Hello.
Sorry if this list is not NSS-related, but...
I'm migrating a web server from Debian 7 (OpenSSL) to CentOS 6 (NSS 3.14.3-3).
There are some applications that work with the "Webmoney" payment system using libcurl.
I have the following data in ASCII files:
1) Custom CA certificate from Webmoney - WM.crt
2) Client certificate - WM.cer
3) Password-protected client key - WM.key
So I'm starting with the conversion:
1st, create an empty database and check it:
$ mkdir NSS
$ certutil -N -d ./NSS
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
$ certutil -L -d ./NSS
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
2nd, convert the existing client certificate and client key to PKCS#12 using the key password:
$ openssl pkcs12 -export -in WM.cer -inkey WM.key -out WM.p12 -name "WM" -passin file:WM.passwd
Enter Export Password:
Verifying - Enter Export Password:
I set an empty "Export Password"; I hope this is OK for migration.
3rd, import the PKCS#12 into NSS and check it:
$ pk12util -i WM.p12 -d ./NSS
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
$ certutil -L -d ./NSS
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
WM u,u,u
Then I imported Webmoney's CA into the database and checked it:
$ certutil -d ./NSS -A -n CAWM -t "CT,," -a -i ./WM.crt
$ certutil -L -d ./NSS
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CAWM CT,,
WM u,u,u
So I guess now I have all the data in the NSS DB; let's try to put it together:
$ SSL_DIR=/home/user/NSS/ curl -vvv --cacert CAWM --cert WM https://w3s.wmtransfer.com/asp/XMLFindWMPurseCertNew.asp
* About to connect() to w3s.wmtransfer.com port 443 (#0)
* Trying 91.200.28.159... connected
* Connected to w3s.wmtransfer.com (91.200.28.159) port 443 (#0)
* Initializing NSS with certpath: sql:/home/user/NSS/
* NSS error -5978
* Closing connection #0
* Problem with the SSL CA cert (path? access rights?)
curl: (77) Problem with the SSL CA cert (path? access rights?)
Ooops...
Some info from 'man curl':
--cacert <CA certificate>
If curl is built against the NSS SSL library then this option tells curl the nickname of the CA certificate to use within the NSS database defined by the environment variable SSL_DIR (or by default /etc/pki/nssdb). If the NSS PEM PKCS#11 module (libnsspem.so) is available then PEM files may be loaded.
-E/--cert <certificate[:password]>
If curl is built against the NSS SSL library then this option tells curl the nickname of the certificate to use within the NSS database defined by the environment variable SSL_DIR (or by default /etc/pki/nssdb). If the NSS PEM PKCS#11 module (libnsspem.so) is available then PEM files may be loaded.
Well, let's get the CA from a file:
$ SSL_DIR=/home/user/NSS/ curl -vvv --cacert ./WM.crt -E WM https://w3s.wmtransfer.com/asp/XMLFindWMPurseCertNew.asp
* About to connect() to w3s.wmtransfer.com port 443 (#0)
* Trying 212.118.48.159... connected
* Connected to w3s.wmtransfer.com (212.118.48.159) port 443 (#0)
* Initializing NSS with certpath: sql:/home/user/NSS/
* CAfile: ./WM.crt
CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_MD5
* Server certificate:
* subject: CN=w3s.wmtransfer.com,OU=WebMoney Web Service,O=WebMoney Transfer
* start date: Jun 04 20:46:54 2012 GMT
* expire date: Jun 04 20:56:54 2014 GMT
* common name: w3s.wmtransfer.com
* issuer: CN=WebMoney Transfer Root CA,O=WM Transfer Ltd,OU=WM Transfer Certification Services
> GET /asp/XMLFindWMPurseCertNew.asp HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: w3s.wmtransfer.com
> Accept: */*
>
* NSS: client certificate not found: WM
< HTTP/1.1 403 Forbidden
Finally, I try with the same basic files on OpenSSL'ed Debian 7:
curl -vvv --cacert ./WM.crt --cert ./WM.cer --key ./WM.key https://w3s.wmtransfer.com/asp/XMLFindWMPurseCertNew.asp
* About to connect() to w3s.wmtransfer.com port 443 (#0)
* Trying 91.200.28.159... connected
* Connected to w3s.wmtransfer.com (91.200.28.159) port 443 (#0)
Enter PEM pass phrase:
* successfully set certificate verify locations:
* CAfile: ./WM.crt
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-MD5
* Server certificate:
* subject: O=WebMoney Transfer; OU=WebMoney Web Service; CN=w3s.wmtransfer.com
* start date: 2012-06-04 20:46:54 GMT
* expire date: 2014-06-04 20:56:54 GMT
* common name: w3s.wmtransfer.com (matched)
* issuer: OU=WM Transfer Certification Services; O=WM Transfer Ltd; CN=WebMoney Transfer Root CA
* SSL certificate verify ok.
> GET /asp/XMLFindWMPurseCertNew.asp HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
> Host: w3s.wmtransfer.com
> Accept: */*
>
* SSLv3, TLS handshake, Hello request (0):
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
< HTTP/1.1 200 OK
....skipped....
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
Before I ask on the libcurl or some CentOS mailing list, please help me ensure that the NSS part of this work was done right.
Most of the NSS commands were taken from here:
http://directory.fedoraproject.org/wiki/Mod_nss#Can_I_use_my_existing_mod_ssl.2FOpenSSL_certificates_with_mod_nss.3F
$ ldd `which curl`
linux-vdso.so.1 => (0x00007fffecbf1000)
libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x00007f26ca049000)
libidn.so.11 => /lib64/libidn.so.11 (0x00007f26c9e17000)
libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f26c9bc9000)
librt.so.1 => /lib64/librt.so.1 (0x00007f26c99c1000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f26c977d000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f26c9496000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f26c926a000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f26c9066000)
libssl3.so => /usr/lib64/libssl3.so (0x00007f26c8e2e000)
libsmime3.so => /usr/lib64/libsmime3.so (0x00007f26c8c02000)
libnss3.so => /usr/lib64/libnss3.so (0x00007f26c88c5000)
libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f26c8699000)
libplds4.so => /lib64/libplds4.so (0x00007f26c8495000)
libplc4.so => /lib64/libplc4.so (0x00007f26c8290000)
libnspr4.so => /lib64/libnspr4.so (0x00007f26c8051000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f26c7e34000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f26c7c30000)
libssh2.so.1 => /usr/lib64/libssh2.so.1 (0x00007f26c7a07000)
libz.so.1 => /lib64/libz.so.1 (0x00007f26c77f1000)
libc.so.6 => /lib64/libc.so.6 (0x00007f26c745e000)
liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f26c724e000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f26c7034000)
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f26c6e1a000)
/lib64/ld-linux-x86-64.so.2 (0x00007f26ca2a6000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f26c6c0e000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f26c6a0b000)
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f26c67ad000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f26c6413000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f26c61dc000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f26c5fbc000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007f26c5d50000)
If I should post this issue to some other mailing list or bug tracker, please advise me of the correct one.
Thank you.
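The migration steps from the message above, scripted with the checks a practitioner would want before blaming curl: that the NSS database really lists the client certificate with its private key (`u,u,u`) and the CA with the `CT,,` trust flags curl's nickname lookup relies on. This is an added example, not code from the original post; it assumes the post's file names (WM.cer, WM.key, WM.crt, WM.passwd), the nicknames "WM" and "CAWM", and a database under ./NSS.

```shell
#!/bin/sh
# Added example, not from the original post: script the OpenSSL -> NSS
# migration described above and verify the result before calling curl.
# Assumed (from the post): WM.cer/WM.key/WM.crt/WM.passwd in the current
# directory, nicknames "WM" (client) and "CAWM" (CA), database in ./NSS.
NSSDB=${NSSDB:-./NSS}

# has_trust LISTING NICKNAME FLAGS: true if `certutil -L` output LISTING
# shows NICKNAME with exactly the trust string FLAGS (always the last field,
# so nicknames containing spaces are handled too).
has_trust() {
    printf '%s\n' "$1" | awk -v nick="$2" -v want="$3" '
        NF >= 2 && $NF == want {
            name = $1
            for (i = 2; i < NF; i++) name = name " " $i
            if (name == nick) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# verify_listing LISTING: 0 if the DB holds what curl needs, 1 if the client
# cert lacks its private key (no "u" flags), 2 if the CA is not trusted as
# "CT,," (C = may sign SSL server certs, T = may sign client certs).
verify_listing() {
    has_trust "$1" WM   'u,u,u' || return 1
    has_trust "$1" CAWM 'CT,,'  || return 2
    return 0
}

migrate() {
    mkdir -p "$NSSDB"
    certutil -N -d "$NSSDB" --empty-password
    # PKCS#12 bundles cert and key; the key password is read from a file so
    # it never appears in `ps` (file name as in the post).
    openssl pkcs12 -export -in WM.cer -inkey WM.key -passin file:WM.passwd \
        -name WM -passout pass: -out WM.p12
    pk12util -i WM.p12 -d "$NSSDB" -W ''
    certutil -d "$NSSDB" -A -n CAWM -t 'CT,,' -a -i WM.crt
    rm -f WM.p12   # the bundle contains the private key; do not leave it behind
    verify_listing "$(certutil -L -d "$NSSDB")" || return $?
    # With an NSS-built curl both options are database nicknames, not paths.
    SSL_DIR=$NSSDB curl -sS --cacert CAWM --cert WM -o /dev/null \
        -w '%{http_code}\n' https://w3s.wmtransfer.com/asp/XMLFindWMPurseCertNew.asp
}

# Only perform the migration when invoked as `sh migrate.sh run`.
case "${1:-}" in run) migrate ;; esac
```

`verify_listing` exits non-zero with a distinct code for each missing piece, so the script stops before the curl call instead of producing the same "client certificate not found" surprise as in the post.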