How to secure your REST service? Part 3 – Accessing SSL-secure service via cURL

If you access the HTTPS URL via cURL, you will get the error below. This is curl's way of warning you that the server certificate is self-signed and could not be validated against its 'CA bundle' (a list of pre-downloaded certificates that are trusted).

curl: (60) SSL certificate problem: self signed certificate
 More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
 If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
 If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

In our case, since it is a self-signed certificate we created for manual purposes, we need to let curl know that it is OK to communicate with this URL. There are two ways to do it:

  1. Use the curl -k option to connect to the SSL site without certificate verification. Of course, this is not safe.
  2. Add our self-signed certificate to the default CA certificate bundle. Curl's default CA bundle is stored in a file called ca-bundle.crt. If you don't find it on your machine, there are a couple of ways to get it.

(A) Download the generic version from the curl website:
curl http://curl.haxx.se/ca/cacert.pem -o C:\Fig\ca-bundle.crt
(B) If you are not comfortable using the generic version, you can download the curl source code from GitHub and generate the bundle locally as follows (reference: https://gist.github.com/jjb/996292):

git clone https://github.com/bagder/curl.git
cd curl/lib

# edit mk-ca-bundle.pl and change http to https in the line below:
my $url = 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1';

perl ./mk-ca-bundle.pl   # creates the ca-bundle.crt file

Before appending our certificate to the ca-bundle.crt file above, we first need to download the self-signed certificate from the server.
(1) Downloading the server certificate locally

(a) From the browser you can save the certificate directly to a .cer file. This file needs to be converted to PEM format using:

C:\OpenSSL-Win64\bin\openssl x509 -inform DER -in c:\figserver.cer -out C:\figservercert.pem -text

(b) Via OpenSSL: enter the command below with your own server name and HTTPS port. After the certificate details are printed on the console, type QUIT.

C:\apps\OpenSSL-Win64\bin\openssl s_client -connect localhost:8443
(2) Copy the content between the BEGIN CERTIFICATE and END CERTIFICATE lines (including those two lines) and append it to the ca-bundle.crt file.

Now run the curl command pointing to the local ca-bundle.crt file and access the SSL site:
curl -D- --cacert ./ca-bundle.crt -H "Authorization: Basic Zml6YWxhZG1pbjpmaXphbGFkbWlu" -X GET https://localhost:8443/Fig-0.0.1/fig/task/z4
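The whole procedure above (fetch the server certificate with s_client, keep the BEGIN/END CERTIFICATE block, append it to a local bundle, then call curl with --cacert rather than -k), scripted as an added example that is not part of the original post. The host, port, URL and bundle path are assumptions, and the s_client output used for offline testing is constructed with a fake certificate body.

```shell
#!/bin/sh
# Added example, not from the original post: capture the self-signed server
# certificate with openssl s_client, keep only the PEM block, append it to a
# local CA bundle, and call curl with --cacert instead of -k. Host, port, URL
# and bundle path are assumptions; override them through the environment.
HOST="${HOST:-localhost}"
PORT="${PORT:-8443}"
BUNDLE="${BUNDLE:-./ca-bundle.crt}"
URL="${URL:-https://localhost:8443/}"

# Keep only the lines from BEGIN CERTIFICATE to END CERTIFICATE, inclusive;
# that is the part of the s_client output that belongs in the bundle.
extract_pem() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Fetch the live certificate; stdin from /dev/null ends the session, so
# there is no need to type QUIT by hand.
fetch_server_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | extract_pem
}

# Append a PEM block unless the bundle already holds the same base64 body;
# prints "added" or "present" so the caller knows what happened.
append_to_bundle() {
  bundle="$1"; pem="$2"
  [ -f "$bundle" ] || : > "$bundle"
  body="$(printf '%s\n' "$pem" | sed '1d;$d' | tr -d '\n')"
  if [ -n "$body" ] && tr -d '\n' < "$bundle" | grep -qF -- "$body"; then
    echo present; return 0
  fi
  printf '%s\n' "$pem" >> "$bundle"; echo added
}
# Constructed s_client output (fake certificate body) for offline testing.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
---
-----BEGIN CERTIFICATE-----
MIIBszCCAV2gAwIBAgIUFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEF
AKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE=
-----END CERTIFICATE-----
---
subject=CN = localhost'
# Live run against the real server (needs network): sh this_script.sh run
if [ "${1:-}" = "run" ]; then
  pem="$(fetch_server_cert "$HOST" "$PORT")"
  [ -n "$pem" ] || { echo "no certificate received from $HOST:$PORT" >&2; exit 1; }
  append_to_bundle "$BUNDLE" "$pem"
  curl -sS -D- --cacert "$BUNDLE" "$URL"
fi
```

Running the script a second time reports "present" instead of appending a duplicate copy of the certificate to the bundle.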
