Using client certificates with wget

ssl-certificatewget

I cannot get wget to use the client certificates. The documentation speaks about using the –certificate flag.

The use of the certificate flag is clear, I set it to use the PEM version of the client certificate.

But when I connect I get the following error:

HTTP request sent, awaiting response... Read error (error:14094410:SSL routines:
SSL3_READ_BYTES:sslv3 alert handshake failure; error:140940E5:SSL routines:SSL3_
READ_BYTES:ssl handshake failure) in headers.
Giving up.

ssl handshake failure means the client did not supply a correct client cert. Still the client cert I use, works in a browser.

Note: When I disable client authentication on the server, wget can connect.
Note: The use of curl is suggested, but I'd like to avoid the switch.

Best Answer

I studied a week on this, finaly with the help I got from this page.

The command I used to connect is:

wget --ca-cert=/etc/ssl/certs/winhostname.pem --certificate=/etc/ssl/private/linuxhost.pem \
     --private-key=/etc/ssl/private/linuxhost.key https://winhostname.home.net:8443/winhosturl.asmx

Related Solutions

Ssl – error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure(35)

openssl s_client does a better job of explaining what's going on here since it gives whether it's receiving or sending these messages. api.paypal.com is requesting a specific client certificate (this is the * SSLv3, TLS handshake, Request CERT (13) line curl is printing) and you're sending the wrong (or no) certificate, so your connection fails:

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
6016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40
6016:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Googling for paypal api info, it appears that you'll need to request a client certificate for the API. They also have a username/password "signature" option, but this option uses a completely different server. If you have these, then configuring your cart software to use them is an issue to take up with the cart developer. If you are the developer and you have a certificate, see the --cert, --cert-type, --key, and --key-type flags to curl to configure the cert and private key curl uses.

AWS ELB – Installing Intermediate SSL Certificates

Use gd_bundle-g2.crt instead.

Thank you to my friends over at trusted advisor.

Quick Review

Ensure private key is in RSA format without a password.

openssl rsa -in private.key -text > private.pem
Your .crt file from godaddy is probably already in pem format.

openssl x509 -inform PEM -in blahblah.crt > public.pem
Download gd_bundle-g2.crt from https://certs.godaddy.com/anonymous/repository.pki

Field mappings (Dear amazon, this form is terrible.)

Private Key -> private.pem
Public Key Certificate -> public.pem
Certificate Chain -> gd_bundle-g2.crt

If your form looks like this, these instructions probably still apply. http://i.stack.imgur.com/yB918.png

Best Answer

Related Solutions

Ssl – error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure(35)

AWS ELB – Installing Intermediate SSL Certificates

Use gd_bundle-g2.crt instead.

Related Topic