LibCurl and PEM files

BlitzMax Forums/Brucey's Modules/LibCurl and PEM files

JoshK(Posted 2015) [#1]
I was able to use LibCurl and a PEM file to successfully communicate with my server via SSL. However, the PEM file contains two keys I got from my server, and they don't look like they should be distributed to the public:
-----BEGIN RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----

How are you supposed to handle these? I don't think I am supposed to give away my "RSA PRIVATE KEY" to anyone who wants to use my program.


JoshK(Posted 2015) [#2]
No one knows?


Derron(Posted 2015) [#3]
My PEM files look this way:

-----BEGIN CERTIFICATE-----
39 lines of linDSF3sAosaSDGS45sfsW4ghmflhalmfsfsdlf23tr7ghfhfamoycmyuca79d78as=
-----END CERTIFICATE-----


and multiple such blocks for my certificate bundles (if you provide multiple certificates in one file).
If you are e.g. using StartSSL, you surely did it this way:
cat private/server.crt startssl/sub.class2.server.ca.pem > private/server_with_chain.pem


Alternatively, you configured the last parameter in your Apache config:
<IfModule mod_ssl.c>
#all your host definitions ...

<VirtualHost *:443>
    ServerAdmin bla@...
    ServerName yourdomain.com
    DocumentRoot /var/www/yourdomain.com/


    BrowserMatch "MSIE [2-6]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    
    SSLEngine on

    #   A self-signed (snakeoil) certificate can be created by installing
    #   the ssl-cert package. See
    #   /usr/share/doc/apache2/README.Debian.gz for more info.
    #   If both key and certificate are stored in the same file, only the
    #   SSLCertificateFile directive is needed.

    SSLCertificateFile /etc/ssl/certs/public.pem
    SSLCertificateKeyFile /etc/ssl/private/private.pem
    #SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem
</VirtualHost>



Also I do not get what libCurl has to do with your problem of a server exposing your private keys...

That "-----BEGIN RSA PRIVATE KEY-----" should be in a file like "private.pem" (often "private.key") or so.


Exposing your public key is like instantly invalidating the whole SSL thing, as others might use your private key to sign in your name...


bye
Ron


Derron(Posted 2015) [#4]
Seems you were no longer interested in it (reading your reply to another thread in this subforum).

Or was my post not really helpful for you?


bye
Ron


JoshK(Posted 2016) [#5]
The answer is to download the file here and use it:
http://curl.haxx.se/ca/cacert.pem


Derron(Posted 2016) [#6]
So you just included the "most common" certificates (I described above how I bundled the ones used by "startssl.com").


Reading the description again:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#SSLCertificateFile

I assume that your server was wrongly configured: you might have wanted to use SSLCertificateFile file-path, which would allow a combination of public and private key... but used another one (e.g. SSLCertificateChainFile file-path). So that thing got exposed somehow.

Using the cacert.pem now of course needs to be supplemented by a private key file.


bye
Ron
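The thread turns on one check: the PEM bundle shipped with a client (the CA bundle handed to libcurl, e.g. via CURLOPT_CAINFO) must contain only CERTIFICATE blocks, never a PRIVATE KEY block that was concatenated in by mistake. The script below is an added example, not code from the forum posts or from libcurl; the PEM bundle it scans is constructed and contains no real key or certificate material.

```python
import re

# Constructed sample bundle (not a real key or certificate): a CA certificate
# followed by a private key, i.e. the mistake described in the thread.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBsampleCERTIFICATEbodyNotRealAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEsamplePRIVATEKEYbodyNotReal=
-----END RSA PRIVATE KEY-----
"""

# One PEM block: BEGIN label, base64 body, END with the *same* label (\1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def pem_block_labels(text):
    """Return the label of every PEM block (e.g. 'CERTIFICATE') in file order.

    Raises ValueError when a BEGIN line has no matching END label, which is
    the usual sign of a botched `cat` while assembling a bundle.
    """
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    if text.count("-----BEGIN ") != len(labels):
        raise ValueError("unbalanced or mismatched BEGIN/END lines in PEM data")
    return labels


def is_safe_ca_bundle(text):
    """True only if the file holds nothing but CERTIFICATE blocks.

    Any other label (RSA/EC/PKCS#8 PRIVATE KEY, CERTIFICATE REQUEST, ...)
    means server-side material ended up in the file and it must not ship.
    """
    labels = pem_block_labels(text)
    return bool(labels) and all(label == "CERTIFICATE" for label in labels)


if __name__ == "__main__":
    print("blocks found:", pem_block_labels(SAMPLE_BUNDLE))
    print("safe to distribute:", is_safe_ca_bundle(SAMPLE_BUNDLE))
```

Run it against the bundle you actually package (read the file into `text`) before release; a `False` or a ValueError means the file needs to be rebuilt from certificates only.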