LibCurl and PEM files
BlitzMax Forums/Brucey's Modules/LibCurl and PEM files
I was able to use LibCurl and a PEM file to successfully communicate with my server via SSL. However, the PEM file contains two keys I got from my server, and they don't look like they should be distributed to the public:

    -----BEGIN RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----

How are you supposed to handle these? I don't think I am supposed to give away my "RSA PRIVATE KEY" to anyone who wants to use my program.
No one knows?
My PEM files look this way:

    -----BEGIN CERTIFICATE-----
    39 lines of linDSF3sAosaSDGS45sfsW4ghmflhalmfsfsdlf23tr7ghfhfamoycmyuca79d78as=
    -----END CERTIFICATE-----

and multiple of these blocks for my certificate bundles (if you provide multiple certificates in one file).

If you e.g. are using StartSSL, you surely did it this way:

    cat private/server.crt startssl/sub.class2.server.ca.pem > private/server_with_chain.pem

Alternatively you configured the last param in your apache config:

    <IfModule mod_ssl.c>
    #all your host definitions ...
    <VirtualHost *:443>
        ServerAdmin bla@...
        ServerName yourdomain.com
        DocumentRoot /var/www/yourdomain.com/

        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        SSLEngine on
        # A self-signed (snakeoil) certificate can be created by installing
        # the ssl-cert package. See
        # /usr/share/doc/apache2/README.Debian.gz for more info.
        # If both key and certificate are stored in the same file, only the
        # SSLCertificateFile directive is needed.
        SSLCertificateFile /etc/ssl/certs/public.pem
        SSLCertificateKeyFile /etc/ssl/private/private.pem
        #SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem
    </VirtualHost>
    </IfModule>

Also I do not get what libCurl has to do with your problem of a server exposing your private keys... that "-----BEGIN RSA PRIVATE KEY-----" should be in a file like "private.pem" (often "private.key") or so. Exposing your public key is like instantly invalidating the whole SSL thing, as others might use your private key to sign in your name...

bye Ron
Seems you were no longer interested in it (reading your reply to another thread in this subforum). Or was my post not really helpful for you?

bye Ron
The answer is to download the file here and use it: http://curl.haxx.se/ca/cacert.pem
So you just included the "most common" certificates (I described above how I bundled the ones used by "startssl.com"). Reading the description again: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#SSLCertificateFile I assume that your server was wrongly configured: you might have wanted to use SSLCertificateFile file-path, which would allow a combination of public and private key... but used another one (e.g. SSLCertificateChainFile file-path). So that thing got exposed somehow. Using the cacert.pem now of course needs to get supplemented by a private key file.

bye Ron