Strange problem with openssl

I'm running FreeBSD 10.3-RELEASE with:

# openssl version
OpenSSL 1.0.1s-freebsd  1 Mar 2016

This is the FreeBSD base version of openssl, not the ports version. I have ssh access to the server and can sudo to root.

Please note: In the error messages below, I have removed some of the pathing so as not to reveal the exact locations on the server.

I have two problems. When I use https with an RSS reader module in Joomla, I get this error:

Warning: fopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335
Warning: fopen(): Failed to enable crypto in /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335
Warning: fopen(https://blog.vvfh.org/feed/rss2): failed to open stream: operation failed in /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335

I've worked around this problem by not forcing https on the blog. That way the module can read the rss feed without encryption. The blog works without SSL and with SSL, and I force SSL for logins.

I had someone test the feed from a different server, and it worked fine with SSL, so the problem appears to be isolated to this server.

The second problem occurs when I try to run some command-line Python scripts; I get this error:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='wiki.vvfh.org', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))
<class 'requests.exceptions.ConnectionError'>

Both of them appear to be related to how openssl handles ssl sessions.

When I run openssl s_client -connect wiki.vvfh.org:443, I get the following error:

Verify return code: 18 (self signed certificate)

This is very odd, because ssllabs.com scores the site as an A, and says the chain is intact, no missing parts. Yet, for some reason, ssl doesn't see it that way. Furthermore, it sees the certs as self-signed, which makes no sense at all. I'm using a wildcard cert (Comodo) for three sites: www, wiki and blog - all in the vvfh.org domain.

Even more confusing, if I verify the cert from the command line, openssl says it's OK:

openssl verify -untrusted comodo-rsa-domain-validation-sha-2-w-root.ca-bundle STAR_vvfh_org.crt
STAR_vvfh_org.crt: OK

If I verify the cert without the chain, I get an error:
openssl verify STAR_vvfh_org.crt
STAR_vvfh_org.crt: OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.vvfh.org
error 20 at 0 depth lookup:unable to get local issuer certificate

This is my Apache (2.4) config:

# Enable SSL
   SSLEngine On
   SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
   SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
   SSLHonorCipherOrder on
   SSLCertificateFile /webcerts/STAR_vvfh_org.crt
   SSLCertificateKeyFile /webcerts/STAR.vvfh.org.key
   SSLCACertificateFile /webcerts/COMODORSADomainValidationSecureServerCA.crt
   SSLCertificateChainFile /webcerts/comodo-rsa-domain-validation-sha-2-w-root.ca-bundle

I've been working around the problem, but I'd like to figure it out and get it fixed.

"The man who never looks into a newspaper is better informed than he who
reads them, inasmuch as he who knows nothing is nearer the truth than he
whose mind is filled with falsehoods and errors."  -  Thomas Jefferson

Paul Schmehl (pschmehl@xxxxxxxxx)
Independent Researcher
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
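Added example, not part of the message above and not the poster's certificates or configuration: a POSIX shell script that builds a throwaway root -> intermediate -> wildcard leaf PKI with the openssl CLI and shows how "openssl verify" reports each of the situations described in the post (OK with the chain supplied via -untrusted, error 20 with the intermediate missing, and error 18 for a certificate that is itself self-signed), so the numbers s_client prints as "Verify return code" can be compared against a known-good setup. All names (*.example.test, the file names, the work directory) are assumptions; the only dependency is the openssl binary.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway
# root -> intermediate -> wildcard leaf PKI with the openssl CLI and show how
# "openssl verify" reports each situation described in the post. All names
# (*.example.test, the file names, the work directory) are assumptions.
set -eu

# make_pki DIR: write root.pem, intermediate.pem, leaf.pem (CN=*.example.test,
# issued by the intermediate) and selfsigned.pem (same name, self-signed) to DIR.
make_pki() {
    dir=$1
    mkdir -p "$dir"
    # Root CA: self-signed; "req -x509" marks it CA:TRUE.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
    # Intermediate CA: must carry basicConstraints CA:TRUE and keyCertSign,
    # otherwise verify refuses to treat it as an issuer.
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/int.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example Test Intermediate CA" \
        -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/intermediate.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/int.ext" -out "$dir/intermediate.pem" >/dev/null 2>&1
    # Wildcard leaf, issued by the intermediate; the SAN is what hostname checks use.
    printf 'basicConstraints=CA:false\nsubjectAltName=DNS:*.example.test\n' \
        > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=*.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/leaf.csr" \
        -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
    # A self-signed certificate for the same name: what a client sees when a
    # server hands out a default or test certificate instead of the CA-issued one.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=*.example.test" \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.pem" >/dev/null 2>&1
}

# verify_code CERT [openssl verify options...]: run "openssl verify" and print
# the X509 verify error number it reports, or 0 when the certificate verifies.
# These are the same numbers s_client shows as "Verify return code".
verify_code() {
    cert=$1; shift
    out=$(openssl verify "$@" "$cert" 2>&1 || true)
    if printf '%s\n' "$out" | grep -q ': OK$'; then
        echo 0
        return
    fi
    # Failure lines look like "error 20 at 0 depth lookup: unable to get local issuer certificate".
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-unknown}"
}

# Stand-alone run: build the PKI in a temporary directory and print each case.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_pki "$WORK"
R=$WORK/root.pem; I=$WORK/intermediate.pem; L=$WORK/leaf.pem; S=$WORK/selfsigned.pem
echo "leaf, no chain given (the 'error 20' case in the post):   $(verify_code "$L")"
echo "leaf, root trusted but intermediate missing:              $(verify_code "$L" -CAfile "$R")"
echo "leaf, root trusted, intermediate via -untrusted (OK):     $(verify_code "$L" -CAfile "$R" -untrusted "$I")"
echo "self-signed cert at depth 0 (s_client's code 18):         $(verify_code "$S" -CAfile "$R")"
echo "wildcard matches www.example.test:                        $(verify_code "$L" -CAfile "$R" -untrusted "$I" -verify_hostname www.example.test)"
echo "wildcard does not cover the bare apex example.test:       $(verify_code "$L" -CAfile "$R" -untrusted "$I" -verify_hostname example.test)"
```

Reading the numbers: 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) means the certificate at depth 0, the one the server actually presented in that handshake, is itself self-signed. It is distinct from 20 (issuer of the depth-0 certificate not found, the missing-intermediate case) and from 19 (chain built, but the self-signed root at the top is not trusted). A CA-issued wildcard certificate is never self-signed, so a code 18 from s_client is a statement about which certificate was served in that connection, not about the chain file. One check worth running: in OpenSSL 1.0.x, s_client does not send the SNI extension unless -servername is given, so a server hosting several names answers with its default vhost's certificate; compare "openssl s_client -connect wiki.vvfh.org:443 -showcerts" with and without "-servername wiki.vvfh.org" and look at the subject and issuer at depth 0 in each. On the Apache side, SSLCACertificateFile is the trust store used to verify client certificates (SSLVerifyClient); the intermediates a server sends come from SSLCertificateChainFile, or from SSLCertificateFile itself in 2.4.8 and later. The -verify_hostname option used above needs OpenSSL 1.0.2 or later.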


