Pls update to SG rc1 and to SG SSL 2.3.3.11. They contain important SSL fixes, especially for client authentication.
If the exception also occurs with RC1 and SG SSL 2.3.3.11, pls report back and also include the logfiles from elasticsearch on DEBUG level and your elasticsearch.yml as well as sg_config.yml.
BTW: Your curl version is very old, consider updating curl.
On 13.06.2016 at 12:27, Young Mi Park <ym.park@gmail.com> wrote:
Hi,
I have installed search guard ssl (2.3.3.10) & search guard (2.3.3.0-beta3) and tried to connect to ES using curl.
I used the example script with slight changes to generate things for SSL communication, for example 'admin' instead of 'kirk',
and created the 'ch.pem' file:
cat ./search-guard-ssl/example-pki-scripts/admin.crt.pem ./search-guard-ssl/example-pki-scripts/ca/chain-ca.pem > ./search-guard-ssl/example-pki-scripts/ch.pem
And this is the error message I have got:
[w3_es01@mydomain example-pki-scripts]$ pwd
/ ... /search-guard-ssl/example-pki-scripts
[w3_es01@mydomain example-pki-scripts]$ curl -Sv --insecure -E ./ch.pem --key admin.key.pem --tlsv1.2 https://mydomain:9200/_searchguard/sslinfo?pretty
* About to connect() to proxy myproxy.com port 3128 (#0)
* Trying 10.x.xx.xxx... connected
* Connected to myproxy.com (10.x.xx.xxx) port 3128 (#0)
* Establish HTTP proxy tunnel to mydomain:9200
> CONNECT mydomain:9200 HTTP/1.1
> Host: mydomain:9200
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* NSS error -8054
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error