Re: Firefox 2.0.0.5 handling of binary files



On 2007-07-30 21:53:43 +0100, Clive <c_barrows@xxxxxxxxxxx> said:

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.


I must still be doing something wrong here, as I don't get any
message about the certificate expiring when I just download log files.

SSL (which is what HTTPS uses) is a security mechanism that involves something called X.509. Essentially X.509 is a way of saying that company A has shown itself trustworthy to company B (usually involving payment :-), and can prove this by showing you a mathematically unforgeable certificate. (And potentially company B could have proved itself trustworthy to company C, etc etc) In X.509 lingo, company B is acting as a certificate authority, or CA.

Now the question is do *you* trust company B to verify company A?

Most web browsers (and OSes) ship with a bunch of certificates from companies like B, and are configured to automatically trust these companies to verify web servers. OS X contains a special keychain with all of these certificates in, and Safari uses that. Firefox doesn't use OS X's keychain, and instead has its own built-in list of trusted certificates.

So Safari/Firefox are probably configured to trust whichever company it was that signed your web server's certificate, and curl it seems has not been configured that way.

If you pretend to curl that you do trust the certificate (or don't want it to check) then you should get the info you desire. Just do what curl's error message said, and type:

curl -k -I https://....

I'm concerned that I'm taking up too much of everyone's time here -
but still very appreciative.

No problem.

Cheers,

Chris
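
An added illustration, not part of the original post: the script below builds a throwaway "company B" CA and a "company A" server certificate, then checks that certificate against a bundle without B and against an alternate bundle with B appended, which is the kind of file curl's --cacert option points at. All names and certificates are constructed for the example, and it assumes the openssl command line tool, version 1.1.0 or later.

```shell
#!/bin/sh
# Added example: every key, certificate and name here is constructed locally.

# Create a throwaway CA ("company B"), a server certificate it signs
# ("company A"), and an unrelated CA standing in for a bundle without B.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Company B CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=www.company-a.example" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
}

# Succeeds only if the certificate ($2) chains to a CA in the bundle ($1).
trusted_by_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Report the verdict for one bundle, the way a verifying client would decide.
report() {
    if trusted_by_bundle "$1" "$2"; then
        echo "$1: server certificate verifies"
    else
        echo "$1: verification fails (signing CA not in bundle)"
    fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    # Bundle lacking company B: verification is expected to fail.
    cp "$tmp/other.crt" "$tmp/bundle-without-b.crt"
    report "$tmp/bundle-without-b.crt" "$tmp/server.crt"
    # Alternate bundle that also holds company B: verification stays on.
    cat "$tmp/other.crt" "$tmp/ca.crt" > "$tmp/bundle-with-b.crt"
    report "$tmp/bundle-with-b.crt" "$tmp/server.crt"
    rm -rf "$tmp"
}

demo
```

Unlike -k, the second bundle keeps the name and expiry checks in force; only the set of trusted signers changes.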
