Startssl.com, which provides free class 1 SSL certs, uses a very unique and simple authentication system. During its login process it redirects the client to https://auth.startssl.com/ and the browser asks for their unique certificate. After that stage is finished they are redirected to their control panel without any username/password authentication.
I wasn't even aware that HTTP(s) could do this type of authentication natively!
I've tried using curl to dissect this request but I can't get a valid HTTPS request to go through.
X:~ ken$ curl https://auth.startssl.com/ --cert ./startssl-id.crt
curl: (58) unable to set private key file: './startssl-id.crt' type PEM
Does curl support this type of HTTPS connection and if so how would it be configured on both the server and client side?
You're using a client-side certificate. In order to watch the traffic, your user agent needs to support client-side certificates. If you just want to watch the network traffic, you could look at your browser's network traffic log, but that won't include the cert negotiation.
curl does support client side certificates. You use them like this:
curl --cert mycert.pem https://secure.example.com
If you really want to get into the nitty gritty of the packet negotiation, your best bet is probably to use wireshark to dissect the packets.
The docs for configuring this in Apache are here:
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#accesscontrol
This page has a good how to on adding client cert authentication to any web app:
https://www.scriptjunkie.us/2013/11/adding-easy-ssl-client-authentication-to-any-webapp/
As for making client certs work with curl: you'll probably need to convert the certificate from PKCS#12 format to a plain private key and certificate. Using openssl, I've done this:
openssl pkcs12 -CApath /etc/ssl/certs -in startcom.p12 -out start.pem -info -nodes
where startcom.p12 was exported from Firefox (I don't have a mac so can't test with Safari).
and then I can:
openssl s_client -connect auth.startssl.com:443 -CApath /etc/ssl/certs/ -cert /tmp/start.pem -key /tmp/start.key -prexit -debug -msg -state -servername auth.startssl.com -tlsextdebug
which connects, and:
wget --verbose --debug --ca-directory=/etc/ssl/certs/ --certificate=/tmp/start.pem --private-key=/tmp/start.key https://auth.startssl.com/
also works.
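As an added example (not from the question or either answer), here is the conversion from the second answer carried through end to end: a constructed throw-away client identity is bundled as PKCS#12 the way a browser exports it, split back into the separate PEM certificate and key that curl's --cert/--key options expect, and checked for consistency before use. The hostname and file paths are placeholders; it needs only the openssl binary and makes no network connection.

```shell
#!/bin/sh
# Constructed demo: a throw-away client identity stands in for the one your CA
# issued. Nothing here is StartSSL's real identity or a real account.
set -eu

WORK="${TMPDIR:-/tmp}/client-cert-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT   # never leave a private key lying around in /tmp

# 1. Self-signed client identity, then bundle it as PKCS#12 the way a browser
#    export does (browsers always set an export password).
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-client" \
    -keyout "$WORK/id.key" -out "$WORK/id.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/id.crt" -inkey "$WORK/id.key" \
    -passout pass:export-secret -out "$WORK/id.p12"
}

# 2. Unpack the bundle to unencrypted PEM (-nodes) and split it in two:
#    curl's --cert wants the certificate and --key the private key. A bare
#    .crt, as in the question, carries no key, hence "unable to set private key".
split_p12() {
  openssl pkcs12 -in "$WORK/id.p12" -passin pass:export-secret -nodes \
    -out "$WORK/bundle.pem"
  openssl x509 -in "$WORK/bundle.pem" -out "$WORK/client.crt"
  openssl pkey -in "$WORK/bundle.pem" -out "$WORK/client.key"
}

# 3. Confirm the key really belongs to the certificate before handing both to
#    curl: the public key derived from each must be byte-identical.
#    Returns 0 on a consistent pair, non-zero otherwise.
key_matches_cert() {
  crt_pub=$(openssl x509 -in "$WORK/client.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/client.key" -pubout)
  [ "$crt_pub" = "$key_pub" ]
}

# 4. The curl invocation the split enables (printed, not run: no server here).
#    --capath mirrors the -CApath used with openssl/wget in the answer above.
curl_command() {
  printf 'curl --capath /etc/ssl/certs --cert %s --key %s https://auth.example.test/\n' \
    "$WORK/client.crt" "$WORK/client.key"
}

make_identity
split_p12
key_matches_cert && echo "client.crt and client.key form a consistent pair"
curl_command
```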