stallwoodj
Collaborator

curl_cli doesn't pick up CA bundle by default


Hi, 

I've noticed that all my R81.x firewalls don't seem to run curl_cli any more without an error. This also affects management servers as well as gateways, regardless of HTTPS inspection being deployed or not.

[Expert@FW-TH:0]# curl_cli -v https://www.checkpoint.com/
*   Trying 54.192.137.127...
* TCP_NODELAY set
* Connected to www.checkpoint.com (54.192.137.127) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Wed Jun 26 15:03:16 2024
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Wed Jun 26 15:03:16 2024
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* err is -1, detail is 2
* *** Current date is: Wed Jun 26 15:03:16 2024
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* err is -1, detail is 1
* errdetail=0x1416f086
ERR_lib_error_string: SSL routines
 ERR_func_error_string: tls_process_server_certificate
 ERR_reason_error_string: certificate verify failed
 ERR_error_string: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


[Expert@FW-TH:0]# grep -i Globalsign.*R3 $CPDIR/conf/ca-bundle.crt
GlobalSign Root CA - R3
If you force the CA bundle option, all is fine e.g.
curl_cli --cacert $CPDIR/conf/ca-bundle.crt https://updates.checkpoint.com/WebService/Monitor


Do we know when this GAiA issue will be addressed?


Thanks

Jamie

3 Replies
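As an added example (my own, not from the thread and not a Check Point tool), a small POSIX shell wrapper that applies the workaround from the post: it always passes `--cacert $CPDIR/conf/ca-bundle.crt`, checks that the bundle is readable and contains a given root (the same grep for "GlobalSign Root CA - R3" as above), and turns curl exit status 60 into a plain trust-store diagnosis rather than falling back to `-k`. `CA_BUNDLE_OVERRIDE`, `CURL_BIN` and the function names are assumptions introduced here so the functions can be exercised offline; the exit-code meanings are curl's documented ones.

```sh
#!/bin/sh
# Added example, not from the thread or from Check Point: wrap curl_cli so the
# Gaia CA bundle is always passed explicitly, and report a curl exit status 60
# as what it is (peer certificate not trusted) instead of disabling verification.
# Assumptions: CPDIR is set as in the expert shell; CA_BUNDLE_OVERRIDE and
# CURL_BIN are hypothetical knobs used so the functions can be exercised offline.

# Print the path of the CA bundle to use, or fail if it cannot be determined.
ca_bundle_path() {
    if [ -n "${CA_BUNDLE_OVERRIDE:-}" ]; then
        printf '%s\n' "$CA_BUNDLE_OVERRIDE"
    elif [ -n "${CPDIR:-}" ]; then
        printf '%s\n' "$CPDIR/conf/ca-bundle.crt"
    else
        echo "CPDIR is not set; is this a Gaia expert shell?" >&2
        return 2
    fi
}

# Succeed only if the bundle is readable and contains the named root
# (e.g. "GlobalSign Root CA - R3"), the same check as the grep in the post.
bundle_has_root() {
    bundle=$(ca_bundle_path) || return 2
    [ -r "$bundle" ] || return 2
    grep -qF -- "$1" "$bundle"
}

# Map a curl exit status to a one-line diagnosis (codes per curl's man page).
curl_exit_diagnosis() {
    case "$1" in
        0)  echo "ok" ;;
        60) echo "peer certificate not trusted: CA bundle not loaded, pass --cacert" ;;
        35) echo "TLS handshake failed for a reason other than trust" ;;
        *)  echo "curl exited with status $1" ;;
    esac
}

# Run curl_cli with --cacert forced. Fails closed if the bundle is missing;
# never substitutes -k / --insecure.
curl_cli_trusted() {
    bundle=$(ca_bundle_path) || return 2
    if [ ! -r "$bundle" ]; then
        echo "CA bundle not readable: $bundle" >&2
        return 2
    fi
    "${CURL_BIN:-curl_cli}" --cacert "$bundle" "$@"
    rc=$?
    [ "$rc" -eq 0 ] || curl_exit_diagnosis "$rc" >&2
    return "$rc"
}
```

Usage on a gateway would be `curl_cli_trusted -v https://www.checkpoint.com/`; with the bundle in place it completes, and if it still returns 60 the bundle itself lacks the issuing root.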
the_rock
Legend

Never noticed that Jamie, but you are 100% right. I also tested in the lab, cluster with ssl inspection and single fw without it, exact same output.

Andy

stallwoodj
Collaborator

I'm convinced it used to work fine, but even R81.0 seems to have the issue. I've raised an SR but not made any headway... yet.

the_rock
Legend

Let us know what they say. I tested R81.20 jumbo 70 (very latest) and R82 (no jumbo yet) and EXACT same issue. You can even mention that to them if you like or simply link this post to the ticket.

Andy
