z/OS Tools & Language

Expand all | Collapse all

Curl: (51) SSL: certificate subject name

  • 1.  Curl: (51) SSL: certificate subject name

    Posted 10-28-2016 07:06

    Hello,
    I’m using your latest version of curl to connect to ssl url - the certificate authentication works not on all defined hosts
    The response on the command looks like this

    ./curl https://hnb-web.r-services.at:51000 -v

    • Rebuilt URL to: https://hnb-web.r-services.at:51000/
    • IDN support not present, can’t parse Unicode domains
    • Trying 10.15.34.115…
    • Connected to hnb-web.r-services.at (10.15.34.115) port 51000 (#0)
    • ALPN, offering http/1.1
    • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    • successfully set certificate verify locations:
    • CAfile: /usr/lpp/ported/share/curl-ca-bundle.crt
      CApath: none
    • TLSv1.2, TLS Unknown, Unknown (22):
    • TLSv1.2, TLS handshake, Client hello (1):
    • SSLv2, Unknown (22):
    • TLSv1.2, TLS handshake, Server hello (2):
    • SSLv2, Unknown (22):
    • TLSv1.2, TLS handshake, CERT (11):
    • SSLv2, Unknown (22):
    • TLSv1.2, TLS handshake, Server finished (14):
    • SSLv2, Unknown (22):
    • TLSv1.2, TLS handshake, Client key exchange (16):
    • SSLv2, Unknown (20):
    • TLSv1.2, TLS change cipher, Client hello (1):
    • SSLv2, Unknown (22):
    • TLSv1.2, TLS handshake, Finished (20):
    • SSLv2, Unknown (20):
    • TLSv1.2, TLS change cipher, Client hello (1):
    • SSLv2, Unknown (22):
    • TLSv1.2, TLS handshake, Finished (20):
    • SSL connection using TLSv1.2 / AES256-SHA
    • ALPN, server did not agree to a protocol
    • Server certificate:
    •    subject: C=AT; ST=Vienna; L=Vienna; O=xxxxxxxxxxxx GmbH; OU=Web Services; CN=xxx-web.r-services.at
      
    •    start date: 2013-06-14 08:29:06 GMT
      
    •    expire date: 2018-06-13 08:29:06 GMT
      
    • SSL: certificate subject name ‘▒▒▒▒▒▒K▒▒▒▒▒▒▒▒▒K▒▒’ does not match target host name ‘hnb-web.r-services.at
    • Closing connection 0
    • SSLv2, Unknown (21):
    • TLSv1.2, TLS alert, Client hello (1):
      curl: (51) SSL: certificate subject name ‘▒▒▒▒▒▒K▒▒▒▒▒▒▒▒▒K▒▒’ does not match target host name ‘hnb-web.r-services.at

    with other hostname it works. I think the problem seems not to be the certificate but something with ebcdic ascii conversion. Any suggestion how to fix that.
    thank you
    Andi O.



  • 2.  RE: Curl: (51) SSL: certificate subject name

    Posted 10-28-2016 08:54

    I am experiencing the exact same scenario with curl. Can you please advise how or if you resolved your issue.

    Thanks in advance.

    marcop



  • 3.  RE: Curl: (51) SSL: certificate subject name

    Posted 10-28-2016 11:40

    We suggest that you retry the command, supplying the additional argument -k. This argument disables some of the checks, and might allow it to work.

    We would like to replicate this problem here. Can you suggest a public URL that might demonstrate this problem?

    We are not sure whether IDN support is required for this to work, unfortunately we do not currently have a version of curl that contains support for IDN.



  • 4.  RE: Curl: (51) SSL: certificate subject name

    Posted 10-28-2016 13:53

    Hello,

    Yes you are right - specifying the -k option is working but it is unsecure.
    Unfortunately all the url we are using not for public use. If you will need
    any documentation material I can create it for you.
    I do not know if really IDN might be the problem - because on the working
    and the not working command the verbose output says
    IDN support not present, can’t parse Unicode domains

    thank you for your assistance
    best regards
    Andi O.



  • 5.  RE: Curl: (51) SSL: certificate subject name

    Posted 10-28-2016 15:38

    My understanding is that it is a feature of curl and that you need to use –k or fix your certificate.



  • 6.  RE: Curl: (51) SSL: certificate subject name

    Posted 10-28-2016 15:39


  • 7.  RE: Curl: (51) SSL: certificate subject name

    Posted 10-29-2016 07:01

    Hello,

    sorry - I changed it to xxx - the url in the certificate matches to
    hnb-web.r-services.at

    regards
    Andi O.



  • 8.  RE: Curl: (51) SSL: certificate subject name

    Posted 10-31-2016 14:22

    Fundamental problem here is that our cURL port does not support ASCII. We are planning to release another port of cURL with ASCII support but it will not be for another few months per our current schedule.



  • 9.  RE: Curl: (51) SSL: certificate subject name

    Posted 10-31-2016 16:33

    Hello,

    Yes - I think that points in the right direction.
    Can you provide me a testing version of the port as soon as you’ve got it.

    thank you
    best regards
    Andi O.