I'm having trouble accessing https://api.owncloud.com using curl and wget: both complain about a self signed certificate in the chain, but openssl s_client says the connection is OK.
Other OSs, Debian and OS X, have no problem accessing the URL through curl. And I can access other HTTPS sites from FreeBSD with no problem, including the site of the root certificate of the problem site (godaddy.com).
I am running FreeBSD 10-RELEASE and have installed security/ca_root_nss.
If anyone can shed some light on this and/or do some testing of their own, it would be much appreciated.
Code:
openssl s_client -connect api.owncloud.com:443 -CAfile /usr/local/share/certs/ca-root-nss.crt
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.opendesktop.org
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.opendesktop.org
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.opendesktop.org
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 5632 bytes and written 507 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 38876B8EEFEC1854ED6E11E4D6E0FFA440ED7D83D5D9071F61640DD1885996DA
Session-ID-ctx:
Master-Key: F98AA85C39F06ED58D088ABD8A383CFBB1F749C3D91D2ACDA310D03F2911B47CB235BF28FEC61AA1885A6E3B7CFD8886
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
Start Time: 1414705385
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Code:
curl -v https://api.owncloud.com
* Rebuilt URL to: https://api.owncloud.com/
* Hostname was NOT found in DNS cache
* Trying 188.138.118.86...
* Connected to api.owncloud.com (188.138.118.86) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
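Added example, not part of the original post: a small parser for the "Certificate chain" section of the s_client output above. It checks that each certificate's issuer matches the next subject and flags any self-signed certificate the server itself sent, which is the condition named in curl's error. The sample input is copied from the chain in the post; the function names are my own.

```python
import re

# Chain section copied from the s_client output in the post.
SAMPLE = """\
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.opendesktop.org
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
"""

def parse_chain(text):
    """Return [(index, subject, issuer), ...] from the 'Certificate chain' block."""
    chain, in_block, current = [], False, None
    for line in text.splitlines():
        line = line.strip()
        if line == "Certificate chain":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "---":          # end of the chain section
            break
        m = re.match(r"(\d+)\s+s:(.*)$", line)
        if m:
            current = [int(m.group(1)), m.group(2), None]
            chain.append(current)
        elif line.startswith("i:") and current is not None:
            current[2] = line[2:]
    return [tuple(c) for c in chain]

def audit_chain(chain):
    """Flag self-signed certs sent by the server and issuer/subject mismatches."""
    findings = []
    for pos, (idx, subject, issuer) in enumerate(chain):
        if subject == issuer:
            findings.append((idx, "self-signed", subject))
        elif pos + 1 < len(chain) and issuer != chain[pos + 1][1]:
            findings.append((idx, "broken-link", issuer))
    return findings

if __name__ == "__main__":
    for finding in audit_chain(parse_chain(SAMPLE)):
        print(finding)
```

On the chain from the post this reports one finding: the certificate at index 3 is self-signed, and every other issuer matches the next subject.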