From: el kalin
To: Dan Lukes, freebsd-security@freebsd.org, freebsd-users@freebsd.org
Date: Tue, 7 Apr 2015 20:53:44 -0400
Subject: Re: openssl certificates
On Tue, Apr 7, 2015 at 8:43 PM, Dan Lukes wrote:
> el kalin wrote:
> > thanks dan… i have added the certs to the ca-root-nss.crt. it still
> > doesn't help much in my case.
>
> You didn't describe your issue in the original post.
>
> > the problem really is that i can not get any https requests from a
> > freebsd 10 box using a third party signed certificate with my private
> > key and their ca certs to work. mostly testing with wget on the
> > command line (it's a remote machine) like:
> >
> > wget --verbose --no-cookies --certificate=local.pem
> > --ca-certificate=/usr/local/share/ca-root-nss.crt
> > "https://domain.org/soapservice.asmx?WSDL"
>
> Well ...
>
> 1. wget is a third party utility, not the native FreeBSD one, so if it
> is wget's issue, you should ask wget's authors/support team. But don't
> forget local.pem should contain the private key as well as the
> certificate.

they are both together - the signed certificate and the key...

> > this is for a soap call. and the local.pem is a conversion from a
> > pkcs12 file. every time i do that i get:
> >
> > HTTP request sent, awaiting response... 405 Method Not Allowed
> >
> > does that mean that the web server actually verified the certificate
> > and the problem is coming from the soap server application?
>
> 2. we don't know the true reason for the "405 Method Not Allowed"
> response. It has nothing to do with FreeBSD. It's a matter of either
> configuration of the HTTP server software (another third party
> application) or the SOAP application. It may or may not be related to
> a certificate. The administrator of the www server/SOAP application in
> question should help you. We are unable to disclose a reason for the
> particular behavior of an unknown SOAP application.
>
> For example, you may use the wrong HTTP method to access the
> application (just an idea derived from the error message).

i think it's just GET. like firefox does.

> > i am able to make successful requests to retrieve the wsdl using
> > firefox after importing the signed certificate…
>
> Maybe it is using the correct method? Just guessing ...
>
> > also when i test the certificates against the server with:
> >
> > openssl s_client -cert local.pem -connect domain.org:443 -CAfile
> > /usr/local/share/ca-root-nss.crt -debug
> >
> > i get to:
> >
> > Timeout : 300 (sec)
> > Verify return code: 0 (ok)
> > ---
> >
> > and then it just hangs, nothing happens - there is no prompt back…
>
> What kind of prompt are you wishing for? You ordered a connection to
> the HTTPS server. You got it. Now you need to write an HTTP/SOAP
> request. Then you can wish for a response.
>
> I can't tell you the SOAP request format. There's nothing like a
> generic SOAP request. It's a matter of the application in question.
> Consult its documentation or ask the author.

thank you. i think i have an idea of where to look for the answers next. appreciate your replies...
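Two of Dan's points in the thread can be checked on the client box before bothering the remote administrator: the PEM file handed to wget's --certificate must hold both the certificate and its private key, and after "Verify return code: 0 (ok)" s_client has only opened the TLS session; the HTTP request still has to be written into it. The script below is an added example, not code from this thread or from the FreeBSD project. The function names (check_pem_bundle, build_get_request, make_test_bundle) are this example's own, the self-signed key and certificate it generates are constructed test data, and domain.org with /soapservice.asmx?WSDL are used only as placeholders taken from the thread. It needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.

# Check that one PEM file holds both a certificate and a private key
# (what wget's --certificate expects when no --private-key is given)
# and that the key really belongs to the certificate: compare the
# SHA-256 of the certificate's public key with the public key derived
# from the private key.
check_pem_bundle() {
    f="$1"
    grep -q 'BEGIN CERTIFICATE' "$f" \
        || { echo "$f: no certificate block" >&2; return 1; }
    grep -Eq 'BEGIN (RSA |EC )?PRIVATE KEY' "$f" \
        || { echo "$f: no private key block" >&2; return 1; }
    # openssl skips PEM blocks of other types, so both commands can read
    # the combined file (the order of the blocks does not matter).
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$f" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "$f: private key does not match certificate" >&2; return 1; }
}

# The raw request that s_client does not write for you: once the
# "---" line has been printed, the session is open and waits for this.
# $1 = host header, $2 = request path.
build_get_request() {
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$2" "$1"
}

# Constructed test data: a throwaway self-signed key and certificate,
# concatenated the same way a pkcs12 -> PEM conversion produces local.pem.
make_test_bundle() {
    dir="$1"; name="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    cat "$dir/$name.crt" "$dir/$name.key" > "$dir/$name.pem"
}

# Usage against the thread's placeholders (hypothetical host and path):
#   check_pem_bundle local.pem \
#     && build_get_request domain.org '/soapservice.asmx?WSDL' \
#     | openssl s_client -quiet -cert local.pem -connect domain.org:443 \
#          -CAfile /usr/local/share/ca-root-nss.crt
```

If check_pem_bundle passes and the piped s_client run still answers 405, the TLS side (client certificate accepted, chain verified) is ruled out and, as Dan says, the remaining question is which method and path the SOAP application expects.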