HPE Community
Operating System - HP-UX
1846634 Members
1839 Online
110256 Solutions
New Discussion

Re: HTTPS over SSL for the product HP-UX

 
SOLVED
Go to solution
PK_1975
Frequent Advisor

‎05-20-2008 11:32 AM

‎05-20-2008 11:32 AM

Re: HTTPS over SSL for the product HP-UX

I converted the .pfx file in to .pem with both Certificate Segment and Private key Segment
Now I am trying to tell "openssl s_client" and "curl" that you have a client certificate that you are willing to use for authentication.
So I used this command.
openssl s_client -cert YourCertificateFile.pem -connect host:port
After using this command it is compiled but given an error like this
Verify return code: 19 (self signed certificate in certificate chain)

so, I am not able to download or upload the file by using command line in HP-UX

So , could u please help me to resolve this problem

Thanks
PK
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎05-20-2008 08:29 PM

‎05-20-2008 08:29 PM

Re: HTTPS over SSL for the product HP-UX

OK, so your SSL tools (both "openssl s_client" and "curl") must be told that they can trust this "GTE CyberTrust Solutions" that your client has chosen for his Certification Authority.

To do that, you need to get the root CA certificate(s) of GTE CyberTrust from some source you're willing to trust. The CA certificates are generally built in to web browsers and other SSL-using applications: you might be able to export the certificates from the browser. Or you might fetch them from GTE Cybertrust's web site:
http://cybertrust.omniroot.com/support/sureserver/root_install_ap.cfm

(As this page contains certificates intended for Apache, they are in PEM format: disregard the .crt extension.)

Or you might use the -showcerts option with the "openssl s_client" command, identify the correct certificate and store it in a file. If you do this, you have no guarantee that the CA certificate is really from GTE Cybertrust: you're basically giving up on trying to verify its authenticity and trusting it as-is.

After you have the correct CA certificate in PEM format in some file (let's call it CAcert.pem), the simplest solution is to add one more option to your commands.

For openssl s_client, the command becomes:

openssl s_client -CAfile CAcert.pem -cert YourCertificateFile.pem -connect host:port

For curl, the correct option is "--cacert CAcert.pem".

Now you must remember that your connection will stop working when any of the certificates expires. You should find out the expiration times and document them.

To read the information about a certificate stored in PEM file format, use this command:

openssl x509 -in SomeCertificate.pem -noout -text

MK
MK
Reply
PK_1975
Frequent Advisor

‎05-21-2008 05:09 AM

‎05-21-2008 05:09 AM

Re: HTTPS over SSL for the product HP-UX

HI

Could you tell me how to use user name and password in the command line to https

0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎05-21-2008 09:56 PM

‎05-21-2008 09:56 PM

Re: HTTPS over SSL for the product HP-UX

You might actually want to read the man page of the "curl" command.

The option you need is "-u user:password". You may also have to specify one of --basic, --digest, --ntlm, --negotiate or --anyauth to specify HTTP(S) authentication type. "--anyauth" will automatically select the most secure authentication type the server allows.

There is no easy way to do this with "openssl s_client" because it only handles the SSL outer layer (the S in HTTPS). You would have to implement the HTTP-style authentication protocol yourself.

MK
MK
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.