
RE: [ARRL-LOTW] TQSL 2.0-RC7 Kit available for testing

  • Phil Cooper
    Message 1 of 28 , Oct 9, 2013
      Rick and the group,

      I run the DXLab suite of programs, and I had cause to reboot the shack PC
      tonight, which caused a prompt telling me there was an update to TQSL.
      I followed the on-screen prompts, but got a failure notice, telling me there
      was no file present.

      I am not quite sure whether the file that wasn't present was missing from
      the destination download folder, or from my hard drive.
      There was no clue as to what file name, only that THE file was missing.

      As yet, I have not tried manually downloading the file, as I thought it might
      need further investigation.

      Any ideas as to what may have gone wrong?

      If needed, I can try and restart DXKeeper, and perhaps make a screen grab of
      the box that came up, if that would help?

      73 de Phil GU0SUP
    • Dave AA6YQ
      Message 2 of 28 , Oct 9, 2013
        >>>AA6YQ comments below

        From: ARRL-LOTW@yahoogroups.com [mailto:ARRL-LOTW@yahoogroups.com] On Behalf Of Phil Cooper
        Sent: Wednesday, October 09, 2013 5:21 PM
        To: ARRL-LOTW@yahoogroups.com
        Subject: RE: [ARRL-LOTW] TQSL 2.0-RC7 Kit available for testing

         
        Rick and the group,

        I run the DXLab suite of programs, and I had cause to reboot the shack PC tonight, which caused a prompt telling me there was an
        update to TQSL.

        >>>When you started DXKeeper, it directed TQSL to check for “anything new”. TQSL reported that a new version (2.5) of LotW’s
        Configuration Data is available; DXKeeper then alerted you by displaying this information.

        I followed the on-screen prompts, but got a failure notice, telling me there was no file present.

        I am not quite sure whether the file that wasn't present was missing from the destination download folder, or from my hard drive.
        There was no clue as to what file name, only that THE file was missing.

        As yet, I have not tried manually downloading the file, as I thought it might need further investigation.

        Any ideas as to what may have gone wrong?

        >>>Please do the following, Phil:

        1. start TQSL

        2. if TQSL informs you that a new version of the Configuration file is available, decline to obtain it

        3. open TQSL's File menu and select "Diagnostic Mode"; you will be prompted to specify the location of a log file that TQSL will
        generate (by default, the name of this file will be tqsldiag.log)

        4. open the Help menu's "Check for Updates" command; if you are prompted to upgrade the Configuration file, accept the offer

        5. after the upgrade succeeds or fails, attach the log file created in step 3 to an email message, and send it to me via

        aa6yq (at) ambersoft.com

        >>>Thanks!

        73,

        Dave, AA6YQ
      • Rick Murphy
        Message 3 of 28 , Oct 9, 2013
          On Wed, Oct 9, 2013 at 4:34 PM, N4DW - Dave <n4dw@...> wrote:

           

          > So, I do not see the same result with –rc7 as I did with –rc5.

          That's good news.

          > Sorry for a bogus alert.

          No need to apologize. Apparently it may be fixed. If you see it again, using diagnostic mode can help to find the cause.
          Thanks for giving it a try!
          73,
              -Rick

        • pcooper
          Message 4 of 28 , Oct 10, 2013
            Dave (AA6YQ),

            I will try this as soon as I get home from work later today.

            Just out of curiosity, would I need to close DXKeeper before proceeding with step 1 in your instructions?

            73 de Phil GU0SUP
          • David Birnbaum
            Message 5 of 28 , Oct 10, 2013
              I just built tqsl-rc7 on my Ubuntu 13.04 32 bit system.  Build was successful.  Tried to load, sign and upload a log file.  Got all okay until the upload phase.  Following are the messages in the status window:

              Signing using Callsign K2LYV, DXCC Entity UNITED STATES OF AMERICA
              /home/drdave/test-install/wsjtx_log.adi: 3 QSO records were duplicates
              Attempting to upload 5 QSOs
              /home/drdave/test-install/wsjtx_log.adi: Couldn't upload the file: CURL returned "Peer certificate cannot be authenticated with given CA certificates" (SSL certificate problem: self signed certificate in certificate chain)
              Attempting to upload 5 QSOs
              /home/drdave/test-install/wsjtx_log.adi: Couldn't upload the file: CURL returned "Peer certificate cannot be authenticated with given CA certificates" (SSL certificate problem: self signed certificate in certificate chain)
              Attempting to upload 5 QSOs
              /home/drdave/test-install/wsjtx_log.adi: Couldn't upload the file: CURL returned "Peer certificate cannot be authenticated with given CA certificates" (SSL certificate problem: self signed certificate in certificate chain)
              Attempting to upload 5 QSOs
              /home/drdave/test-install/wsjtx_log.adi: Couldn't upload the file: CURL returned "Peer certificate cannot be authenticated with given CA certificates" (SSL certificate problem: self signed certificate in certificate chain)


              Perhaps problem is with my installation of CURL?

              db
              k2lyv

              P.S. This same log file uploaded without problem with tqsl4. Let me know if you want me to turn on any debug flags or anything else.


            • David Birnbaum
              Message 6 of 28 , Oct 10, 2013
              Here's an attempt to upload the same file as my last message with tqsl in diagnostic mode.  I'm attaching the diagnostic file.

              Sorry I missed this last time

              k2lyv
            • Rick Murphy
              Message 7 of 28 , Oct 10, 2013
                Here's what happens based on the log. Uninteresting stuff deleted.

                * About to connect() to lotw.arrl.org port 443 (#5)
                *   Trying 12.178.70.18...
                * Connected to lotw.arrl.org (12.178.70.18) port 443 (#5)
                * SSL certificate problem: self signed certificate in certificate chain

                That's a very interesting error. There is no "self signed" certificate in the chain for the lotw.arrl.org site.

                Go Daddy Secure Certification Authority signs the arrl.org certificate.
                Go Daddy Class 2 Certification Authority is a trusted root that signs the Go Daddy Secure Certification Authority certificate.

                Is this repeatable?  i.e. are you always seeing the following error when you try to upload?
                "Couldn't upload the file: CURL returned "Peer certificate cannot be authenticated with given CA certificates" (SSL certificate problem: self signed certificate in certificate chain)" 

                How are you connected to the Internet? It appears that something is playing a Man-in-the-middle attack against your system. This could be a "legitimate" corporate traffic redirection, or could be malware.
                73,
                    -Rick



                On Thu, Oct 10, 2013 at 1:03 PM, David Birnbaum <dbirnbau@...> wrote:
                 
                [Attachment(s) from David Birnbaum included below]

                Here's an attempt to upload the same file as my last message with tqsl in diagnostic mode.  I'm attaching the diagnostic file.

                Sorry I missed this last time

                k2lyv




                --
                Rick Murphy, CISSP-ISSAP, K1MU/4, Annandale VA USA
              • Dave AA6YQ
                Message 8 of 28 , Oct 10, 2013
                  It’s not necessary to terminate DXKeeper while working with TQSL.

                  73,

                  Dave, AA6YQ

                  From: ARRL-LOTW@yahoogroups.com [mailto:ARRL-LOTW@yahoogroups.com] On Behalf Of pcooper
                  Sent: Thursday, October 10, 2013 5:06 AM
                  To: ARRL-LOTW@yahoogroups.com
                  Subject: [ARRL-LOTW] RE: TQSL 2.0-RC7 Kit available for testing


                  Dave (AA6YQ),

                  I will try this as soon as I get home from work later today.

                  Just out of curiosity, would I need to close DXKeeper before proceeding with step 1 in your instructions?

                  73 de Phil GU0SUP

                • Rick Murphy
                  Message 9 of 28 , Oct 10, 2013
                    On Thu, Oct 10, 2013 at 12:58 PM, David Birnbaum <dbirnbau@...> wrote:
                     

                    > I just built tqsl-rc7 on my Ubuntu 13.04 32 bit system.  Build was successful.  Tried to load, sign and upload a log file.  Got all okay until the upload phase.  Following are the messages in the status window:
                    >
                    > Signing using Callsign K2LYV, DXCC Entity UNITED STATES OF AMERICA
                    > /home/drdave/test-install/wsjtx_log.adi: 3 QSO records were duplicates
                    > Attempting to upload 5 QSOs
                    > /home/drdave/test-install/wsjtx_log.adi: Couldn't upload the file: CURL returned "Peer certificate cannot be authenticated with given CA certificates" (SSL certificate problem: self signed certificate in certificate chain)
                    > ....
                    > Perhaps problem is with my installation of CURL?

                    I see that the problem is repeatable. Yes, this is a defect in libcURL introduced with 7.32.0


                    libcURL 7.31.0 seems stable with TQSL for me on Windows and MacOS. On Linux (fedora), I'm using 7.27.
                    73,
                        -Rick
                  • David Birnbaum
                    Message 10 of 28 , Oct 10, 2013
                      Laptop is hard wired to 10/100 switch which is hard wired to 10/100/1k switch on FIOS modem.  After that it's Verizon to Internet to ARRL.

                      Note that same file and same certificate with task 1.14 goes fine.

                      ,k2lyv
                    • iain macdonnell - N6ML
                      Message 11 of 28 , Oct 10, 2013
                        What does 'curl https://lotw.arrl.org/' say ?

                        ~iain / N6ML


                        On Thu, Oct 10, 2013 at 11:16 AM, David Birnbaum <dbirnbau@...> wrote:
                        >
                        >
                        >
                        > Laptop is hard wired to 10/100 switch which is hard wired to 10/100/1k switch on FIOS modem. After that it's Verizon to Internet to ARRL.
                        >
                        >
                        > Note that same file and same certificate with task 1.14 goes fine.
                        >
                        > ,k2lyv
                        >
                        >
                      • David Birnbaum
                        Message 12 of 28 , Oct 10, 2013
                          curl -v https://lotw.arrl.org/
                          * About to connect() to lotw.arrl.org port 443 (#0)
                          *   Trying 12.178.70.18...
                          * Adding handle: conn: 0x8b19c50
                          * Adding handle: send: 0
                          * Adding handle: recv: 0
                          * Curl_addHandleToPipeline: length: 1
                          * - Conn 0 (0x8b19c50) send_pipe: 1, recv_pipe: 0
                          * Connected to lotw.arrl.org (12.178.70.18) port 443 (#0)
                          * SSLv3, TLS handshake, Client hello (1):
                          * SSLv3, TLS handshake, Server hello (2):
                          * SSLv3, TLS handshake, CERT (11):
                          * SSLv3, TLS alert, Server hello (2):
                          * SSL certificate problem: self signed certificate in certificate chain
                          * Closing connection 0
                          curl: (60) SSL certificate problem: self signed certificate in certificate chain
                          More details here: http://curl.haxx.se/docs/sslcerts.html

                          curl performs SSL certificate verification by default, using a "bundle"
                           of Certificate Authority (CA) public keys (CA certs). If the default
                           bundle file isn't adequate, you can specify an alternate file
                           using the --cacert option.
                          If this HTTPS server uses a certificate signed by a CA represented in
                           the bundle, the certificate verification probably failed due to a
                           problem with the certificate (it might be expired, or the name might
                           not match the domain name in the URL).
                          If you'd like to turn off curl's verification of the certificate, use
                           the -k (or --insecure) option.



                          On Thu, Oct 10, 2013 at 2:18 PM, iain macdonnell - N6ML <ar@...> wrote:
                          What does 'curl https://lotw.arrl.org/' say ?

                              ~iain / N6ML


                          On Thu, Oct 10, 2013 at 11:16 AM, David Birnbaum <dbirnbau@...> wrote:
                          >
                          >
                          >
                          > Laptop is hard wired to 10/100 switch which is hard wired to 10/100/1k switch on FIOS modem.  After that it's Verizon to Internet to ARRL.
                          >
                          >
                          > Note that same file and same certificate with task 1.14 goes fine.
                          >
                          > ,k2lyv
                          >
                          >




                        • iain macdonnell - N6ML
                          Message 13 of 28 , Oct 10, 2013
                            Yeah, so that pretty much proves that something funny is going without
                            tQSL's control.

                            How about 'openssl s_client -connect lotw.arrl.org:443' ?

                            ~iain / N6ML



                            On Thu, Oct 10, 2013 at 12:17 PM, David Birnbaum <dbirnbau@...> wrote:
                            >
                            >
                            >
                            > curl -v https://lotw.arrl.org/
                            > * About to connect() to lotw.arrl.org port 443 (#0)
                            > * Trying 12.178.70.18...
                            > * Adding handle: conn: 0x8b19c50
                            > * Adding handle: send: 0
                            > * Adding handle: recv: 0
                            > * Curl_addHandleToPipeline: length: 1
                            > * - Conn 0 (0x8b19c50) send_pipe: 1, recv_pipe: 0
                            > * Connected to lotw.arrl.org (12.178.70.18) port 443 (#0)
                            > * SSLv3, TLS handshake, Client hello (1):
                            > * SSLv3, TLS handshake, Server hello (2):
                            > * SSLv3, TLS handshake, CERT (11):
                            > * SSLv3, TLS alert, Server hello (2):
                            > * SSL certificate problem: self signed certificate in certificate chain
                            > * Closing connection 0
                            > curl: (60) SSL certificate problem: self signed certificate in certificate chain
                            > More details here: http://curl.haxx.se/docs/sslcerts.html
                            >
                            > curl performs SSL certificate verification by default, using a "bundle"
                            > of Certificate Authority (CA) public keys (CA certs). If the default
                            > bundle file isn't adequate, you can specify an alternate file
                            > using the --cacert option.
                            > If this HTTPS server uses a certificate signed by a CA represented in
                            > the bundle, the certificate verification probably failed due to a
                            > problem with the certificate (it might be expired, or the name might
                            > not match the domain name in the URL).
                            > If you'd like to turn off curl's verification of the certificate, use
                            > the -k (or --insecure) option.
                            >
                            >
                            >
                            > On Thu, Oct 10, 2013 at 2:18 PM, iain macdonnell - N6ML <ar@...> wrote:
                            >>
                            >> What does 'curl https://lotw.arrl.org/' say ?
                            >>
                            >> ~iain / N6ML
                            >>
                            >>
                            >> On Thu, Oct 10, 2013 at 11:16 AM, David Birnbaum <dbirnbau@...> wrote:
                            >> >
                            >> >
                            >> >
                            >> > Laptop is hard wired to 10/100 switch which is hard wired to 10/100/1k switch on FIOS modem. After that it's Verizon to Internet to ARRL.
                            >> >
                            >> >
                            >> > Note that same file and same certificate with task 1.14 goes fine.
                            >> >
                            >> > ,k2lyv
                            >> >
                            >> >
                            >>
                            >>
                            >
                            >
                          • Rick Murphy
                            Message 14 of 28 , Oct 10, 2013
                              When TQSL uses libcURL to read from the LoTW site, we do it with verification enabled.
                              Apparently, the defect I mentioned earlier breaks libcURL, as well as the curl command.
                              Try
                              curl https://www.google.com/

                              It will (incorrectly) say the same thing.   In other words, this isn't anything wrong with TQSL or LoTW.
                              73,
                                  -Rick


                              On Thu, Oct 10, 2013 at 3:17 PM, David Birnbaum <dbirnbau@...> wrote:
                               

                              * About to connect() to lotw.arrl.org port 443 (#0)
                              *   Trying 12.178.70.18...
                              * Adding handle: conn: 0x8b19c50
                              * Adding handle: send: 0
                              * Adding handle: recv: 0
                              * Curl_addHandleToPipeline: length: 1
                              * - Conn 0 (0x8b19c50) send_pipe: 1, recv_pipe: 0
                              * Connected to lotw.arrl.org (12.178.70.18) port 443 (#0)
                              * SSLv3, TLS handshake, Client hello (1):
                              * SSLv3, TLS handshake, Server hello (2):
                              * SSLv3, TLS handshake, CERT (11):
                              * SSLv3, TLS alert, Server hello (2):
                              * SSL certificate problem: self signed certificate in certificate chain
                              * Closing connection 0
                              curl: (60) SSL certificate problem: self signed certificate in certificate chain

                              curl performs SSL certificate verification by default, using a "bundle"
                               of Certificate Authority (CA) public keys (CA certs). If the default
                               bundle file isn't adequate, you can specify an alternate file
                               using the --cacert option.
                              If this HTTPS server uses a certificate signed by a CA represented in
                               the bundle, the certificate verification probably failed due to a
                               problem with the certificate (it might be expired, or the name might
                               not match the domain name in the URL).
                              If you'd like to turn off curl's verification of the certificate, use
                               the -k (or --insecure) option.



                              On Thu, Oct 10, 2013 at 2:18 PM, iain macdonnell - N6ML <ar@...> wrote:
                              What does 'curl https://lotw.arrl.org/' say ?

                                  ~iain / N6ML


                              On Thu, Oct 10, 2013 at 11:16 AM, David Birnbaum <dbirnbau@...> wrote:
                              >
                              >
                              >
                              > Laptop is hard wired to 10/100 switch which is hard wired to 10/100/1k switch on FIOS modem.  After that it's Verizon to Internet to ARRL.
                              >
                              >
                              > Note that same file and same certificate with task 1.14 goes fine.
                              >
                              > ,k2lyv
                              >
                              >







                              --
                              Rick Murphy, CISSP-ISSAP, K1MU/4, Annandale VA USA
                            • iain macdonnell - N6ML
                              Message 15 of 28 , Oct 10, 2013
                                Hi Rick,

                                I don't mean to be argumentative, but the defect you referenced
                                earlier doesn't look anything like the problem that David is
                                experiencing. That purported (not acknowledged) defect has to do with
                                hostname verification not failing when it should. I think you were on
                                the right track earlier, when you suspected that something is
                                intercepting David's HTTPS connection - maybe malware, or some sort of
                                attempt at a transparent proxy....

                                73,

                                ~iain / N6ML



                                On Thu, Oct 10, 2013 at 12:48 PM, Rick Murphy <k1mu@...> wrote:
                                >
                                >
                                >
                                > When TQSL uses libcURL to read from the LoTW site, we do it with verification enabled.
                                > Apparently, the defect I mentioned earlier breaks libcURL, as well as the curl command.
                                > Try
                                > curl https://www.google.com/
                                >
                                > It will (incorrectly) say the same thing. In other words, this isn't anything wrong with TQSL or LoTW.
                                > 73,
                                > -Rick
                                >
                                >
                                > On Thu, Oct 10, 2013 at 3:17 PM, David Birnbaum <dbirnbau@...> wrote:
                                >>
                                >>
                                >>
                                >> curl -v https://lotw.arrl.org/
                                >> * About to connect() to lotw.arrl.org port 443 (#0)
                                >> * Trying 12.178.70.18...
                                >> * Adding handle: conn: 0x8b19c50
                                >> * Adding handle: send: 0
                                >> * Adding handle: recv: 0
                                >> * Curl_addHandleToPipeline: length: 1
                                >> * - Conn 0 (0x8b19c50) send_pipe: 1, recv_pipe: 0
                                >> * Connected to lotw.arrl.org (12.178.70.18) port 443 (#0)
                                >> * SSLv3, TLS handshake, Client hello (1):
                                >> * SSLv3, TLS handshake, Server hello (2):
                                >> * SSLv3, TLS handshake, CERT (11):
                                >> * SSLv3, TLS alert, Server hello (2):
                                >> * SSL certificate problem: self signed certificate in certificate chain
                                >> * Closing connection 0
                                >> curl: (60) SSL certificate problem: self signed certificate in certificate chain
                                >> More details here: http://curl.haxx.se/docs/sslcerts.html
                                >>
                                >> curl performs SSL certificate verification by default, using a "bundle"
                                >> of Certificate Authority (CA) public keys (CA certs). If the default
                                >> bundle file isn't adequate, you can specify an alternate file
                                >> using the --cacert option.
                                >> If this HTTPS server uses a certificate signed by a CA represented in
                                >> the bundle, the certificate verification probably failed due to a
                                >> problem with the certificate (it might be expired, or the name might
                                >> not match the domain name in the URL).
                                >> If you'd like to turn off curl's verification of the certificate, use
                                >> the -k (or --insecure) option.
                                >>
                                >>
                                >>
                                >> On Thu, Oct 10, 2013 at 2:18 PM, iain macdonnell - N6ML <ar@...> wrote:
                                >>>
                                >>> What does 'curl https://lotw.arrl.org/' say ?
                                >>>
                                >>> ~iain / N6ML
                                >>>
                                >>>
                                >>> On Thu, Oct 10, 2013 at 11:16 AM, David Birnbaum <dbirnbau@...> wrote:
                                >>> >
                                >>> >
                                >>> >
                                >>> > Laptop is hard wired to 10/100 switch which is hard wired to 10/100/1k switch on FIOS modem. After that it's Verizon to Internet to ARRL.
                                >>> >
                                >>> >
                                >>> > Note that same file and same certificate with task 1.14 goes fine.
                                >>> >
                                >>> > ,k2lyv
                                >>> >
                                >>> >
                                >>>
                                >>>
                                >>> ------------------------------------
                                >>>
                                >>> Yahoo! Groups Links
                                >>>
                                >>>
                                >>>
                                >>
                                >
                                >
                                >
                                > --
                                > Rick Murphy, CISSP-ISSAP, K1MU/4, Annandale VA USA
                                >
                                >
                              • Rick Murphy
                                Message 16 of 28 , Oct 10, 2013
                                  Iain,
                                  That's possible, however that is an acknowledged defect in curl - the
                                  developer rejected the proposed patch and created their own.
                                  I'm not convinced that it's unrelated. The only unique thing is the
                                  upgrade to libcURL to 7.32.0 - 7.31.0 is known to work properly.

                                  If openssl isn't able to open the site with a similar failure, or if
                                  using firefox to open it fails with certificate validation errors,
                                  then I think you're right.
                                  However, it's a Linux system, so I think malware is somewhat unlikely.

                                  Let David try a few more experiments so we can pin this down. If I get
                                  a chance, I'll try 7.32.0 and see if I can reproduce it.
                                  73,
                                  -Rick

                                  On Thu, Oct 10, 2013 at 4:20 PM, iain macdonnell - N6ML <ar@...> wrote:
                                  > Hi Rick,
                                  >
                                  > I don't mean to be argumentative, but the defect you referenced
                                  > earlier doesn't look anything like the problem that David is
                                  > experiencing. That purported (not acknowledged) defect has to do with
                                  > hostname verification not failing when it should. I think you were on
                                  > the right track earlier, when you suspected that something is
                                  > intercepting David's HTTPS connection - maybe malware, or some sort of
                                  > attempt at a transparent proxy....
                                  >
                                  > 73,
                                  >
                                  > ~iain / N6ML
                                  >
                                  >
                                  >
                                  > On Thu, Oct 10, 2013 at 12:48 PM, Rick Murphy <k1mu@...> wrote:
                                  >>
                                  >>
                                  >>
                                  >> When TQSL uses libcURL to read from the LoTW site, we do it with verification enabled.
                                  >> Apparently, the defect I mentioned earlier breaks libcURL, as well as the curl command.
                                  >> Try
                                  >> curl https://www.google.com/
                                  >>
                                  >> It will (incorrectly) say the same thing. In other words, this isn't anything wrong with TQSL or LoTW.
                                  >> 73,
                                  >> -Rick
                                  >>
                                  >>
                                  >> On Thu, Oct 10, 2013 at 3:17 PM, David Birnbaum <dbirnbau@...> wrote:
                                  >>>
                                  >>>
                                  >>>
                                  >>> curl -v https://lotw.arrl.org/
                                  >>> * About to connect() to lotw.arrl.org port 443 (#0)
                                  >>> * Trying 12.178.70.18...
                                  >>> * Adding handle: conn: 0x8b19c50
                                  >>> * Adding handle: send: 0
                                  >>> * Adding handle: recv: 0
                                  >>> * Curl_addHandleToPipeline: length: 1
                                  >>> * - Conn 0 (0x8b19c50) send_pipe: 1, recv_pipe: 0
                                  >>> * Connected to lotw.arrl.org (12.178.70.18) port 443 (#0)
                                  >>> * SSLv3, TLS handshake, Client hello (1):
                                  >>> * SSLv3, TLS handshake, Server hello (2):
                                  >>> * SSLv3, TLS handshake, CERT (11):
                                  >>> * SSLv3, TLS alert, Server hello (2):
                                  >>> * SSL certificate problem: self signed certificate in certificate chain
                                  >>> * Closing connection 0
                                  >>> curl: (60) SSL certificate problem: self signed certificate in certificate chain
                                  >>> More details here: http://curl.haxx.se/docs/sslcerts.html
                                  >>>
                                  >>> curl performs SSL certificate verification by default, using a "bundle"
                                  >>> of Certificate Authority (CA) public keys (CA certs). If the default
                                  >>> bundle file isn't adequate, you can specify an alternate file
                                  >>> using the --cacert option.
                                  >>> If this HTTPS server uses a certificate signed by a CA represented in
                                  >>> the bundle, the certificate verification probably failed due to a
                                  >>> problem with the certificate (it might be expired, or the name might
                                  >>> not match the domain name in the URL).
                                  >>> If you'd like to turn off curl's verification of the certificate, use
                                  >>> the -k (or --insecure) option.
                                  >>>
                                  >>>
                                  >>>
                                  >>> On Thu, Oct 10, 2013 at 2:18 PM, iain macdonnell - N6ML <ar@...> wrote:
                                  >>>>
                                  >>>> What does 'curl https://lotw.arrl.org/' say ?
                                  >>>>
                                  >>>> ~iain / N6ML
                                  >>>>
                                  >>>>
                                  >>>> On Thu, Oct 10, 2013 at 11:16 AM, David Birnbaum <dbirnbau@...> wrote:
                                  >>>> >
                                  >>>> >
                                  >>>> >
                                  >>>> > Laptop is hard wired to 10/100 switch which is hard wired to 10/100/1k switch on FIOS modem. After that it's Verizon to Internet to ARRL.
                                  >>>> >
                                  >>>> >
                                  >>>> > Note that same file and same certificate with task 1.14 goes fine.
                                  >>>> >
                                  >>>> > ,k2lyv
                                  >>>> >
                                  >>>> >
                                  >>>>
                                  >>>>
                                  >>>
                                  >>
                                  >>
                                  >>
                                  >> --
                                  >> Rick Murphy, CISSP-ISSAP, K1MU/4, Annandale VA USA
                                  >>
                                  >>
                                  >
                                  >



                                  --
                                  Rick Murphy, CISSP-ISSAP, K1MU/4, Annandale VA USA
                                • iain macdonnell - N6ML
                                  Message 17 of 28 , Oct 10, 2013

                                    FWIW, it seems to work fine for me on FC18...

                                    [n6ml@localhost ~]$ ldd /usr/local/bin/tqsl | grep curl
                                            libcurl.so.4 => /lib64/libcurl.so.4 (0x00007f565ccc8000)
                                    [n6ml@localhost ~]$ rpm -qf /lib64/libcurl.so.4
                                    libcurl-7.32.0-2.0.cf.fc18.x86_64
                                    [n6ml@localhost ~]$



                                    * About to connect() to lotw.arrl.org port 443 (#0)
                                    *   Trying 12.178.70.18...
                                    UploadDialog::doUpdaeProgresss: dltotal=0.000000, dlnow=0.000000, ultotal=0.000000, ulnow=0.000000
                                    UploadDialog::doUpdaeProgresss: dltotal=0.000000, dlnow=0.000000, ultotal=0.000000, ulnow=0.000000
                                    * Connected to lotw.arrl.org (12.178.70.18) port 443 (#0)
                                    * Initializing NSS with certpath: sql:/etc/pki/nssdb
                                    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
                                      CApath: none
                                    * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
                                    * Server certificate:
                                    *       subject: CN=*.arrl.org,OU=Domain Control Validated,O=*.arrl.org
                                    *       start date: Jan 17 15:42:43 2013 GMT
                                    *       expire date: Jan 17 15:42:43 2014 GMT
                                    *       common name: *.arrl.org
                                    *       issuer: serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
                                    UploadDialog::doUpdaeProgresss: dltotal=0.000000, dlnow=0.000000, ultotal=0.000000, ulnow=0.000000
                                    > POST /lotw/upload HTTP/1.1
                                    Accept: */*
                                    Content-Length: 1718
                                    ...etc...



                                    73,

                                        ~iain / N6ML












                                  • Rick Murphy
                                    Message 18 of 28 , Oct 10, 2013
                                      FC18 32 bit still has an older version of libcURL:

                                      $ ldd tqsl | grep curl
                                              libcurl.so.4 => /lib/libcurl.so.4 (0xb7653000)
                                      $ rpm -qf /lib/libcurl.so.4
                                      libcurl-7.27.0-12.fc18.i686

                                      I do most of my development on FC18 32 bit, so I *know* that's working fine.

                                      I just built curl 7.32.0 from source and tried it with lotw.arrl.org and it worked fine.

                                      It seems like my original reaction - that something is doing a man-in-the-middle attack - may be correct.
                                      Or, perhaps there's some bug in the Debian build of 7.32.0?
                                      73,
                                          -Rick


                                      On Thu, Oct 10, 2013 at 6:35 PM, iain macdonnell - N6ML <ar@...> wrote:
                                       


                                      FWIW, it seems to work fine for me on FC18...

                                      [n6ml@localhost ~]$ ldd /usr/local/bin/tqsl | grep curl
                                              libcurl.so.4 => /lib64/libcurl.so.4 (0x00007f565ccc8000)
                                      [n6ml@localhost ~]$ rpm -qf /lib64/libcurl.so.4
                                      libcurl-7.32.0-2.0.cf.fc18.x86_64
                                      [n6ml@localhost ~]$



                                      * About to connect() to lotw.arrl.org port 443 (#0)
                                      *   Trying 12.178.70.18...
                                      UploadDialog::doUpdaeProgresss: dltotal=0.000000, dlnow=0.000000, ultotal=0.000000, ulnow=0.000000
                                      UploadDialog::doUpdaeProgresss: dltotal=0.000000, dlnow=0.000000, ultotal=0.000000, ulnow=0.000000
                                      * Connected to lotw.arrl.org (12.178.70.18) port 443 (#0)
                                      * Initializing NSS with certpath: sql:/etc/pki/nssdb
                                      *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
                                        CApath: none
                                      * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
                                      * Server certificate:
                                      *       subject: CN=*.arrl.org,OU=Domain Control Validated,O=*.arrl.org
                                      *       start date: Jan 17 15:42:43 2013 GMT
                                      *       expire date: Jan 17 15:42:43 2014 GMT
                                      *       common name: *.arrl.org
                                      *       issuer: serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
                                      UploadDialog::doUpdaeProgresss: dltotal=0.000000, dlnow=0.000000, ultotal=0.000000, ulnow=0.000000
                                      > POST /lotw/upload HTTP/1.1
                                      Accept: */*
                                      Content-Length: 1718
                                      ...etc...



                                      73,

                                          ~iain / N6ML










                                      On Thu, Oct 10, 2013 at 2:51 PM, Rick Murphy <k1mu@...> wrote:
                                       

                                      Iain,
                                      That's possible, however that is an acknowledged defect in curl - the
                                      developer rejected the proposed patch and created their own.
                                      I'm not convinced that it's unrelated. The only unique thing is the
                                      upgrade to libcURL to 7.32.0 - 7.31.0 is known to work properly.

                                      If openssl isn't able to open the site with a similar failure, or if
                                      using firefox to open it fails with certificate validation errors,
                                      then I think you're right.
                                      However, it's a Linux system, so I think malware is somewhat unlikely.

                                      Let David try a few more experiments so we can pin this down. If I get
                                      a chance, I'll try 7.32.0 and see if I can reproduce it.
                                      73,
                                      -Rick



                                      On Thu, Oct 10, 2013 at 4:20 PM, iain macdonnell - N6ML <ar@...> wrote:
                                      > Hi Rick,
                                      >
                                      > I don't mean to be argumentative, but the defect you referenced
                                      > earlier doesn't look anything like the problem that David is
                                      > experiencing. That purported (not acknowledged) defect has to do with
                                      > hostname verification not failing when it should. I think you were on
                                      > the right track earlier, when you suspected that something is
                                      > intercepting David's HTTPS connection - maybe malware, or some sort of
                                      > attempt at a transparent proxy....
                                      >
                                      > 73,
                                      >
                                      > ~iain / N6ML
                                      >
                                      >
                                      >
                                      > On Thu, Oct 10, 2013 at 12:48 PM, Rick Murphy <k1mu@...> wrote:
                                      >>
                                      >>
                                      >>
                                      >> When TQSL uses libcURL to read from the LoTW site, we do it with verification enabled.
                                      >> Apparently, the defect I mentioned earlier breaks libcURL, as well as the curl command.
                                      >> Try
                                      >> curl https://www.google.com/
                                      >>
                                      >> It will (incorrectly) say the same thing. In other words, this isn't anything wrong with TQSL or LoTW.
                                      >> 73,
                                      >> -Rick
                                      >>
                                      >>
                                      >> On Thu, Oct 10, 2013 at 3:17 PM, David Birnbaum <dbirnbau@...> wrote:
                                      >>>
                                      >>>
                                      >>>
                                      >>> curl -v https://lotw.arrl.org/
                                      >>> * About to connect() to lotw.arrl.org port 443 (#0)
                                      >>> * Trying 12.178.70.18...
                                      >>> * Adding handle: conn: 0x8b19c50
                                      >>> * Adding handle: send: 0
                                      >>> * Adding handle: recv: 0
                                      >>> * Curl_addHandleToPipeline: length: 1
                                      >>> * - Conn 0 (0x8b19c50) send_pipe: 1, recv_pipe: 0
                                      >>> * Connected to lotw.arrl.org (12.178.70.18) port 443 (#0)
                                      >>> * SSLv3, TLS handshake, Client hello (1):
                                      >>> * SSLv3, TLS handshake, Server hello (2):
                                      >>> * SSLv3, TLS handshake, CERT (11):
                                      >>> * SSLv3, TLS alert, Server hello (2):
                                      >>> * SSL certificate problem: self signed certificate in certificate chain
                                      >>> * Closing connection 0
                                      >>> curl: (60) SSL certificate problem: self signed certificate in certificate chain
                                      >>> More details here: http://curl.haxx.se/docs/sslcerts.html
                                      >>>
                                      >>> curl performs SSL certificate verification by default, using a "bundle"
                                      >>> of Certificate Authority (CA) public keys (CA certs). If the default
                                      >>> bundle file isn't adequate, you can specify an alternate file
                                      >>> using the --cacert option.
                                      >>> If this HTTPS server uses a certificate signed by a CA represented in
                                      >>> the bundle, the certificate verification probably failed due to a
                                      >>> problem with the certificate (it might be expired, or the name might
                                      >>> not match the domain name in the URL).
                                      >>> If you'd like to turn off curl's verification of the certificate, use
                                      >>> the -k (or --insecure) option.
                                      >>>
                                      >>>
                                      >>>
                                      >>> On Thu, Oct 10, 2013 at 2:18 PM, iain macdonnell - N6ML <ar@...> wrote:
                                      >>>>
                                      >>>> What does 'curl https://lotw.arrl.org/' say ?
                                      >>>>
                                      >>>> ~iain / N6ML
                                      >>>>
                                      >>>>
                                      >>>> On Thu, Oct 10, 2013 at 11:16 AM, David Birnbaum <dbirnbau@...> wrote:
                                      >>>> >
                                      >>>> >
                                      >>>> >
                                      >>>> > Laptop is hard wired to 10/100 switch which is hard wired to 10/100/1k switch on FIOS modem. After that it's Verizon to Internet to ARRL.
                                      >>>> >
                                      >>>> >
                                      >>>> > Note that same file and same certificate with task 1.14 goes fine.
                                      >>>> >
                                      >>>> > ,k2lyv
                                      >>>> >
                                      >>>> >
                                      >>>>
                                      >>>>
                                      >>>
                                      >>
                                      >>
                                      >>
                                      >> --
                                      >> Rick Murphy, CISSP-ISSAP, K1MU/4, Annandale VA USA
                                      >>
                                      >>
                                      >
                                      >

                                      --
                                      Rick Murphy, CISSP-ISSAP, K1MU/4, Annandale VA USA





                                    • Rick Murphy
                                      Message 19 of 28 , Oct 11, 2013
                                        On Thu, Oct 10, 2013 at 12:58 PM, David Birnbaum <dbirnbau@...> wrote:

                                        Perhaps problem is with my installation of CURL?

                                        Great ideas come to us when we sleep on it. :-)

                                        I think Iain pointed out the possible cause, but I missed it.
                                        A root certificate is a self-signed certificate. In other words, Go Daddy says that "this is my certificate", so we install that into a repository and the tools trust those. The error you're getting indicates that your system is not configured with a set of trusted roots that contains the Go Daddy root.

                                        So, you're either missing the install of whatever package provides the root certificate bundle, or libcURL isn't configured to use whatever root certificate bundle exists on your system.

                                        On Fedora 18, the trusted certificates are stored in /etc/pki/tls/certs/ca-bundle.crt
                                        $ rpm -q --whatprovides /etc/pki/tls/certs/ca-bundle.crt
                                        ca-certificates-2012.87-1.fc18.noarch

                                        Perhaps there's a similar package for Ubuntu.
                                        73,
                                            -Rick
                                        -- 
                                        Rick Murphy, CISSP-ISSAP, K1MU/4, Annandale VA USA
                                      • Paul M Dunphy
                                        Message 20 of 28 , Oct 11, 2013
                                          On 10/11/2013 7:14 AM, Rick Murphy wrote:
                                          >
                                          >
                                          > On Thu, Oct 10, 2013 at 12:58 PM, David Birnbaum <dbirnbau@...
                                          > <mailto:dbirnbau@...>> wrote:
                                          >
                                          > __
                                          >
                                          > Perhaps problem is with my installation of CURL?
                                          >
                                          >
                                          > Great ideas come to us when we sleep on it. :-)
                                          >
                                          > I think Iain pointed out the possible cause, but I missed it.
                                          > A root certificate is a self-signed certificate. In other words, Go
                                          > Daddy says that "this is my certificate", so we install that into a
                                          > repository and the tools trust those. The error you're getting indicates
                                          > that your system is not configured with a set of trusted roots that
                                          > contains the Go Daddy root.
                                          >
                                          > So, you're either missing the install of whatever package provides the
                                          > root certificate bundle, or libcURL isn't configured to use whatever
                                          > root certificate bundle exists on your system.
                                          >
                                          > On Fedora 18, the trusted certificates are stored in
                                          > /etc/pki/tls/certs/ca-bundle.crt
                                          > $ rpm -q --whatprovides /etc/pki/tls/certs/ca-bundle.crt
                                          > ca-certificates-2012.87-1.fc18.noarch
                                          >
                                          > Perhaps there's a similar package for Ubuntu.
                                          > 73,
                                          > -Rick
                                          > --
                                          > Rick Murphy, CISSP-ISSAP, K1MU/4, Annandale VA USA
                                          >
                                          >

                                          Same deal on FC19, Rick:

                                          [pdunphy@maui ~]$ rpm -q --whatprovides /etc/pki/tls/certs/ca-bundle.crt
                                          ca-certificates-2013.1.94-1.fc19.noarch
                                          [pdunphy@maui ~]$

                                          curl seems to behave OK:

                                          [pdunphy@maui ~]$ curl -v https://lotw.arrl.org/
                                          * About to connect() to lotw.arrl.org port 443 (#0)
                                          * Trying 12.178.70.18...
                                          * Connected to lotw.arrl.org (12.178.70.18) port 443 (#0)
                                          * Initializing NSS with certpath: sql:/etc/pki/nssdb
                                          * CAfile: /etc/pki/tls/certs/ca-bundle.crt
                                          CApath: none
                                          * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
                                          * Server certificate:
                                          * subject: CN=*.arrl.org,OU=Domain Control Validated,O=*.arrl.org
                                          * start date: Jan 17 15:42:43 2013 GMT
                                          * expire date: Jan 17 15:42:43 2014 GMT
                                          * common name: *.arrl.org
                                          * issuer: serialNumber=07969287,CN=Go Daddy Secure Certification
                                          Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com,
                                          Inc.",L=Scottsdale,ST=Arizona,C=US
                                          > GET / HTTP/1.1
                                          > User-Agent: curl/7.29.0
                                          > Host: lotw.arrl.org
                                          > Accept: */*
                                          >
                                          < HTTP/1.1 301 Moved Permanently
                                          < Date: Fri, 11 Oct 2013 13:06:43 GMT
                                          < Server: Apache/2.2.15 (CentOS)
                                          < Location: https://lotw.arrl.org/cgi-bin/lotw_page_auth/default
                                          < Transfer-Encoding: chunked
                                          < Content-Type: text/html; charset=UTF-8
                                          <
                                          <HTML><HEAD><TITLE>Redirect</TITLE></HEAD><BODY>
                                          Redirect to <A
                                          HREF="https://lotw.arrl.org/cgi-bin/lotw_page_auth/default">https://lotw.arrl.org/cgi-bin/lotw_page_auth/default</A></BODY></HTML>
                                          * Connection #0 to host lotw.arrl.org left intact
                                          [pdunphy@maui ~]$

                                          73, Paul VE1DX (a/k/a pdunphy@maui)
                                        • iain macdonnell - N6ML
                                          Message 21 of 28 , Oct 11, 2013
                                            On Fri, Oct 11, 2013 at 3:14 AM, Rick Murphy <k1mu@...> wrote:
                                            >
                                            >
                                            >
                                            > On Thu, Oct 10, 2013 at 12:58 PM, David Birnbaum <dbirnbau@...> wrote:
                                            >>
                                            >>
                                            >> Perhaps problem is with my installation of CURL?
                                            >
                                            >
                                            > Great ideas come to us when we sleep on it. :-)
                                            >
                                            > I think Iain pointed out the possible cause, but I missed it.
                                            > A root certificate is a self-signed certificate. In other words, Go Daddy says that "this is my certificate", so we install that into a repository and the tools trust those. The error you're getting indicates that your system is not configured with a set of trusted roots that contains the Go Daddy root.

                                            That was the first idea that popped into my head, but I tried
                                            sabotaging my own CA cert bundle, and found that both the curl command
                                            and tQSL produce a different error in that case...

                                            * About to connect() to lotw.arrl.org port 443 (#1)
                                            * Trying 12.178.70.18...
                                            UploadDialog::doUpdaeProgresss: dltotal=0.000000, dlnow=0.000000,
                                            ultotal=0.000000, ulnow=0.000000
                                            UploadDialog::doUpdaeProgresss: dltotal=0.000000, dlnow=0.000000,
                                            ultotal=0.000000, ulnow=0.000000
                                            * Connected to lotw.arrl.org (12.178.70.18) port 443 (#1)
                                            * CAfile: /etc/pki/tls/certs/ca-bundle.crt
                                            CApath: none
                                            * Server certificate:
                                            * subject: CN=*.arrl.org,OU=Domain Control Validated,O=*.arrl.org
                                            * start date: Jan 17 15:42:43 2013 GMT
                                            * expire date: Jan 17 15:42:43 2014 GMT
                                            * common name: *.arrl.org
                                            * issuer: serialNumber=07969287,CN=Go Daddy Secure Certification
                                            Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com,
                                            Inc.",L=Scottsdale,ST=Arizona,C=US
                                            * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
                                            * Peer's certificate issuer has been marked as not trusted by the user.
                                            * Closing connection 1
                                            UploadDialog::OnDone:
                                            cURL Error: Peer certificate cannot be authenticated with given CA
                                            certificates (Peer's certificate issuer has been marked as not trusted
                                            by the user.)
                                            /home/n6ml/ptest.adi: Couldn't upload the file: CURL returned "Peer
                                            certificate cannot be authenticated with given CA certificates"
                                            (Peer's certificate issuer has been marked as not trusted by the
                                            user.)
                                            free_certlist:


                                            It's interesting that David's diagnostic log didn't show any
                                            information about the self-signed cert that was rejected ....

                                            73,

                                            ~iain / N6ML
                                          • Peter Laws
                                            Message 22 of 28 , Oct 11, 2013
                                              On Fri, Oct 11, 2013 at 5:14 AM, Rick Murphy <k1mu@...> wrote:
                                              >
                                              >
                                              > On Fedora 18, the trusted certificates are stored in /etc/pki/tls/certs/ca-bundle.crt
                                              > $ rpm -q --whatprovides /etc/pki/tls/certs/ca-bundle.crt
                                              > ca-certificates-2012.87-1.fc18.noarch
                                              >
                                              > Perhaps there's a similar package for Ubuntu.
                                              >

                                              My guess would be that one of these is missing ...

                                              plaws@toto:plaws $ dpkg -l |grep -i cert
                                              ii ca-certificates 20111211
                                              Common CA certificates
                                              ii ca-certificates-java 20110912ubuntu6
                                              Common CA certificates (JKS keystore)
                                              ii ssl-cert 1.0.28ubuntu0.1
                                              simple debconf wrapper for OpenSSL

                                              plaws@toto:plaws $ /usr/bin/lsb_release -a
                                              No LSB modules are available.
                                              Distributor ID: Ubuntu
                                              Description: Ubuntu 12.04.3 LTS
                                              Release: 12.04
                                              Codename: precise


                                              --
                                              Peter Laws | N5UWY | plaws plaws net | Travel by Train!
                                            • David Birnbaum
                                              Message 23 of 28 , Oct 11, 2013
                                                Okay I'm confused now.  There seem to be at least two separate e-mail strands wound together here and at least two Daves as well.

                                                Should I try and de-install curl 7.32 and install an earlier version?  Which one?  The website lets me go waaaay back. How about 7.16 for example?

                                                Please remember in all this that tqsl 1.12 is working just fine for me on the same computer with the same certificate and same log file.  

                                                k2lyv

                                                P.S. I've been a Linux user since v 0.93 on a 386 16MHz processor.  I'm not a newbie here.
                                              • Rick Murphy
                                                Message 24 of 28 , Oct 11, 2013
                                                  On Fri, Oct 11, 2013 at 1:06 PM, David Birnbaum <dbirnbau@...> wrote:
                                                   

                                                  Okay I'm confused now.  There seem to be at least two separate e-mail strands wound together here and at least two Daves as well.

                                                  That's OK, we're all confused as well. :)
                                                   
                                                  Should I try and de-install curl 7.32 and install an earlier version?  Which one?  The website lets me go waaaay back. How about 7.16 for example?

                                                  Well, it would be nice to understand why this is happening first. I don't know if just backing up to an older version is appropriate or not.
                                                  Are you building curl from source, or are you using a copy from the Ubuntu repositories? Building from source means there's a bunch of potential configuration options for the SSL support. OpenSSL, NSS, etc. and how it works (and what errors you see) may depend on how curl is supporting the secure connection.
                                                   
                                                  Please remember in all this that tqsl 1.12 is working just fine for me on the same computer with the same certificate and same log file.  

                                                  Then you should use whatever version of libcURL that you linked 1.14 with since that's apparently working. I'm assuming you mean 1.14 above - 1.12 would of course work since it doesn't have any upload capabilities.

                                                  73,
                                                      -Rick
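
The two causes Rick names earlier in the thread (no package providing the root certificate bundle, or libcURL not configured to use the bundle that exists), together with his point here about curl built from source, can be checked directly. The script below is an added example, not part of the thread and not TQSL or curl project code; the Debian/Ubuntu bundle path is an assumption not stated in the thread, and `curl-config` is only available when curl's development files are installed.

```shell
#!/bin/sh
# Added example: is there a usable root CA bundle, and is it the one libcurl uses?

# Candidate bundle paths. The Fedora path comes from the thread; the
# Debian/Ubuntu path is an assumption (it is not given in the thread).
CA_CANDIDATES="/etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt"

# count_certs FILE -> number of PEM certificates in FILE (0 if unreadable)
count_certs() {
    [ -r "$1" ] || { echo 0; return; }
    # grep -c prints 0 but exits non-zero when nothing matches
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# bundle_status FILE -> "missing", "empty" (no readable certificates) or "ok:N"
bundle_status() {
    if [ ! -e "$1" ]; then echo missing; return; fi
    n=$(count_certs "$1")
    if [ "$n" -eq 0 ]; then echo empty; else echo "ok:$n"; fi
}

# curl_builtin_ca -> CA bundle path compiled into libcurl, or nothing if unknown
curl_builtin_ca() {
    command -v curl-config >/dev/null 2>&1 && curl-config --ca 2>/dev/null || true
}

# diagnose [CA_PATH] -> report each candidate, then the path libcurl uses.
# CA_PATH defaults to libcurl's compiled-in path.
# Returns 0 if that path holds certificates, 1 if it does not, 2 if unknown.
diagnose() {
    ca_path=${1:-$(curl_builtin_ca)}
    for f in $CA_CANDIDATES; do
        echo "candidate $f: $(bundle_status "$f")"
    done
    if [ -z "$ca_path" ]; then
        echo "verdict: libcurl's built-in CA path is unknown (no curl-config)"
        return 2
    fi
    st=$(bundle_status "$ca_path")
    echo "libcurl CA path $ca_path: $st"
    case $st in
        ok:*) echo "verdict: bundle present; check the chain and the SSL backend"
              return 0 ;;
        *)    echo "verdict: CA bundle at $ca_path is $st"
              return 1 ;;
    esac
}

diagnose || true
```

A verdict of "missing" or "empty" while one of the candidates reports `ok:N` means the bundle is installed but libcurl was built to look somewhere else, which is the second cause Rick describes.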
