Forum Discussion

AngryCat_52750
Nimbostratus
Feb 23, 2016

curl with HTTPS

I am running a curl command from the F5 for an HTTPS asmx page on one of my servers.

curl https://example.apples.com/aaaa/bbb/cccc.asmx
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

When running it with the -k option, the XML from the asmx page comes out fine.

How do I fine-tune my HTTPS health monitor to reflect this?

Current health monitor -

GET /aaaa/bbb/cccc.asmx HTTP/1.1\r\nHost: example.apples.com\r\nConnection: Close\r\n\r\n

8 Replies

  • Amy_123193
    Historic F5 Account

    Much like the default serverssl profile behavior, HTTPS monitors do not validate server certificates. It should be possible to do so with an external monitor.

     

    • nemmank
      Nimbostratus

      Basic curl when the HTTPS connection is hosted on a non-standard HTTPS port.

       

      curl -kv --cert /config/ssl/ssl.crt/cert.crt --key /config/ssl/ssl.key/key.key

       


  • The cURL command, as you know, performs the client side of an HTTPS SSL handshake as appropriate. In any SSL handshake, the server sends its certificate to the client and the client must then "accept" that certificate as valid and trusted. The -k option simply tells cURL to ignore validity and trust checks. In lieu of that you'd need to provide a way for cURL to validate (and trust) the server's certificate, usually by way of a CA certificate or certificate bundle using the --cacert option.

     

    As the HTTPS monitor doesn't have an option to specify a CA certificate (or bundle), depending on version I believe, it should imply the same -k option and ignore server certificate validity checks.

     

    Are you not seeing this behavior?
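An external monitor of the kind Amy mentions, using the --cacert approach from the reply above, as an added example that is not part of this thread and not one of F5's own sample scripts. It assumes the BIG-IP external-monitor calling convention (node address as $1 in IPv6-mapped form such as ::ffff:10.1.2.3, port as $2, MON_TMPL_NAME set in the environment, and any output on stdout meaning UP); the hostname, path and CA file path are placeholders, and the CA file is assumed to hold the chain that signed the asmx server's certificate, copied onto the BIG-IP by hand. Unlike the built-in HTTPS monitor, this probe fails when the certificate is untrusted or its name does not match, and logs which of the two it was.

```bash
#!/bin/bash
# Added example, not from the thread: an external monitor that verifies the
# server certificate instead of ignoring it the way the built-in HTTPS monitor
# (and curl -k) does. All names and paths below are placeholders.
MON_HOSTNAME="${MON_HOSTNAME:-example.apples.com}"   # Host header, SNI and name to verify
MON_PATH="${MON_PATH:-/aaaa/bbb/cccc.asmx}"
MON_CAFILE="${MON_CAFILE:-/config/monitors/cccc-ca.pem}"   # CA chain that signed the server cert (assumed)
MON_TIMEOUT="${MON_TIMEOUT:-5}"

# BIG-IP passes IPv4 node addresses in IPv6-mapped form (assumed convention); strip the prefix.
node_ipv4() {
    local addr="$1"
    printf '%s\n' "${addr#::ffff:}"
}

# One verified HTTPS probe. Prints the HTTP status code and returns curl's exit
# code, which is 0 only if trust, name check and the HTTP exchange all succeeded.
# --resolve pins the hostname to the node IP so SNI, the Host header and the
# certificate name check all use the real hostname rather than the IP.
https_probe() {
    local ip="$1" port="$2" host="$3" path="$4" cafile="$5" timeout="${6:-5}"
    curl --silent --show-error \
         --cacert "$cafile" \
         --resolve "${host}:${port}:${ip}" \
         --max-time "$timeout" \
         --output /dev/null \
         --write-out '%{http_code}' \
         "https://${host}:${port}${path}" 2>/dev/null
}

# Map curl's exit code to a log reason so a trust problem (what -k hides) is
# distinguishable from a handshake/cipher problem or an unreachable node.
curl_reason() {
    case "$1" in
        0)  echo "ok" ;;
        7)  echo "connection refused or unreachable" ;;
        28) echo "timeout" ;;
        35) echo "TLS handshake failed (cipher/protocol mismatch or alert)" ;;
        51) echo "peer certificate rejected (older curl reports a name mismatch here)" ;;
        60) echo "certificate not trusted by CA file" ;;
        *)  echo "curl exit $1" ;;
    esac
}

# Entry point: BIG-IP runs the script as "<script> <node-address> <port>".
monitor_main() {
    local ip port code status pidfile
    ip="$(node_ipv4 "$1")"
    port="$2"
    # Kill a still-running previous instance for this node (F5 sample-script convention, assumed).
    pidfile="/var/run/${MON_TMPL_NAME:-https_verify}.${1}..${2}.pid"
    if [ -f "$pidfile" ]; then kill -9 "$(cat "$pidfile")" >/dev/null 2>&1; fi
    echo "$$" > "$pidfile"

    status="$(https_probe "$ip" "$port" "$MON_HOSTNAME" "$MON_PATH" "$MON_CAFILE" "$MON_TIMEOUT")"
    code=$?
    if [ "$code" -eq 0 ] && [ "$status" = "200" ]; then
        echo "up"      # anything on stdout marks the pool member UP
    else
        logger -p local0.notice "https_verify ${ip}:${port} down: $(curl_reason "$code") (http ${status:-none})"
    fi
    rm -f "$pidfile"
}

# Only act as a monitor when invoked with the two arguments BIG-IP supplies.
if [ "$#" -ge 2 ]; then
    monitor_main "$@"
fi
```

The --resolve option is what makes verification meaningful: the monitor connects to the member IP but presents and verifies the configured hostname, so a certificate issued for example.apples.com passes while a certificate for some other name (or a self-signed one absent from MON_CAFILE) takes the member down with a logged reason instead of silently passing as the built-in monitor would.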

     

  • I would have assumed that in the HTTPS monitor, but it doesn't seem to work that way... I am wondering if the cipher lists in the monitor don't match what's on the cert. The cert is set for AES_128_GCM and DHE_RSA. The default monitor has DEFAULT:+SHA:+3DES:+kEDH; according to this - https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html - I should be able to update the ciphers.

     

    You're actually talking about the SSL ciphers used in the handshake, not the parameters of the server's certificate. It is entirely likely that the default cipher suite in the HTTPS monitor is inadequate for the server. Do you know if the server requires a specific cipher suite? Did you have to do anything special in the cURL command to allow the SSL handshake to happen?

     

    You'll probably want to spin up an ssldump at this point to see where the problem is. If it is indeed a cipher issue, you'll see that in the handshake with the ssldump capture.
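One way to check the cipher theory before reaching for ssldump, as an added example that is not part of the thread: replay the monitor's handshake with openssl s_client using the monitor's own cipher string, and read the transcript to separate "no common cipher suite" (which -k cannot fix) from "certificate not trusted" (which -k hides). The cipher string is the DEFAULT:+SHA:+3DES:+kEDH quoted above; the hostname and port are placeholders, and the three transcripts at the end are constructed to mimic s_client output rather than captured from any real server.

```bash
#!/bin/bash
# Added example, not from the thread: diagnose whether the HTTPS monitor's cipher
# string or the server certificate is what breaks the handshake.
MONITOR_CIPHERS="DEFAULT:+SHA:+3DES:+kEDH"   # default monitor cipher string quoted in the thread

# Offline check: expand a cipher string the way OpenSSL does and report whether
# a given suite (e.g. the one the server insists on) is in the offered list at all.
cipher_offered() {
    local cipher_string="$1" suite="$2"
    openssl ciphers "$cipher_string" 2>/dev/null | tr ':' '\n' | grep -qx "$suite"
}

# Live check: a single handshake with the monitor's cipher list and SNI, no HTTP
# request. Prints the s_client transcript for handshake_summary to read.
tls_handshake() {
    local host="$1" port="$2" cipher_string="$3"
    openssl s_client -connect "${host}:${port}" -servername "$host" \
        -cipher "$cipher_string" </dev/null 2>&1
}

# Reduce an s_client transcript to one line. A handshake_failure alert means the
# server accepted none of the offered suites; a non-zero "Verify return code"
# means the session was negotiated but the certificate was not trusted.
handshake_summary() {
    local transcript="$1" cipher verify
    cipher="$(printf '%s\n' "$transcript" | sed -n 's/.*Cipher is \(.*\)$/\1/p' | head -n1)"
    verify="$(printf '%s\n' "$transcript" | sed -n 's/^ *Verify return code: \(.*\)$/\1/p' | head -n1)"
    if printf '%s\n' "$transcript" | grep -q 'handshake failure'; then
        echo "cipher mismatch: server rejected every suite in the offered list"
    elif [ -z "$cipher" ] || [ "$cipher" = "(NONE)" ]; then
        echo "no TLS session: ${verify:-connection failed before the handshake completed}"
    elif [ "${verify%% *}" = "0" ]; then
        echo "ok: cipher=$cipher, certificate verified"
    else
        echo "certificate problem (hidden by -k): ${verify}; cipher=$cipher"
    fi
}

# Constructed transcripts (not real captures) showing the three outcomes.
SAMPLE_OK="New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)"
SAMPLE_UNTRUSTED="New, TLSv1.2, Cipher is AES128-SHA
    Verify return code: 21 (unable to verify the first certificate)"
SAMPLE_NO_CIPHER="140123:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)"

# Usage against a real member (placeholder host/port):
#   handshake_summary "$(tls_handshake example.apples.com 443 "$MONITOR_CIPHERS")"
```

If handshake_summary reports a cipher mismatch, cipher_offered tells you whether the suite the server requires is even present in the monitor's string; if it reports a certificate problem, the monitor's handshake is fine and the built-in monitor would already be passing, so the cipher list is not the explanation.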