
HTTP/TLS Package

Help for those learning Tcl or writing their own scripts.
w00f
Halfop
Posts: 49
Joined: Wed Oct 04, 2006 6:50 pm

Post by w00f »

Setting the debug value to 0/1 will output the following when executing the wget proc,

::tls::debug 0
TLS/sock7: error: certificate verify failed

::tls::debug 1
TLS/sock7: verify/3: Bad Cert: self signed certificate in certificate chain (rc = 0)

:\
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Well, there is something fishy there..
Unfortunately, I'm unable to connect to xpto.com:443 from here, so that makes it a little hard to have a closer look at the certificate chain :/
Could you run the following command from your shell, and post the output?

Code:

openssl s_client -showcerts -connect xpto.com:443
And possibly also this one:

Code:

openssl s_client -showcerts -connect xpto.com:443 -CApath /etc/ssl/certs
That should provide some clues to the self signed certificate...
(The openssl s_client opens an SSL-encrypted "telnet" session with the remote host; just hit Ctrl+C to disconnect, or test writing a "GET / HTTP/1.0" HTTP request and see what happens.)
NML_375
w00f
Halfop
Posts: 49
Joined: Wed Oct 04, 2006 6:50 pm

Post by w00f »

Yea sure.

openssl s_client -showcerts -connect xpto.com:443 >> ssl
http://pastebin.com/scQq6ZTK

openssl s_client -showcerts -connect xpto.com:443 -CApath /etc/ssl/certs >> ssl2
http://pastebin.com/UkM7ps5V
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Well, that pretty much concludes that your issue with the self-signed certificate is due to a missing CA (solved with the -CApath option). Did you try sending an HTTP request (and was it successful)?

Let's try a new set:

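Code:

package require http
package require tls
# Register https: TLSv1 enabled, CA directory supplied, built-in callback for logging
http::register https 443 [list ::tls::socket -require 0 -request 1 -tls1 1 -command ::tls::callback -cadir /etc/ssl/certs]
set ::tls::debug 0
set ::tls::logcmd putlog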
Now we've enabled TLSv1 (since your openssl s_client suggests that's what your server likes), as well as included the CA directory, and are using the built-in callback to log (and validate certs - should work as we've added the -cadir option).
NML_375
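
Added example, not part of the original posts: a constructed root CA and leaf certificate reproduce the "self signed certificate in certificate chain" failure offline and show it clearing once the root sits in a hash-named CA directory, the kind of directory that -CApath and the tls package's -cadir read. All subjects, file names and paths are constructed; it assumes the openssl CLI, version 1.1.0 or later for -no-CAfile/-no-CApath.

```shell
#!/bin/sh
# Added demo: every key and certificate is a throwaway, constructed in a temp dir.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

make_chain() {
    # Self-signed root CA, standing in for the CA missing from the client's store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.pem" 2>/dev/null &&
    # Server key and CSR, then a leaf certificate signed by that root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.invalid" \
        -keyout "$demo_dir/leaf.key" -out "$demo_dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$demo_dir/leaf.csr" -days 1 \
        -CA "$demo_dir/ca.pem" -CAkey "$demo_dir/ca.key" -CAcreateserial \
        -out "$demo_dir/leaf.pem" 2>/dev/null
}

make_ca_dir() {
    # A CA directory is searched by subject hash: <hash>.0 must point at the cert.
    mkdir -p "$demo_dir/certs" &&
    cp "$demo_dir/ca.pem" "$demo_dir/certs/demo-root.pem" &&
    hash=$(openssl x509 -noout -hash -in "$demo_dir/ca.pem") &&
    ln -sf demo-root.pem "$demo_dir/certs/$hash.0"
}

verify_without_ca() {
    # Peer presents leaf + root (-untrusted), but no trust anchor is configured.
    openssl verify -no-CAfile -no-CApath \
        -untrusted "$demo_dir/ca.pem" "$demo_dir/leaf.pem" 2>&1
}

verify_with_ca_dir() {
    # Same chain, now with the root reachable through the hashed directory.
    openssl verify -no-CAfile -CApath "$demo_dir/certs" \
        -untrusted "$demo_dir/ca.pem" "$demo_dir/leaf.pem" 2>&1
}

make_chain && make_ca_dir
echo "--- no CA available:";   verify_without_ca
echo "--- with CA directory:"; verify_with_ca_dir
```

The first verification reports error 19 at depth 1, the same condition the tls debug output names; the second prints OK because the lookup finds the root under its hash-named link.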
w00f
Halfop
Posts: 49
Joined: Wed Oct 04, 2006 6:50 pm

Post by w00f »

Thanks nml375, but it still returns eof =/
lol this is getting weirder
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Hmm... running very low on ideas then :/
NML_375
w00f
Halfop
Posts: 49
Joined: Wed Oct 04, 2006 6:50 pm

Post by w00f »

no problemo,
thanks for the effort :)