linux - How can I verify on download that a site's SSL cert is for a host I trust?

2014-07
  • Parthian Shot

    Generally

    I want to be able to make an HTTPS connection to a site, and while negotiating the SSL check that:

    1. The cert is in every way valid for the host listed on the cert (unexpired, signed by trusted CA), and

    2. The cert is for a host I specify (i.e. I may be connecting via HTTPS to example1.com, but I just want to verify that the cert used by example1.com is valid for example4.com because I trust example4.com has not been compromised).

    Specifically

    There's a site affiliated with redhat which uses a cert valid for *.redhat.com, but which is not under the redhat.com domain. In every other way this cert is valid (i.e. it is issued by a trusted CA, it hasn't expired, and I am 99.99% sure it isn't stolen; although, if it were, that would mean redhat was compromised, so I'd have bigger problems), and I want to download an RPM module from this site, while (hopefully) guaranteeing I haven't been MITM'd.

    So, I want to download something from the redhat-affiliated example.com while verifying that the site I'm connecting to is actually using a valid redhat cert.

    Things I've already tried:

    curl -- the closest curl has to this functionality is this option flag, which just disables all certificate authentication, which is not what I want, and

    wget -- just has the argumentless --no-check-certificate option, which is equally unhelpful.

    According to the libcurl documentation, I could use this, which looks promising, but mentions that it requires I have "... a non-trivial amount of knowledge of the openssl libraries", which I demonstrably don't possess. I can program in C or Python or whatever, although what would be most helpful is (in descending order of preference):

    1. a bash / sh solution using only command-line applications which usually ship with RHEL-based distros,
    2. or a solution using a common scripted language (Python, Perl, Ruby, etc.) with no library dependencies which require download,
    3. or a solution using a nonscripted language (C/C++, Java, Haskell, etc.) which again doesn't require any library downloads.
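For the question's second preference (a scripted language with no downloaded libraries), here is an added example that is not from the question or any answer on this page: a Python script using only the standard-library ssl module. It connects to connect_host, lets OpenSSL validate the chain against the system CA store, and then checks the presented certificate's names against the host you trust rather than the host you dialled. All function and variable names are my own.

```python
import socket
import ssl

def dns_name_matches(pattern, hostname):
    """One certificate DNS name (maybe a wildcard) against one hostname.

    Conservative reading of RFC 6125: '*' may only replace the whole
    left-most label, so '*.redhat.com' covers 'mirror.redhat.com' but not
    'redhat.com' or 'a.b.redhat.com'; partial wildcards are taken literally.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_matches_host(cert, hostname):
    """cert is a dict in SSLSocket.getpeercert() format. DNS SANs win;
    the subject CN is consulted only when there are no DNS SANs at all."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(n, hostname) for n in names)

def fetch_from_trusted_host(connect_host, trusted_host, path="/", port=443):
    """GET path from connect_host, but only over a chain-valid certificate
    whose names cover trusted_host. Returns the raw HTTP response bytes."""
    ctx = ssl.create_default_context()   # system CA store, sane TLS defaults
    ctx.check_hostname = False           # name check is done below instead,
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain validation stays switched on
    with socket.create_connection((connect_host, port)) as sock:
        # SNI still names the host we dialled, so the server behaves normally
        with ctx.wrap_socket(sock, server_hostname=connect_host) as tls:
            if not cert_matches_host(tls.getpeercert(), trusted_host):
                raise ssl.CertificateError("certificate from %s is not valid "
                                           "for %s" % (connect_host, trusted_host))
            tls.sendall(("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n"
                         % (path, connect_host)).encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)
```

Because the TCP connection, SNI and Host header all still name connect_host, the server sees the same request a browser would send; only the trust decision changes, and a certificate that is chain-valid but issued for some unrelated name is rejected before any request bytes are sent.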

    Related Question

    How do I disable the warning Chrome gives if a security certificate is not trusted?
  • sippa

    I want to know if it's possible to disable the warning you get in Chrome when you try to go to some HTTPS site that doesn't have a trusted certificate.

    I have a few sites in my bookmarks that use HTTPS but none of them have trusted certificates, so each time I visit them I manually have to click "Proceed anyway" in the warning and it's getting kind of annoying.

    Is there any way to disable the warning or somehow add these sites to some kind of safe list?


  • Related Answers
  • chills42

    sippa,
    When you use Chrome's Options > Manage Certificates > Import where are you placing the certificate? On the "Certificate Store" screen of the import, choose "Place all certificates in the following store" and browse for "Trusted Root Certification Authorities." Restart Chrome. This normally works for me.

  • orangechicken

    For Chrome on OSX, here's a relatively easy way to add the self-signed certificate to the system's Keychain, which is used by Chrome: Google Chrome, Mac OS X and Self-Signed SSL Certificates. No more annoying red warning screen! (I do wish Chromium would simplify adding the exception though.)

  • lfaraone

    Instructions for Linux (Chrome 12+):

    Certificate Information -> Details -> Export

    Save the certificate as a file of your choice.

    Preferences -> Under the hood -> Manage certificates -> Authorities

    Import the file and check all the boxes when it asks. You are done.

    It is very important to import under the Authorities tab, and not other!

  • Fernando Meyer

    On OS X you should export your certificate from Firefox and import it into Keychain under the login profile.

  • caspian

    In order for me to get this to work, I had to copy to file using the "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)" option and check the "Include all certificates in the certification path if possible" box.

    Then I imported using Cornelius' instructions and it worked.