Develop Reference

Need to by pass Location while running curl command

While running the curl command using both (credentials & without) I always get location output which is correct & due to this I get
HTTP/1.1 302 Found this output but in reality application is down.
any idea/help how to by pass or check the correct output.
[root#VDCLP3213 ~]# curl -Ik http://grid-net.gs.ec.ge.com/GestionHeures --user (username:Password)
HTTP/1.1 302 Found
Date: Tue, 23 Jan 2018 10:14:52 GMT
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Cache-Control: private,no-store,no-cache,max-age=0
Location: https://fss.gecompany.com/fss/idp/SSO.saml2?SAMLRequest=fZHBbsIwEER%2FJfI9cRJCQRaJlMKhSLSghvbQS%2BU4S7Dk2KnXKeXva6BV6YWrPfN2ZneGvFM9Kwe318%2FwMQC64KtTGtn5IyeD1cxwlMg07wCZE6wqH1csjWLWW%2BOMMIoEJSJYJ42eG41DB7YC%2BykFvDyvcrJ3rkdGaWtlE2pwUYsRiKiFSJiOVntZ10aB20eIhp7gKd2sqy0JFj6N1PzE%2FaPsEL3VO3uuj2eCf6Gy6WlVraNT6pQEy0VO3rPxpG5EPJnuGj6eTtLdiIsk4TGI%2BI5Ps8zLEAdYanRcu5ykcTIN4yRMR9skZknGxukbCTY%2FJe%2BlbqRub2%2BkvoiQPWy3m%2FDS4hUsnht4ASlmp4TsPNhebfo2lv%2BulxQthl4fHkD56hD2xjouVdjbZkav0Jc5PXvyrOViY5QUx6BUyhzmFriDnCSEFhfL%2F%2FMX3w%3D%3D&RelayState=ss%3Amem%3A7871d5ec2f67dc36f0c796d589df7cc5f38664a8a79eb7daa3d8f80059eb8259
Connection: close
Content-Type: text/html; charset=iso-8859-1
Please help

Use the -L or --location option to follow redirects.
Note that this will still show the headers for all the intermediate sites, you'll need to parse out the last HTTP/1.1 line and its following headers to get the headers from the final target.
$ curl -s -I -L online.bridgebase.com/purchase/pay.php
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.2
Date: Tue, 23 Jan 2018 11:04:23 GMT
Content-Type: text/html
Content-Length: 160
Connection: close
Location: https://www.bridgebase.com/purchase/pay.php
Set-Cookie: SRV=www2.dal06.sl; path=/; domain=.bridgebase.com
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Tue, 23 Jan 2018 11:04:23 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.45-0+deb7u11
Set-Cookie: PHPSESSID=og3dirjhdi4lhtm17iav8kgm67; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: SRV=www1.dal09.sl; path=/; domain=.bridgebase.com
imac:barmar $ curl --version
curl 7.54.0 (x86_64-apple-darwin14.5.0) libcurl/7.54.0 OpenSSL/1.0.2k zlib/1.2.5 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets HTTPS-proxy

openssl self signed certificate node.js

I have installed openSSl with cygwin and generated self singed certifikate like this
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out csr.pem
openssl x509 -req -in csr.pem -signkey server.key -out cert.pem
i tried to test if i was succesfull so i created a basic tls connection with node
var tls=require("tls");
var fs=require("fs");
var serverOptions={
key:fs.readFileSync('C:/cygwin64/home/Matej/csr.pem'),
cert:fs.readFileSync('C:/cygwin64/home/Matej/cert.pem')
}
var server=tls.createServer(serverOptions);
server.listen(4001)
but it threw error
c.context.setKey(options.key);
^
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
i quite dont understand what does the erron mean. Did i generated the key/certifikate wrong?
I tried looking here but my pem files does not contain ^M .My cert looks like
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
and csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Logstash and logstash-forwarder ssl error

I have 2 servers:
logstash server
app server
If I run a logstash-forwarder on a logstash server - it's ok.
But if I run logstash-forwarder on app server i get an error:
Failed to tls handshake with <ip> x509: certificate has expired or is not yet valid
And when I check the certificate by command:
openssl x509 -in logstash-forwarder.crt -noout -text
I take a valid certificate:
...
Validity
Not Before: Jun 28 17:33:36 2015 GMT
Not After : Jun 27 17:33:36 2016 GMT
...
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:<ip>
Date on app serve:
root#app:/etc/pki/logstash# date
Sun Jun 28 20:53:30 MSK 2015
What's wrong?

I faced the similar kind of issue and fixed it. Looks like you didn't have any DNS set for you logstash index server. In this case you have to set SAN to openssl.cnf and regenerate the cert along with key.
How to set SAN?
sudo vi /etc/pki/tls/openssl.cnf
Find the [ v3_ca ] section in the file, and add this line under it (substituting in the Logstash Index Server's IP address):
subjectAltName = IP: logstash__index_server_private_ip
After that try regenerating your cert and key
cd /etc/pki/tls
sudo openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
And change your config file to point the cert and key from both end(index and forwarder) accordingly. Hope this will workout for you.

Openssl shows a different server certificate while browser shows correctly

I am using openssl s_client -showcerts -connect test.abc.com:443 -state -debug to check the server certificate. The server is using nginx. But when i request the above openssl shows the server certificate as *.xyz.com. I want to know where openssl is getting this as the server certificate. OS is Linux. checked in /etc/pki/tls but the certificate which openssl reads as the server certificate is not there. And the nginx config points to the correct certificate for abc.com. Also if I access using the browser the correct cert is shown. This happens only with openssl. :(

there is a SNI issue with openssl, try using this command:
openssl s_client -showcerts -connect www.example.com:443 -servername www.example.com </dev/null
The addition of -servername according to this article should clear it up.

The server is issuing a permanent redirect to ethornetworks.com. To see it, first issue your s_client command:
$ openssl s_client -CAfile AddTrustExternalCARoot.crt -connect apitest.ethormapp.com:443
CONNECTED(00000003)
depth=4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=3 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN - DATACorp SGC
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = EssentialSSL CA
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.ethornetworks.com
verify return:1
...
At the very bottom, after you get the verify result, enter a GET / HTTP/1.0 command and press RETURN twice:
...
Start Time: 1390985154
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET / HTTP/1.0
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.4
Date: Wed, 29 Jan 2014 08:46:01 GMT
Content-Type: text/html
Content-Length: 184
Connection: close
Location: https://www.ethornetworks.com/
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.4.4</center>
</body>
</html>
closed
$
If you follow the redirect, then you will get the expected result:
$ openssl s_client -CAfile AddTrustExternalCARoot.crt -connect www.ethornetworks.com:443
CONNECTED(00000003)
depth=4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.ethornetworks.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
...
Finally, you can use the AddTrust External CA Root to ensure the chain verifies as expected. Without it and the -CAfile option, s_client will report 19 (self signed certificate in certificate chain).

curl openssl can't verify IIS 7 self-signed cert even when added to curl-ca-bundle.crt

I used IIS 7 on Windows Server Enterprise 2008 to generate a self-signed cert for use with IIS (basically one-click button).
However, even when I export and add this cert to a windows client's curl-ca-bundle.crt, neither it nor openssl.exe will not verify the cert correctly:
openssl s_client -CAfile curl-ca-bundle.crt -showcerts -connect myserver.ad.pri:443
CONNECTED(00000003)
depth=0 /CN=myserver.ad.pri
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=myserver.ad.pri
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=myserver.ad.pri
i:/CN=myserver.ad.pri
-----BEGIN CERTIFICATE-----
MIIDADCCAeigAwIBAgIQTi9gdBLdo6pJ1h4Zljr/wzANBgkqhkiG9w0BAQUFADAp
....
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=myserver.ad.pri
issuer=/CN=myserver.ad.pri
---
No client certificate CA names sent
---
SSL handshake has read 924 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Start Time: 1377728216
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
read:errno=104
I used IE to export the cert to Base-64 Encoded, which is openssl-readable as PEM:
openssl x509 -inform PEM -in myserver.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:2f:60:74:12:dd:a3:aa:49:d6:1e:19:96:3a:ff:c3
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=myserver.ad.pri
Validity
Not Before: Aug 26 15:38:46 2013 GMT
Not After : Aug 26 00:00:00 2014 GMT
Subject: CN=myserver.ad.pri
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
....
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: sha1WithRSAEncryption
...
-----BEGIN CERTIFICATE-----
....
openssl/curl with the same curl-ca-bundle.crt will verify certs from google.com:443 etc. just fine.

I also ran into this (and I'm very surprised more people haven't.) when I couldn't get a NodeJS HTTP(s) client to connect to an IIS instance with a self-signed-certificate on it (one created through IIS manager) Just got the dreaded' unable to verify the first certificate error!
It seems that this is because the certificates that IISManager creates for this purpose specify some 'Key Usage' extensions; 'Key Encipherment' and 'Data Encipherment'.
It turns out that when openssl encounters a certificate that specifies 'Key Usage' but fails to specify the 'certSign' usage then the openssl code will discount that certificate as a possible CA certificate even if it has been correctly provided to the openssl code (meaning it is unable to verify the certificate against said absent CA!).
(See the logic here https://github.com/openssl/openssl/blob/6f0ac0e2f27d9240516edb9a23b7863e7ad02898/crypto/x509v3/v3_purp.c#L503 )
The solution is as the one already above, which is to create your own certificates with the correct key usages (or no key usage extensions!)
I also thought I should include an alternative way of creating the Self Signed certificate that openssl clients would be happy with if you're in windows land.
First download the powershell script from here
In a powershell console (Administrative) execute the following commands from within a folder that contains the downloaded scripts
New-SelfsignedCertificateEx -StoreLocation "LocalMachine" -KeyUsage "DigitalSignature,KeyEncipherment,KeyCertSign" -Subject "CN=<HOST_NAME_TO_USE>" -FriendlyName "<HOST_NAME_TO_USE>" -SignatureAlgorithm sha256 -SubjectAlternativeName "<HOST_NAME_TO_USE>","anotherhost.org","someotherdomain.com"
Once you've executed the above command your LocalMachine\Personal Certificates store will contain a self-signed certificate that can be used by IIS for its SSL communications. (Please note you may also need to copy this certificate into one of the Trusted Root stores as well to guarantee that the certificate is trusted on that machine)

I solved this by using openssl to create a self-signed CA cert, then created a server cert request (also in OpenSSL, for some reason openssl does not like to sign requests generated by IIS), signed it with the former CA cert, then exported to PKCS12. Then imported into IIS. Once the CA cert is added to curl-ca-bundle.crt, it will verify the chain correctly:
Generate a CA:
openssl req -new -x509 -days 3650 -extensions v3_ca \
-keyout cakey.pem -out cacert.pem -config /etc/ssl/openssl.cnf \
-newkey rsa:2048
Generate a server key and signing request:
openssl req -new -nodes -out server-csr.pem -keyout server-key.pem -newkey rsa:2048
Sign the request with the CA:
openssl ca -config /etc/ssl/openssl.cnf -cert cacert.pem -keyfile cakey.pem \
-out server-cert.pem -in server-csr.pem
Export the server cert to PKCS#12:
openssl pkcs12 -export -out server-key-cert.pfx \
-inkey server-key.pem -in server-cert.pem -certfile cacert.pem
Import server-key-cert.pfx into IIS. (Re)bind the site binding's SSL binding to the cert.
Append cacert.pem to clients' curl-ca-bundle.crt. openssl s_client -showcerts -CAfile curl-ca-bundle.crt -connect server:443 has depth 0 and 1 and will verify return.
Notes: Make sure that keyUsage = nonRepudiation, digitalSignature, keyEncipherment is enabled under section [usr_cert] in openssl.cnf else requests won't contain those keyUsage and IIS will complain on binding.