Invoking an HTTPS-protected web service with curl using the flag --insecure is a contradiction; --cacert is the right flag.

To show you how to do it right, I have chosen a simple web search to Google via HTTPS as an example. Of course, this is not exactly a web service call, but I think for the sake of simplicity, it would be OK.

Let's search for the term curl on Google over HTTPS with curl, both ways.

The non-secure wrong way

$ curl --include --silent --insecure --header "Referer: https://www.google.com/" --header "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" -X GET "https://www.google.com/search?q=curl" > google-insecure.txt

$ head -16 google-insecure.txt
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 04 May 2017 19:27:17 GMT
Expires: -1
Cache-Control: private, max-age=0
Strict-Transport-Security: max-age=86400
P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=102=le8v4FV4N1XPuLv1imH91Kdroil6K8RSsW9e0z4Jkt_GtowHYiC9mkRsHMmtqcpWnPKPGUjPw-qtm8wTfTsE78GMH93q5BiYj9Ix0fbvLqtUpUj0V1bRUOnmNbdcmM_5; expires=Fri, 03-Nov-2017 19:27:17 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: quic=":443"; ma=2592000; v="37,36,35"
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked

The secure right way

1. Download Google certificates encoded as DER files from a browser like Firefox.

GeoTrustGlobalCA.der
GoogleInternetAuthorityG2.der
-googlecom.der

2. Convert each .der file into a .pem file

$ openssl x509 -inform DER -in GeoTrustGlobalCA.der -out GeoTrustGlobalCA.der.pem -text
$ openssl x509 -inform DER -in GoogleInternetAuthorityG2.der -out GoogleInternetAuthorityG2.der.pem -text
$ openssl x509 -inform DER -in -googlecom.der -out googlecom.der.pem -text

Be careful with the hyphen in -googlecom.der. It is better to remove it, unless you want to deal with character escaping in the next step.

3. Join all the .pem files into a single one with cat

$ cat *.pem > googleHTTPSCert

4. Search the term curl in HTTPS Google via curl

$ curl --include --silent --cacert googleHTTPSCert --header "Referer: https://www.google.com/" --header "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" -X GET "https://www.google.com/search?q=curl" > google-secure.txt

$ head -16 google-secure.txt
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 04 May 2017 19:36:48 GMT
Expires: -1
Cache-Control: private, max-age=0
Strict-Transport-Security: max-age=86400
P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=102=ZM2iq0mihSNgeJGwKxMUAoLCo_Nd291TR-o5VOHEQr_KWlp9hOvivOvZ11IMs3_a9oEcDk1HgjcNXsL040gyBUdo28mgxDc5ccJ3hKc7BTXB131v4mNoIMV3_OjOzl0w; expires=Fri, 03-Nov-2017 19:36:48 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: quic=":443"; ma=2592000; v="37,36,35"
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
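
Steps 1 to 3 as an added offline example (not the author's commands): it converts DER files to PEM, including one whose name starts with a hyphen, joins them into a bundle, and checks a certificate against that bundle with openssl verify. The certificates are constructed throwaway ones, and the function names build_bundle, chain_ok, make_fixture and demo are hypothetical.

```shell
#!/bin/sh
# Added example, not the post's own commands; function names are hypothetical.

# build_bundle DIR OUT: convert every DIR/*.der to PEM and join them in OUT.
build_bundle() {
    : > "$2"
    for der in "$1"/*.der; do
        [ -e "$der" ] || return 1   # the glob matched nothing
        # The "$1"/ prefix stops a name such as -root.der from being read
        # as an option, so no renaming or escaping is needed.
        openssl x509 -inform DER -in "$der" -outform PEM >> "$2" || return 1
    done
}

# chain_ok BUNDLE CERT: validate CERT against the CAs in BUNDLE; this is
# the kind of check that --insecure switches off.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# make_fixture DIR: constructed throwaway certificates, exported as DER.
# trusted/ holds the leaf's real issuer, other/ an unrelated root.
make_fixture() {
    d=$1; mkdir -p "$d/trusted" "$d/other" || return 1
    for n in issuer unrelated; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Constructed $n root" \
            -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/issuer.pem" \
        -CAkey "$d/issuer.key" -CAcreateserial -days 2 \
        -out "$d/leaf.pem" 2>/dev/null || return 1
    openssl x509 -in "$d/issuer.pem" -outform DER -out "$d/trusted/-root.der" &&
    openssl x509 -in "$d/unrelated.pem" -outform DER -out "$d/other/root.der"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_fixture "$tmp" && build_bundle "$tmp/trusted" "$tmp/good.pem" &&
        build_bundle "$tmp/other" "$tmp/wrong.pem" || { rm -rf "$tmp"; return 1; }
    chain_ok "$tmp/good.pem" "$tmp/leaf.pem" && good=pass || good=fail
    chain_ok "$tmp/wrong.pem" "$tmp/leaf.pem" && wrong=pass || wrong=fail
    rm -rf "$tmp"
    echo "correct bundle: $good, unrelated bundle: $wrong"
}

demo
```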

Both ways are acceptable and worked fine. However, as I said before, the insecure way is ironic.