From: Oleksandr Kryvulia <shuriku@shurik.kiev.ua>
To: freebsd-security@freebsd.org
Date: Fri, 28 Feb 2025 09:06:39 +0200
Subject: Re: False positive
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security
Message-ID: <3c90f42a-6ef7-4f9e-b695-d4d23879881f@shurik.kiev.ua>
27.02.25 19:06, The Doctor:
> On Thu, Feb 27, 2025 at 07:14:14AM +0200, Oleksandr Kryvulia wrote:
>> 26.02.25 22:51, The Doctor:
>>> This main server is seeing
>>>
>>> curl -v -v -v -v -v -v -v -v -v -v -v -v https://gateway.moneris.com/chktv2/request/request.php
>>> * !!! WARNING !!!
>>> * This is a debug build of libcurl, do not use in production.
>>> * STATE: INIT => SETUP handle 0x15e5070d7808; line 2393
>>> * STATE: SETUP => CONNECT handle 0x15e5070d7808; line 2409
>>> * Added connection 0. The cache now contains 1 members
>>> * STATE: CONNECT => RESOLVING handle 0x15e5070d7808; line 2308
>>> * Curl_multi_closed, fd=4 multi is 0x15e507095008
>>> * Curl_multi_closed, fd=4 entry is 0x15e507010508
>>> * Host gateway.moneris.com:443 was resolved.
>>> * IPv6: (none)
>>> * IPv4: 23.249.192.196
>>> * STATE: RESOLVING => CONNECTING handle 0x15e5070d7808; line 2266
>>> *   Trying 23.249.192.196:443...
>>> * ALPN: curl offers h2,http/1.1
>>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>>> * TLSv1.2 (OUT), TLS alert, unknown CA (560):
>>> * SSL certificate problem: self-signed certificate in certificate chain
>>> * multi_done[CONNECTING]: status: 60 prem: 1 done: 0
>>> * multi_done, not reusing connection=0, forbid=0, close=0, premature=1, conn_multiplex=0
>>> * Curl_disconnect(conn #0, aborted=1)
>>> * closing connection #0
>>> * [CCACHE] closing #0
>>> * Curl_multi_closed, fd=4 multi is 0x15e507095008
>>> * Curl_multi_closed, fd=4 entry is (nil)
>>> * [CCACHE] trigger multi connchanged
>>> curl: (60) SSL certificate problem: self-signed certificate in certificate chain
>>> More details here: https://curl.se/docs/sslcerts.html
>>>
>>> curl failed to verify the legitimacy of the server and therefore could not
>>> establish a secure connection to it. To learn more about this situation and
>>> how to fix it, please visit the webpage mentioned above.
>>>
>>>
>>> yet when I check against Kali, the server
>>> says the certificate is correct.
>>>
>>> What could have gone wrong?
>>>
>> I do not have this problem. ftp/curl built from latest packages, version
>> 8.12.1.
>>
>> % curl -v -v -v -v -v -v -v -v -v -v -v -v
>> https://gateway.moneris.com/chktv2/request/request.php
>> * Host gateway.moneris.com:443 was resolved.
>> * IPv6: (none)
>> * IPv4: 23.249.192.196
>> *   Trying 23.249.192.196:443...
>> * ALPN: curl offers h2,http/1.1
>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / prime256v1 /
>> rsaEncryption
>> * ALPN: server did not agree on a protocol. Uses default.
>> * Server certificate:
>> *  subject: C=CA; ST=Ontario; L=Etobicoke; O=Moneris Solutions Corporation;
>> CN=gateway.moneris.com
>> *  start date: Sep 20 14:46:33 2024 GMT
>> *  expire date: Oct 19 14:46:32 2025 GMT
>> *  subjectAltName: host "gateway.moneris.com" matched cert's
>> "gateway.moneris.com"
>> *  issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms;
>> OU=(c) 2012 Entrust, Inc. - for authorized use only; CN=Entrust
>> Certification Authority - L1K
>> *  SSL certificate verify ok.
>> *   Certificate level 0: Public key type RSA (2048/112 Bits/secBits),
>> signed using sha256WithRSAEncryption
>> *   Certificate level 1: Public key type RSA (2048/112 Bits/secBits),
>> signed using sha256WithRSAEncryption
>> *   Certificate level 2: Public key type RSA (2048/112 Bits/secBits),
>> signed using sha1WithRSAEncryption
>> * Connected to gateway.moneris.com (23.249.192.196) port 443
>> * using HTTP/1.x
>> > GET /chktv2/request/request.php HTTP/1.1
>> > Host: gateway.moneris.com
>> > User-Agent: curl/8.12.1
>> > Accept: */*
>> >
>> * Request completely sent off
>> < HTTP/1.1 200 OK
>> < Date: Thu, 27 Feb 2025 05:05:51 GMT
>> < Set-Cookie: GWID=5r08cio9drsdgp3ht14vh5gm07; path=/; secure; HttpOnly
>> < Expires: Thu, 19 Nov 1981 08:52:00 GMT
>> < Cache-Control: no-store, no-cache, must-revalidate
>> < Pragma: no-cache
>> < Content-Length: 120
>> < Content-Type: application/json
>> < Set-Cookie: TS019fcda0=015a7b8a0ba69d7487449af4e6244b5af029cd371252f3c29241d62c4f336e79130a22ac475f4f7fcfd170687cac1a3d9f3c133aa286fa274318844792223c93e9b50193bc;
>> Path=/; Domain=.gateway.moneris.com; Secure;
>> <
>> Exception: Invalid JSON input
>>
>>
> Next question, either ChatGPT or Gemini suggested rehash.
>
> How do I do a rehash if that is the problem?

Do you have security/ca_root_nss installed? Or use curl -k to trust this certificate.
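What the two curl runs in this thread show can be reproduced without any network access. The failing run ends in curl error 60 with OpenSSL's verify error 19, "self-signed certificate in certificate chain": the server delivered its root as the last certificate of the chain (the working run shows it at certificate level 2), but the client's trust store did not contain that root. A missing intermediate would instead give error 20, "unable to get local issuer certificate". So the cause is the trust store on the failing machine, which is why installing the root bundle (security/ca_root_nss places it under /usr/local/share/certs) is the fix, while curl -k only switches verification off. The script below is an added example, not part of the list thread or of the FreeBSD ports; it builds a throwaway root CA and leaf with the openssl CLI (all names and paths in it are constructed), reproduces both verify errors, then shows the trusted-root case and the "rehash" step that The Doctor asked about: a -CApath directory is only consulted through hash-named links, which openssl rehash (formerly the c_rehash script) creates.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce curl's certificate-chain outcomes
# offline with the openssl CLI. "Demo Root CA" and gateway.example.test stand in for
# the Entrust root and the gateway.moneris.com leaf; everything here is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root, a leaf issued by it, and the chain a server presents: leaf followed
# by its issuer(s), root included, as the working curl run in the thread shows.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=gateway.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/leaf.pem" 2>/dev/null
  cat "$WORK/leaf.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# Reduce openssl verify's output (stdout and stderr together) to one word.
classify() {
  case $1 in
    *": OK"*)                                   echo ok ;;
    *"certificate in certificate chain"*)       echo untrusted-root-in-chain ;;  # curl (60) in the thread
    *"unable to get local issuer certificate"*) echo issuer-missing ;;
    *)                                          echo "other: $1" ;;
  esac
}

# Verify the leaf with the server-sent chain as untrusted input. The default CAfile and
# CApath are disabled so that only the trust store passed in "$@" counts.
verify_chain() {
  classify "$(openssl verify -no-CAfile -no-CApath "$@" \
              -untrusted "$WORK/chain.pem" "$WORK/leaf.pem" 2>&1 || true)"
}

# Same, but as if the server had sent the leaf alone (no intermediates, no root).
verify_leaf_alone() {
  classify "$(openssl verify -no-CAfile -no-CApath "$WORK/leaf.pem" 2>&1 || true)"
}

# Populate a -CApath directory; with $2 = 1 also run the "rehash" that creates the
# <subject-hash>.0 links X509_LOOKUP_hash_dir needs (openssl rehash, once c_rehash).
build_capath() {
  mkdir -p "$1"
  cp "$WORK/root.pem" "$1/demo-root.pem"
  if [ "$2" = 1 ]; then openssl rehash "$1" 2>/dev/null; fi
}

main() {
  make_demo_pki
  echo "server sent leaf only, root untrusted:       $(verify_leaf_alone)"
  echo "server sent root too, root untrusted:        $(verify_chain)"
  echo "root in -CAfile (what a root bundle gives):  $(verify_chain -CAfile "$WORK/root.pem")"
  build_capath "$WORK/capath" 0
  echo "root in -CApath, directory not rehashed:     $(verify_chain -CApath "$WORK/capath")"
  build_capath "$WORK/capath" 1
  echo "root in -CApath after openssl rehash:        $(verify_chain -CApath "$WORK/capath")"
}

if command -v openssl >/dev/null 2>&1; then
  main
else
  echo "this demo needs the openssl CLI" >&2
fi
```

The third line of output is the ca_root_nss case, the fourth is what a CA directory looks like before a rehash and the fifth after it. On FreeBSD the base system manages its own certificate directory with certctl(8), whose rehash subcommand does the same job for /etc/ssl/certs. Recent curl builds also print the CAfile and CApath they are about to use near the top of a -v trace, which is the quickest way to see which store a failing machine is consulting before reaching for -k.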