You should be able to use the /usr/share/ui/support/Trusted_CAs.pem CA certificates file:
root@lab-srx340> show version
Hostname: lab-srx340
Model: srx340
Junos: 19.4R2.6
JUNOS Software Release [19.4R2.6]
root@lab-srx340> start shell sh
# curl --version
curl 7.59.0 (JUNOS) libcurl/7.59.0 OpenSSL/1.0.2u
Release-Date: 2018-03-14
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps
telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL UnixSockets HTTPS-proxy
#
# SSL_CERT_FILE=/usr/share/ui/support/Trusted_CAs.pem curl -s https://www.google.com/ | tail -1
#
Original Message:
Sent: 04-12-2021 16:58
From: Unknown User
Subject: curl: (1) Protocol "https" not supported or disabled in libcurl
Thanks for your reply. I have checked again, and it seems like they have added support for https in curl in the new version, Junos: 19.4R2-S3.1, but the problem is that it is still complaining or giving an error for the certificate or CAfile while accessing via https, and if I check the path for the CAfile (CAfile: /var/db/certs/common/curl/curl-ca-bundle.crt), then it is not showing /curl in the following path.
root@juniper19:~ # curl --version
curl 7.59.0 (JUNOS) libcurl/7.59.0 OpenSSL/1.0.2u
Release-Date: 2018-03-14
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL UnixSockets HTTPS-proxy
root@juniper19:~ # curl https://www.google.com/
curl: (77) error setting certificate verify locations:
CAfile: /var/db/certs/common/curl/curl-ca-bundle.crt
CApath: none
root@juniper19:~ # cd /var/db/certs/common ----> Missing curl
root@juniper19:/var/db/certs/common # ls
_ssl_init_profile_list certification-authority key-pair
_ssl_term_profile_list certification-authority-untrusted local
certificate-request crl ssl_cert_list
root@juniper19:/var/db/certs/common #
root@juniper19.4testcurl-vsrx-vSRX> show version
Hostname: juniper19.4testcurl-vsrx-vSRX
Model: vsrx
Junos: 19.4R2-S3.1
Please let me know if I need to upload the CA file to the respective path, or whether there is still some issue with curl support in the newer Junos version.
Original Message:
Sent: 05-04-2020 04:46
From: Unknown User
Subject: curl: (1) Protocol "https" not supported or disabled in libcurl
The curl utility (the one started from the so-called Unix shell) in Junos for SRX devices seems to be compiled without SSL/TLS support and is statically linked:
root@srx% ldd /usr/bin/curl
/usr/bin/curl:
libgcc.so.1 => /usr/lib/libgcc.so.1 (0x28559000)
libc.so.6 => /usr/lib/libc.so.6 (0x285a8000)
root@srx%
root@srx% curl -V
curl 7.43.0 (JUNOS) libcurl/7.43.0
Protocols: dict file ftp gopher http imap pop3 rtsp smtp telnet tftp
Features: IPv6 Largefile UnixSockets
root@srx%
Libcurl, mentioned in the libslax curl extension library documentation, is used by cscript (the program which runs the op/event/commit scripts written in SLAX):
root@srx% ldd /usr/libexec/ui/cscript | grep curl
libcurl-nossl.so.1 => /usr/lib/libcurl-nossl.so.1 (0x28c65000)
libext_curl.so.3 => /usr/lib/libext_curl.so.3 (0x28d80000)
root@srx%
As seen above, there are two curl libraries. As the name suggests and analysis with a hex editor confirms, the first one is compiled without SSL/TLS support and the second one is with SSL/TLS support. However, at least in Junos 18.2R3.4 on an SRX device, cscript seems to load curl-related functions from the libcurl-nossl.so.1 library. For example, one can confirm this by using the first example on the libslax curl extension library documentation page, adding sleep() before the curl call, and attaching to the cscript process with gdb. All the curl-related functions seem to be from the libcurl-nossl.so.1 address space:
(gdb) info functions ^Curl
All functions matching regular expression "^Curl":
Non-debugging symbols:
0x28c6a9f0 Curl_read16_le
0x28c6aa04 Curl_read32_le
0x28c6aa30 Curl_read64_le
0x28c6aae0 Curl_read16_be
0x28c6aaf4 Curl_read32_be
0x28c6ab20 Curl_read64_be
0x28c6abd8 Curl_write16_le
0x28c6abec Curl_write32_le
0x28c6ac0c Curl_write64_le
0x28c6f49c Curl_ftpsendf
0x28c6f5d8 Curl_GetFTPResponse
0x28c72740 Curl_ftp_parselist_data_alloc
0x28c7277c Curl_ftp_parselist_data_free
0x28c727c4 Curl_ftp_parselist_geterror
0x28c729c4 Curl_ftp_parselist
0x28c74f18 Curl_fnmatch
0x28c78590 Curl_proxyCONNECT
0x28c7942c Curl_proxy_connect
0x28c795b4 Curl_recvpipe_head
0x28c795ec Curl_sendpipe_head
0x28c79624 Curl_pipeline_checkget_write
0x28c79698 Curl_pipeline_checkget_read
0x28c7970c Curl_pipeline_leave_write
0x28c79714 Curl_pipeline_leave_read
0x28c7971c Curl_pipeline_set_server_blacklist
0x28c79820 Curl_pipeline_server_blacklisted
0x28c79918 Curl_pipeline_set_site_blacklist
0x28c79b38 Curl_pipeline_site_blacklisted
0x28c79c14 Curl_move_handle_from_send_to_recv_pipe
0x28c79cd8 Curl_add_handle_to_pipeline
0x28c79d8c Curl_pipeline_penalized
0x28c7b980 Curl_smtp_escape_eob
0x28c7bd80 Curl_gethostname
0x28c7be10 Curl_blockread_all
0x28c7bf58 Curl_SOCKS5
0x28c7c9cc Curl_SOCKS4
0x28c7f080 Curl_pp_getsock
0x28c7f0ac Curl_pp_disconnect
/* output removed for brevity */
0x28ca9d78 Curl_disconnect
0x28ca9ea0 Curl_done
0x28cac134 Curl_connect
0x28cac264 Curl_setopt
0x28cae654 Curl_close
0x28cae8ac Curl_dupset
0x28caeab0 Curl_wait_ms
0x28caec10 Curl_poll
0x28caee50 Curl_socket_check
0x28caf150 Curl_set_dns_servers
0x28caf158 Curl_set_dns_interface
0x28caf160 Curl_set_dns_local_ip4
0x28caf168 Curl_set_dns_local_ip6
0x28caf170 Curl_raw_toupper
0x28caf28c Curl_raw_equal
0x28caf360 Curl_raw_nequal
0x28caf46c Curl_strntoupper
0x28caf648 Curl_tvlong
(gdb) info sharedlibrary
From To Syms Read Shared Object Library
0x2852c550 0x28567880 Yes /usr/lib//libxslt.so.3
0x285cac40 0x286dbb50 Yes /usr/lib//libxml2.so.3
0x28749b90 0x28775ce0 Yes /usr/lib//libslax.so.3
0x287d2860 0x287fca10 Yes /usr/lib//libncurses.so.6
0x28850c30 0x28869750 Yes /usr/lib//libedit.so.7
0x288b2350 0x288bd860 Yes /usr/lib//libz.so.3
0x28904420 0x289178d0 Yes /usr/lib//libmd.so.3
0x2895c1e0 0x28985e40 Yes /usr/lib//libm.so.4
0x289dfdf0 0x28a96530 Yes /usr/lib//libddl-access.so.1
0x28af8750 0x28b00360 Yes /usr/lib//libjunoscript.so.1
0x28b48f70 0x28b511f0 Yes /usr/lib//libmemory.so.1
0x28b94d10 0x28b971b0 Yes /usr/lib//libjunos-string.so.1
0x28bdaa80 0x28bdc190 Yes /usr/lib//libjunos-patricia.so.1
0x28c1f330 0x28c21b40 Yes /usr/lib//libjunos-time.so.1
0x28c6a8b0 0x28caf770 Yes /usr/lib//libcurl-nossl.so.1
0x28cfa7a0 0x28cfadf0 Yes /usr/lib//libjunos-util.so.1
0x28d3cbb0 0x28d3e240 Yes /usr/lib//libext_bit.so.3
0x28d81150 0x28d86260 Yes /usr/lib//libext_curl.so.3
0x28dc8680 0x28dc88a0 Yes /usr/lib//libext_exslt.so.3
0x28e0b0f0 0x28e0c8b0 Yes /usr/lib//libext_os.so.3
0x28e4ed10 0x28e50430 Yes /usr/lib//libext_xutil.so.3
0x28e92880 0x28e93820 Yes /usr/lib//libpvidb.so.1
0x28ed73c0 0x28edf6e0 Yes /usr/lib//libutil.so.5
0x28f246d0 0x28f2f220 Yes /usr/lib//libgcc.so.1
0x28f90260 0x29067770 Yes /usr/lib//libc.so.6
0x29128d90 0x2912a860 Yes /usr/lib//nss_sdk.so.1
0x2916cff0 0x2916eab0 Yes /usr/lib//libprovider.so.1
0x284a84c0 0x284d6170 Yes /usr/libexec/ld-elf.so.1
(gdb)
Also, variables like Curl_handler_https are missing. In short, HTTPS does not seem to be supported even in SLAX scripts on SRX devices.
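
A preflight check for the two failure modes seen in this thread (a curl build without HTTPS, and error 77 from a missing CA bundle), written as an added example that is not part of any post. The function names are hypothetical, and the candidate CA paths are the two named in the thread; certificate verification stays enabled throughout.

```shell
#!/bin/sh
# Added example, not from the thread. The two version texts are copied from
# the `curl -V` / `curl --version` outputs quoted in the posts.
OLD_BUILD='curl 7.43.0 (JUNOS) libcurl/7.43.0
Protocols: dict file ftp gopher http imap pop3 rtsp smtp telnet tftp
Features: IPv6 Largefile UnixSockets'
NEW_BUILD='curl 7.59.0 (JUNOS) libcurl/7.59.0 OpenSSL/1.0.2u
Release-Date: 2018-03-14
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps
telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL UnixSockets HTTPS-proxy'

# curl_has_https TEXT: succeeds when "https" is listed under Protocols,
# including on a wrapped continuation line.
curl_has_https() {
    printf '%s\n' "$1" | awk '
        /^Protocols:/ { inproto = 1; sub(/^Protocols:/, "") }
        /^Features:/  { inproto = 0 }
        inproto { for (i = 1; i <= NF; i++) if ($i == "https") found = 1 }
        END { exit(found ? 0 : 1) }'
}

# pick_ca_bundle FILE...: prints the first readable file that holds at least
# one PEM certificate; fails when none of the candidates qualifies.
pick_ca_bundle() {
    for f in "$@"; do
        if [ -f "$f" ] && [ -r "$f" ] &&
           grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# preflight TEXT FILE...: prints the SSL_CERT_FILE setting to use, or the
# reason HTTPS cannot be verified (status 1: no TLS in curl, 2: no CA file).
preflight() {
    text=$1; shift
    curl_has_https "$text" || { echo "no-https-support"; return 1; }
    ca=$(pick_ca_bundle "$@") || { echo "no-ca-bundle"; return 2; }
    echo "SSL_CERT_FILE=$ca"
}

# On a device: check the local curl against the two paths named in the thread.
preflight "$(curl -V 2>/dev/null)" \
    /var/db/certs/common/curl/curl-ca-bundle.crt \
    /usr/share/ui/support/Trusted_CAs.pem || true
```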