0
votes

For a starter I am trying to CURL an API hosted on a docker image. Here's the CURL output, isnt making sense to me.

curl -ik -v --tlsv1.0 --cacert cfmpem.pem --key key.pem https://localhost:13443/boot/api/cfm-menu-context/?page=2

Trying ::1...
TCP_NODELAY set
Connected to localhost (::1) port 13443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

successfully set certificate verify locations:
CAfile: cfm.wdf.sap.corp.pem
CApath: none

TLSv1.0 (OUT), TLS handshake, Client hello (1):
TLSv1.0 (IN), TLS handshake, Server hello (2):
TLSv1.0 (IN), TLS handshake, Certificate (11):
TLSv1.0 (IN), TLS handshake, Server key exchange (12):
TLSv1.0 (IN), TLS handshake, Request CERT (13):
TLSv1.0 (IN), TLS handshake, Server finished (14):
TLSv1.0 (OUT), TLS handshake, Certificate (11):
TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
TLSv1.0 (OUT), TLS change cipher, Client hello (1):
TLSv1.0 (OUT), TLS handshake, Finished (20):
TLSv1.0 (IN), TLS alert, Server hello (2):
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
stopped the pause stream!
Closing connection 0 curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

1
Is the server expecting a TLS 1.0 handshake? Is the server expecting a client certificate authentication?evilSnobu
I've forgotten a lot but can you be using sslv3 with H2? I don't think so.Rob
Define 'unsecured HTTPS'.user207421
@evilSnobu - yes The connection to this site uses TLS 1.0 (an obsolete protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_128_CBC with HMAC-SHA1 (an obsolete cipher).cc-

1 Answers

1
votes

Your command line of --cacert specifies the trust store to verify the server certificate. You also have a command line argument of --key. This is used to specify the key for a client certificate and should be used in connection with --cert to specify the client certificate. But, you don't have a --cert option so --key does not make sense.

TLSv1.0 (IN), TLS handshake, Request CERT (13):

This means that the server requests a certificate from the client, i.e. a "client certificate". To specify one you need to use the command line options --cert (which you don't use) and --key (which you have). Given the missing --cert option no client certificate is known to curl and thus no will be send to the server. This is likely the reason the server closes the connection with an error alert at the end of the handshake:

TLSv1.0 (IN), TLS alert, Server hello (2): error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

To fix this problem provide the expected client certificate and key using the --cert and --key arguments.