Date: Fri, 28 Feb 2025 09:06:39 +0200
From: Oleksandr Kryvulia <shuriku@shurik.kiev.ua>
To: freebsd-security@freebsd.org
Subject: Re: False positive
Message-ID: <3c90f42a-6ef7-4f9e-b695-d4d23879881f@shurik.kiev.ua>
In-Reply-To: <Z8Cbp1-PqfNiv99b@doctor.nl2k.ab.ca>
References: <Z79-4aGRtz5Lwi22@doctor.nl2k.ab.ca> <aaf7507e-4953-4376-b7f1-27b200841b36@shurik.kiev.ua> <Z8Cbp1-PqfNiv99b@doctor.nl2k.ab.ca>
27.02.25 19:06, The Doctor:
> On Thu, Feb 27, 2025 at 07:14:14AM +0200, Oleksandr Kryvulia wrote:
>> 26.02.25 22:51, The Doctor:
>>> This main server is seeing
>>>
>>> curl -v -v -v -v -v -v -v -v -v -v -v -v https://gateway.moneris.com/chktv2/request/request.php
>>> * !!! WARNING !!!
>>> * This is a debug build of libcurl, do not use in production.
>>> * STATE: INIT => SETUP handle 0x15e5070d7808; line 2393
>>> * STATE: SETUP => CONNECT handle 0x15e5070d7808; line 2409
>>> * Added connection 0. The cache now contains 1 members
>>> * STATE: CONNECT => RESOLVING handle 0x15e5070d7808; line 2308
>>> * Curl_multi_closed, fd=4 multi is 0x15e507095008
>>> * Curl_multi_closed, fd=4 entry is 0x15e507010508
>>> * Host gateway.moneris.com:443 was resolved.
>>> * IPv6: (none)
>>> * IPv4: 23.249.192.196
>>> * STATE: RESOLVING => CONNECTING handle 0x15e5070d7808; line 2266
>>> *   Trying 23.249.192.196:443...
>>> * ALPN: curl offers h2,http/1.1
>>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>>> * TLSv1.2 (OUT), TLS alert, unknown CA (560):
>>> * SSL certificate problem: self-signed certificate in certificate chain
>>> * multi_done[CONNECTING]: status: 60 prem: 1 done: 0
>>> * multi_done, not reusing connection=0, forbid=0, close=0, premature=1, conn_multiplex=0
>>> * Curl_disconnect(conn #0, aborted=1)
>>> * closing connection #0
>>> * [CCACHE] closing #0
>>> * Curl_multi_closed, fd=4 multi is 0x15e507095008
>>> * Curl_multi_closed, fd=4 entry is (nil)
>>> * [CCACHE] trigger multi connchanged
>>> curl: (60) SSL certificate problem: self-signed certificate in certificate chain
>>> More details here: https://curl.se/docs/sslcerts.html
>>>
>>> curl failed to verify the legitimacy of the server and therefore could not
>>> establish a secure connection to it. To learn more about this situation and
>>> how to fix it, please visit the webpage mentioned above.
>>>
>>>
>>> yet when I check against Kali, the server
>>> says the certificate is correct.
>>>
>>> What could have gone wrong?
>>>
>> I do not have this problem. ftp/curl built from latest packages, version
>> 8.12.1.
>>
>> % curl -v -v -v -v -v -v -v -v -v -v -v -v
>> https://gateway.moneris.com/chktv2/request/request.php
>> * Host gateway.moneris.com:443 was resolved.
>> * IPv6: (none)
>> * IPv4: 23.249.192.196
>> *   Trying 23.249.192.196:443...
>> * ALPN: curl offers h2,http/1.1
>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / prime256v1 /
>> rsaEncryption
>> * ALPN: server did not agree on a protocol. Uses default.
>> * Server certificate:
>> *  subject: C=CA; ST=Ontario; L=Etobicoke; O=Moneris Solutions Corporation;
>> CN=gateway.moneris.com
>> *  start date: Sep 20 14:46:33 2024 GMT
>> *  expire date: Oct 19 14:46:32 2025 GMT
>> *  subjectAltName: host "gateway.moneris.com" matched cert's
>> "gateway.moneris.com"
>> *  issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms;
>> OU=(c) 2012 Entrust, Inc. - for authorized use only; CN=Entrust
>> Certification Authority - L1K
>> *  SSL certificate verify ok.
>> *   Certificate level 0: Public key type RSA (2048/112 Bits/secBits),
>> signed using sha256WithRSAEncryption
>> *   Certificate level 1: Public key type RSA (2048/112 Bits/secBits),
>> signed using sha256WithRSAEncryption
>> *   Certificate level 2: Public key type RSA (2048/112 Bits/secBits),
>> signed using sha1WithRSAEncryption
>> * Connected to gateway.moneris.com (23.249.192.196) port 443
>> * using HTTP/1.x
>>> GET /chktv2/request/request.php HTTP/1.1
>>> Host: gateway.moneris.com
>>> User-Agent: curl/8.12.1
>>> Accept: */*
>>>
>> * Request completely sent off
>> < HTTP/1.1 200 OK
>> < Date: Thu, 27 Feb 2025 05:05:51 GMT
>> < Set-Cookie: GWID=5r08cio9drsdgp3ht14vh5gm07; path=/; secure; HttpOnly
>> < Expires: Thu, 19 Nov 1981 08:52:00 GMT
>> < Cache-Control: no-store, no-cache, must-revalidate
>> < Pragma: no-cache
>> < Content-Length: 120
>> < Content-Type: application/json
>> < Set-Cookie: TS019fcda0=015a7b8a0ba69d7487449af4e6244b5af029cd371252f3c29241d62c4f336e79130a22ac475f4f7fcfd170687cac1a3d9f3c133aa286fa274318844792223c93e9b50193bc;
>> Path=/; Domain=.gateway.moneris.com; Secure;
>> <
>> Exception: Invalid JSON input
>>
>>
> Next question, either ChatGPT or Gemini suggested rehash.
>
> How do I do a rehash if that is the problem?

Do you have security/ca_root_nss installed? Or use curl -k to trust this certificate.
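An added example, not part of this thread and not FreeBSD's or curl's own code, for checking the trust store the reply points at instead of reaching for curl -k: it locates the bundle that security/ca_root_nss installs, classifies the curl exit-60 text quoted above, and verifies a live chain with openssl against an explicit bundle. The bundle paths, the certctl(8) note and the classification wording are the example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose curl exit code 60 on FreeBSD
# while keeping certificate verification switched on (i.e. without -k).
# Assumptions: security/ca_root_nss installs /usr/local/share/certs/ca-root-nss.crt;
# certctl(8) in base maintains /etc/ssl/cert.pem and "certctl rehash" rebuilds it.

# Print the first non-empty CA bundle among the candidate paths; return 1 if none exists.
find_ca_bundle() {
  for f in "$@"; do
    if [ -s "$f" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  return 1
}

# Read curl's stderr on stdin and print "<class>: <what to do>".
# The first pattern is the message quoted in the thread; the others are OpenSSL
# X509 verify error strings that curl passes through unchanged.
classify_curl_error() {
  out=$(cat)
  case "$out" in
    *"self-signed certificate in certificate chain"*|*"unable to get local issuer certificate"*)
      echo "trust-store: the chain reaches a root curl does not trust; install security/ca_root_nss (or run certctl rehash) and confirm the bundle path with 'curl-config --ca'" ;;
    *"certificate has expired"*)
      echo "expired: a certificate in the chain is past notAfter; the server side has to renew it" ;;
    *) echo "unknown: not a certificate verification failure" ;;
  esac
}

# Verify the live chain against an explicit bundle, as 'curl --cacert' would,
# and print only openssl's verify result lines.
check_chain() {
  host=$1; cafile=$2
  openssl s_client -connect "$host:443" -servername "$host" -CAfile "$cafile" \
    </dev/null 2>&1 | grep -E '^(Verify return code|Verification)'
}

# Usage: ./check-ca.sh gateway.moneris.com
if [ $# -ge 1 ]; then
  bundle=$(find_ca_bundle /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem) ||
    { echo "no CA bundle found: pkg install ca_root_nss" >&2; exit 1; }
  echo "using $bundle"
  check_chain "$1" "$bundle"
fi
```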
