curl_cli doesn't pick up CA bundle by default
Hi,
I've noticed that all my R81.x firewalls don't seem to run curl_cli any more without an error. This also affects management servers as well as gateways, regardless of HTTPS inspection being deployed or not.
[Expert@FW-TH:0]# curl_cli -v https://www.checkpoint.com/
* Trying 54.192.137.127...
* TCP_NODELAY set
* Connected to www.checkpoint.com (54.192.137.127) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Wed Jun 26 15:03:16 2024
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Wed Jun 26 15:03:16 2024
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* err is -1, detail is 2
* *** Current date is: Wed Jun 26 15:03:16 2024
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* err is -1, detail is 1
* errdetail=0x1416f086
ERR_lib_error_string: SSL routines
ERR_func_error_string: tls_process_server_certificate
ERR_reason_error_string: certificate verify failed
ERR_error_string: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[Expert@FW-TH:0]# grep -i Globalsign.*R3 $CPDIR/conf/ca-bundle.crt
GlobalSign Root CA - R3
curl_cli --cacert $CPDIR/conf/ca-bundle.crt https://updates.checkpoint.com/WebService/Monitor
Do we know when this GAiA issue will be addressed?
Thanks
Jamie
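The post's workaround is to pass the bundle explicitly with `--cacert $CPDIR/conf/ca-bundle.crt`. The script below is an added example, not code from the thread or from Check Point: it wraps `curl_cli` so the bundle is always supplied, fails closed (no silent fallback to an unverified connection) when no bundle is found, and adds two small checks a practitioner would want before trusting a bundle: how many certificates it holds and whether a named root is present, the same check the post does with `grep`. `$CPDIR/conf/ca-bundle.crt` is the path from the post; `CP_CA_BUNDLE` is an override variable introduced here for testing, and the sample bundle written by `make_sample_bundle` is constructed with placeholder PEM blocks in the label-then-certificate layout of curl's mk-ca-bundle output, not real certificates.

```shell
#!/bin/sh
# Added example (not from the CheckMates thread or Check Point). Wraps curl_cli
# so that Gaia's CA bundle is always passed with --cacert, which is the
# workaround shown in the post. Assumed names: CP_CA_BUNDLE (override variable
# introduced here) and all function names below. $CPDIR is set by the Gaia
# expert shell; $CPDIR/conf/ca-bundle.crt is the path from the post.

# Print the CA bundle path to use, or fail if none is readable.
cp_ca_bundle() {
    bundle="${CP_CA_BUNDLE:-${CPDIR:+$CPDIR/conf/ca-bundle.crt}}"
    if [ -n "$bundle" ] && [ -r "$bundle" ]; then
        printf '%s\n' "$bundle"
        return 0
    fi
    printf 'no readable CA bundle (set CPDIR or CP_CA_BUNDLE)\n' >&2
    return 1
}

# Number of PEM certificates in a bundle (counts BEGIN CERTIFICATE markers).
# grep -c prints 0 and exits 1 on an empty bundle, so the count is kept either way.
ca_bundle_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed if the bundle carries a CA whose label matches the given pattern
# (case-insensitive), e.g. 'GlobalSign.*R3' as in the post.
ca_bundle_has_ca() {
    grep -q -i -- "$1" "$2"
}

# Run curl_cli with the bundle passed explicitly. Refuses to run when no bundle
# is found rather than degrading to an unverified (-k) connection.
cp_curl() {
    bundle=$(cp_ca_bundle) || return 1
    curl_cli --cacert "$bundle" "$@"
}

# Write a small constructed bundle for offline testing: label lines in the
# style of a Mozilla-derived ca-bundle.crt and placeholder PEM blocks. These
# are NOT real certificates and must not be installed anywhere.
make_sample_bundle() {
    out="${1:-${TMPDIR:-/tmp}/sample-ca-bundle.$$}"
    cat > "$out" <<'EOF'
GlobalSign Root CA - R3
=======================
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----

Example Root CA (constructed)
=============================
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
EOF
    printf '%s\n' "$out"
}

# Usage on a Gaia box (expert shell, CPDIR already set):
#   . ./cp_curl.sh && cp_curl -sS https://updates.checkpoint.com/WebService/Monitor
```

Sourcing the file and calling `cp_curl` instead of `curl_cli` keeps every call verified against the same bundle, and a bundle with an unexpectedly low `ca_bundle_cert_count` or a missing root from `ca_bundle_has_ca` is the first thing to check before assuming a gateway-side issue.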
Accepted Solutions
This has been the case in earlier versions as well, as far as I can remember.
Never noticed that Jamie, but you are 100% right. I also tested in the lab, cluster with ssl inspection and single fw without it, exact same output.
Andy
I'm convinced it used to work fine, but even R81.0 seems to have the issue. I've raised an SR but not made any headway... yet.
Let us know what they say. I tested R81.20 jumbo 70 (very latest) and R82 (no jumbo yet) and EXACT same issue. You can even mention that to them if you like or simply link this post to the ticket.
Andy
That makes sense.
