How to do a CURL request on a Peer to Peer SSL
Hazel T Chikara
Thunderbird School of Global Management | Fintech | Data Science & AI Strategy | APIs | Project Management
First of all, I have to admit I am still a noob at these things, but I hope that someday someone will find help from the obstacles I face in the world of software engineering.
I will not dwell much on the background of the story, but it landed me in a "sticky" situation while trying to integrate with a client's API which required a TPP (check out more about it here) in the connection. This is a secure approach, especially in fintech, where the transferred information is highly sensitive. The API used 2-way SSL (you can also check that out here), so to connect to it you need to send the client hello from the whitelisted IP with your SSL certificate; the client validates the connection and returns a response.
I spent a long time getting the response shown below:
* About to connect() to name_of_client_url & port (#0)
*   Trying client IP...
* Connected to IP and port (#0)
* Initializing NSS with certpath: sql:/path/to/ssl/
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* NSS error -12227 (SSL_ERROR_HANDSHAKE_FAILURE_ALERT)
* SSL peer was unable to negotiate an acceptable set of security parameters.
* Closing connection 0
curl: (35) NSS: client certificate not found (nickname not specified))
I had implemented the "-k" and "--insecure" flags to override the SSL validation, as I had seen in a lot of Stack Overflow answers.
After a lot of tries, I then stumbled on a solution that I think is worth hearing for engineers like me. In fintech, security is key when communicating with another API because of the nature of the transactions. As much as overriding the SSL requirement may seem like a quick fix, it is not recommended. Instead, if manual whitelisting of your server has been done, the client will send you their client SSL material, depending on the SSL type they are using; in my case the client sent through the KEY, CERT & PEM files.
I then constructed the curl request as follows. This example is for a GET request, so there are only headers and no request body.
The following lines are the parts of the curl request:
[root@whitelisted_server_name hchikara]# curl -v
The -v means --verbose: it makes the operation more talkative, which is what shows you the SSL handshake messages above.
--cert '/path/to/ssl_certificate.pem' --key '/path/to/ssl_certificate.key' --cert-type PEM
--cert and --key point curl at the client certificate and private key the client gave you, and --cert-type PEM tells curl how they are encoded. This is what fixes the "client certificate not found" error. (Do not put -H in front of --cert: -H expects a header string, so it would swallow "--cert" as the header value and the certificate path would be treated as a URL.)
The next part is a custom header (-H) and is self-explanatory; use single quotes around the actual header content. This example was for a RESTful service that returns data in JSON format:
-H 'Content-type: application/json'
This example uses a bearer token for authentication; other APIs use keys, or a username and password, to obtain a token. The Authorization header tells the API that you are the true holder of the request, lol... direct translation; you can read more on it here:
-H 'Authorization: Bearer the_actual_bearer_token_value'
This is followed by the URL / location you are trying to send the curl request to:
'https://actual_url_endpoint_to_connect_to'
and voila, this should come back with actual results. Please find below the whole request:
curl -v --cert '/path/to/ssl_certificate.pem' --key '/path/to/ssl_certificate.key' --cert-type PEM -H 'Content-type: application/json' -H 'Authorization: Bearer the_actual_bearer_token_value' 'https://actual_url_endpoint_to_connect_to'
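As an added example (not the command from this article), here is the same request wrapped in a small shell script that checks the PEM files before touching the network and uses --cacert instead of -k, so the server is still verified against the CA bundle the client supplied. All file paths, the URL and the token are placeholders; the CURL variable only exists so the argument list can be inspected without a network.

```shell
#!/bin/sh
# Added example: mutual-TLS GET with curl. Paths, URL and token are placeholders.
CURL=${CURL:-curl}   # hypothetical override: point at a fake command to inspect arguments

# Most "client certificate not found" / handshake failures are really a wrong
# path, an unreadable file, or a key or cert that is not PEM-encoded.
check_client_pem() {
  cert=$1; key=$2
  [ -r "$cert" ] || { echo "cert not readable: $cert" >&2; return 1; }
  [ -r "$key" ]  || { echo "key not readable: $key" >&2; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
  grep -q 'PRIVATE KEY' "$key"        || { echo "not a PEM private key: $key" >&2; return 1; }
  return 0
}

# mtls_get URL CERT KEY CA_BUNDLE BEARER_TOKEN
# --cacert replaces -k/--insecure: the server certificate is still verified,
# against the CA the client handed over rather than the system trust store.
mtls_get() {
  url=$1; cert=$2; key=$3; ca=$4; token=$5
  check_client_pem "$cert" "$key" || return 1
  [ -r "$ca" ] || { echo "CA bundle not readable: $ca" >&2; return 1; }
  "$CURL" --silent --show-error --fail \
    --cacert "$ca" \
    --cert "$cert" --key "$key" --cert-type PEM \
    -H 'Accept: application/json' \
    -H "Authorization: Bearer $token" \
    "$url"
}

# Usage (placeholders):
# mtls_get 'https://actual_url_endpoint_to_connect_to' \
#   /path/to/ssl_certificate.pem /path/to/ssl_certificate.key /path/to/client_ca.pem "$TOKEN"
```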
For more on what CURL can do, hit it up by typing "curl --help".
Hope it helps somebody facing the same challenge. Happy debugging.