
HTTP & TLS with -cafile or -certfile options


Alexandru

Jun 24, 2015, 9:05:43 AM
I'm not sure I understand the difference between the -cafile and -certfile option of the command:

[code]
::http::register https 443 [list ::tls::socket -require 0 -request 0 -ssl2 0 -ssl3 0 -tls1 1 -cafile $cafile -certfile $certfile]
[/code]

Is it so, that if my certificate file (public.crt) was signed by a CA like VeriSign then I must only use the option -cafile? And if I have a self signed certificate, then I must use the option -certfile?

Erik Leunissen

Jun 24, 2015, 4:51:43 PM
On 24/06/15 15:05, Alexandru wrote:
> I'm not sure I understand the difference between the -cafile and
> -certfile option of the command:
>

"-certfile" relates to the certificate that identifies the client (likewise
the server) for the https connection. "-cafile" relates to the certificate
of the Certification Authority (CA) that signed the client/server certificate.


> [code] ::http::register https 443 [list ::tls::socket -require 0
> -request 0 -ssl2 0 -ssl3 0 -tls1 1 -cafile $cafile -certfile
> $certfile] [/code]
>
> Is it so, that if my certificate file (public.crt) was signed by a CA
> like VeriSign then I must only use the option -cafile? And if I have
> a self signed certificate, then I must use the option -certfile?
>

You need to specify the location of both these certificates, regardless
who the CA is, i.e. regardless whether the client/server certificate is
self-signed.

Of course it's best if you understand the logic for this. If you feel
there's an obstacle here, it's best to read up on:
- asymmetric cryptography and
- Public Key Infrastructure (PKI)

Internet provides many sources for that. You might start with:

https://pki-tutorial.readthedocs.org/en/latest/


HTH,

Erik Leunissen
--
elns@ nl | Merge the left part of these two lines into one,
xs4all. | respecting a character's position in a line.

Erik Leunissen

Jun 27, 2015, 5:30:51 AM
On 24/06/15 22:50, Erik Leunissen wrote:
> ... You need to specify the location of both these certificates,
> regardless who the CA is, i.e. regardless whether the client/server
> certificate is self-signed.
>...

Uhmm, I meant:

"You need to specify the location of both these certificates,
regardless who the CA is, and regardless whether the CA certificate is
self-signed."

Erik.

Alexandru

Jun 29, 2015, 4:56:42 AM
Hi Erik,

thank you for your help.

My CA is Verisign. After reading the information at the link you sent me, I downloaded the root certificate from the Verisign website (Class-3-Public-Primary-Certification-Authority-G2.pem). This is my CAfile, right?

Then I did this:

[code]
set certfile [file join $sourcedir ssl public.crt]
set cafile [file join $sourcedir ssl Class-3-Public-Primary-Certification-Authority-G2.pem]
::http::register https 443 [list ::tls::socket -require 1 -request 1 -ssl2 0 -ssl3 0 -tls1 1 -cafile $cafile -certfile $certfile]
[/code]

My application tries to communicate with my server and returns the following errors:

An error occurred while trying to communicate with https://141.../cgi-bin/...
unable to set public key file L:/.../ssl/public.crt no start line
An error occurred while trying to communicate with https://.../cgi-bin/...
unable to set public key file L:/.../ssl/public.crt PEM lib

Any ideas?

Erik Leunissen

Jul 1, 2015, 11:38:11 AM
On 29/06/15 10:56, Alexandru wrote:
> Hi Erik,
>
> thank you for your help.
>
> My CA is Verisign. After reading the information at the link you sent
> me, I downloaded the root certificate from the Verisign website
> (Class-3-Public-Primary-Certification-Authority-G2.pem). This is my
> CAfile, right?

I believe so.

>
> Then I did this:
>
> [code] set certfile [file join $sourcedir ssl public.crt] set cafile
> [file join $sourcedir ssl
> Class-3-Public-Primary-Certification-Authority-G2.pem]
> ::http::register https 443 [list ::tls::socket -require 1 -request 1
> -ssl2 0 -ssl3 0 -tls1 1 -cafile $cafile -certfile $certfile] [/code]
>
> My application tries to communicate with my server and returns the
> following errors:
>
> An error occurred while trying to communicate with
> https://141.../cgi-bin/... unable to set public key file
> L:/.../ssl/public.crt no start line An error occurred while trying to
> communicate with https://.../cgi-bin/... unable to set public key
> file L:/.../ssl/public.crt PEM lib
>
> Any ideas?
>

Well that would amount to guessing. You cannot count on the value of
that. Anyway, instinctively, I'm thinking of:
1. a read-permission problem
2. the certificate has the wrong format (PEM/DER/CRT) or contents
(includes too many or too few keys)

Erik
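An added check, written for this thread in Python rather than Tcl and not code from either poster, covering Erik's two points above: the separate roles of -certfile (this endpoint's own certificate) and -cafile (the CA certificate used to verify the peer), and his guesses about permissions and file format. The "no start line" text in Alexandru's log is OpenSSL's PEM reader saying it found no "-----BEGIN ...-----" marker, which is what this check reports before the file ever reaches ::tls::socket; the sample byte strings are constructed placeholders, not real certificates.

```python
import os
import re

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----".
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

# Constructed sample inputs, not real certificates: the bodies are placeholders.
SAMPLE_PEM_CERT = b"-----BEGIN CERTIFICATE-----\nplaceholder-base64\n-----END CERTIFICATE-----\n"
SAMPLE_PEM_KEY = b"-----BEGIN PRIVATE KEY-----\nplaceholder-base64\n-----END PRIVATE KEY-----\n"
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + b"\x00" * 8  # ASN.1 SEQUENCE header


def inspect_pem(data: bytes) -> dict:
    """Classify a file body the way OpenSSL's PEM reader sees it.

    OpenSSL reports "no start line" when it finds no '-----BEGIN' marker,
    which is what a DER-encoded, binary or empty file produces.
    """
    if not data.strip():
        return {"format": "empty", "blocks": []}
    labels = [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]
    if labels:
        return {"format": "pem", "blocks": labels}
    # A DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30).
    if data[0] == 0x30:
        return {"format": "der", "blocks": []}
    return {"format": "unknown", "blocks": []}


def check_tls_files(certfile: bytes, cafile: bytes) -> list:
    """Findings for the two roles ::tls::socket distinguishes: -certfile is this
    endpoint's own certificate, -cafile is the CA certificate used to verify
    the peer. An empty list means both look usable."""
    findings = []
    for role, data in (("certfile", certfile), ("cafile", cafile)):
        info = inspect_pem(data)
        if info["format"] != "pem":
            findings.append(f"{role}: not PEM ({info['format']}); OpenSSL will report 'no start line'")
            continue
        if "CERTIFICATE" not in info["blocks"]:
            findings.append(f"{role}: PEM but no CERTIFICATE block, only {info['blocks']}")
        elif role == "cafile" and any(b.endswith("PRIVATE KEY") for b in info["blocks"]):
            findings.append("cafile: holds a private key; a CA file should contain only certificates")
    return findings


def unreadable(*paths) -> list:
    """Erik's first guess, a permissions problem: paths the process cannot read."""
    return [p for p in paths if not os.access(p, os.R_OK)]
```

Run `check_tls_files(open(certfile, "rb").read(), open(cafile, "rb").read())` on the real files before wiring them into ::http::register; an empty result rules out the format and content causes Erik lists.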

Alexandru

Jul 1, 2015, 3:20:38 PM
On Wednesday, 1 July 2015 17:38:11 UTC+2, Erik Leunissen wrote:
> Well that would amount to guessing. You cannot count on the value of
> that. Anyway, instinctively, I'm thinking of:
> 1. a read-permission problem
> 2. the certificate has the wrong format (PEM/DER/CRT) or contents
> (includes too many or too few keys)
>

In the meantime I have isolated the problem to the following error:

error reading "sock560": operation not supported on socket

The error about verifying the certificate stems from this error, because I had used catch to catch errors and that changed the behavior of the displayed errors.

For this reason I opened a new thread. Please read this: https://groups.google.com/forum/#!topic/comp.lang.tcl/Lr2HbXKLeO8

Thank you!