SNI support. " then it will works.

LDAP over startTLS

I'm going to start TLS connection for LDAP. I have followed this link which uses gnuTLS tool for generating self-signed certificates.
Slapd starts well.
When i run the command:
ldapsearch -x -b "dc=platalytics,dc=com" -H 'ldaps://122.129.79.69' -ZZ
it shows my whole DIT structure.
But wen i run this command:
ldapsearch -x -b "dc=platalytics,dc=com" -H 'ldaps://122.129.79.69' -ZZ
it gives error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I'm new to LDAP. I don't have much understanding. Can anyone please explain what could be the issue?
Also i came to know conventional SSL certificates does not work well with LDAP. We have to create separate certificates for LDAP to startTLS connection. Is it the case?
looks like your commands are the same?
For StartTLS Use
ldapsearch -x -b "dc=platalytics,dc=com" -H 'ldap://122.129.79.69' -ZZ
(ie not LDAPS) when using StartTLS.
-jim