From nobody Thu Feb 27 05:14:14 2025
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Z3KJk5bZcz5pXhL
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Thu, 27 Feb 2025 05:14:30 +0000 (UTC)
	(envelope-from shuriku@shurik.kiev.ua)
Received: from mail.flex-it.com.ua (mail.flex-it.com.ua [193.239.74.7])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Z3KJj0fXpz3J71
	for <freebsd-security@freebsd.org>; Thu, 27 Feb 2025 05:14:29 +0000 (UTC)
	(envelope-from shuriku@shurik.kiev.ua)
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=none;
	spf=pass (mx1.freebsd.org: domain of shuriku@shurik.kiev.ua designates 193.239.74.7 as permitted sender) smtp.mailfrom=shuriku@shurik.kiev.ua
Received: from [188.231.181.61] (helo=[10.2.1.129])
	by mail.flex-it.com.ua with esmtpsa  (TLS1.3) tls TLS_AES_128_GCM_SHA256
	(Exim 4.98.1 (FreeBSD))
	(envelope-from <shuriku@shurik.kiev.ua>)
	id 1tnWE0-00000000OH6-0K1H
	for freebsd-security@freebsd.org;
	Thu, 27 Feb 2025 07:14:20 +0200
Message-ID: <aaf7507e-4953-4376-b7f1-27b200841b36@shurik.kiev.ua>
Date: Thu, 27 Feb 2025 07:14:14 +0200
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: False positive
To: freebsd-security@freebsd.org
References: <Z79-4aGRtz5Lwi22@doctor.nl2k.ab.ca>
Content-Language: uk-UA
From: Oleksandr Kryvulia <shuriku@shurik.kiev.ua>
In-Reply-To: <Z79-4aGRtz5Lwi22@doctor.nl2k.ab.ca>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-ACL-Warn: SPF failed. 188.231.181.61 is not allowed to send mail from shurik.kiev.ua.
X-Spamd-Result: default: False [-1.48 / 15.00];
	NEURAL_HAM_LONG(-0.92)[-0.917];
	NEURAL_HAM_SHORT(-0.90)[-0.902];
	NEURAL_SPAM_MEDIUM(0.64)[0.636];
	R_SPF_ALLOW(-0.20)[+mx];
	MIME_GOOD(-0.10)[text/plain];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	RCPT_COUNT_ONE(0.00)[1];
	ASN(0.00)[asn:35297, ipnet:193.239.72.0/22, country:UA];
	MIME_TRACE(0.00)[0:+];
	RCVD_COUNT_ONE(0.00)[1];
	MID_RHS_MATCH_FROM(0.00)[];
	R_DKIM_NA(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-security@freebsd.org];
	FROM_EQ_ENVFROM(0.00)[];
	FROM_HAS_DN(0.00)[];
	ARC_NA(0.00)[];
	TO_DN_NONE(0.00)[];
	DMARC_NA(0.00)[shurik.kiev.ua];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	RCVD_TLS_ALL(0.00)[]
X-Rspamd-Queue-Id: 4Z3KJj0fXpz3J71
X-Spamd-Bar: -

26.02.25 22:51, The Doctor:
> This main server is seeing
>
> curl -v -v -v -v -v -v -v -v -v -v -v -v  https://gateway.moneris.com/chktv2/request/request.php
> * !!! WARNING !!!
> * This is a debug build of libcurl, do not use in production.
> * STATE: INIT => SETUP handle 0x15e5070d7808; line 2393
> * STATE: SETUP => CONNECT handle 0x15e5070d7808; line 2409
> * Added connection 0. The cache now contains 1 members
> * STATE: CONNECT => RESOLVING handle 0x15e5070d7808; line 2308
> * Curl_multi_closed, fd=4 multi is 0x15e507095008
> * Curl_multi_closed, fd=4 entry is 0x15e507010508
> * Host gateway.moneris.com:443 was resolved.
> * IPv6: (none)
> * IPv4: 23.249.192.196
> * STATE: RESOLVING => CONNECTING handle 0x15e5070d7808; line 2266
> *   Trying 23.249.192.196:443...
> * ALPN: curl offers h2,http/1.1
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (OUT), TLS alert, unknown CA (560):
> * SSL certificate problem: self-signed certificate in certificate chain
> * multi_done[CONNECTING]: status: 60 prem: 1 done: 0
> * multi_done, not reusing connection=0, forbid=0, close=0, premature=1, conn_multiplex=0
> * Curl_disconnect(conn #0, aborted=1)
> * closing connection #0
> * [CCACHE] closing #0
> * Curl_multi_closed, fd=4 multi is 0x15e507095008
> * Curl_multi_closed, fd=4 entry is (nil)
> * [CCACHE] trigger multi connchanged
> curl: (60) SSL certificate problem: self-signed certificate in certificate chain
> More details here: https://curl.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the webpage mentioned above.
>
>
> yet wen I check against KAli, the server
> says the certificate is correct.
>
> What could have gone wrong?
>
I do not have this problem. ftp/curl built fom latest packages, version 
8.12.1.

% curl -v -v -v -v -v -v -v -v -v -v -v -v 
https://gateway.moneris.com/chktv2/request/request.php
* Host gateway.moneris.com:443 was resolved.
* IPv6: (none)
* IPv4: 23.249.192.196
*   Trying 23.249.192.196:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / 
prime256v1 / rsaEncryption
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=CA; ST=Ontario; L=Etobicoke; O=Moneris Solutions 
Corporation; CN=gateway.moneris.com
*  start date: Sep 20 14:46:33 2024 GMT
*  expire date: Oct 19 14:46:32 2025 GMT
*  subjectAltName: host "gateway.moneris.com" matched cert's 
"gateway.moneris.com"
*  issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms; 
OU=(c) 2012 Entrust, Inc. - for authorized use only; CN=Entrust 
Certification Authority - L1K
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), 
signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), 
signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), 
signed using sha1WithRSAEncryption
* Connected to gateway.moneris.com (23.249.192.196) port 443
* using HTTP/1.x
 > GET /chktv2/request/request.php HTTP/1.1
 > Host: gateway.moneris.com
 > User-Agent: curl/8.12.1
 > Accept: */*
 >
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Thu, 27 Feb 2025 05:05:51 GMT
< Set-Cookie: GWID=5r08cio9drsdgp3ht14vh5gm07; path=/; secure; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Length: 120
< Content-Type: application/json
< Set-Cookie: 
TS019fcda0=015a7b8a0ba69d7487449af4e6244b5af029cd371252f3c29241d62c4f336e79130a22ac475f4f7fcfd170687cac1a3d9f3c133aa286fa274318844792223c93e9b50193bc; 
Path=/; Domain=.gateway.moneris.com; Secure;
<
Exception: Invalid JSON input