Re: Strange problem with openssl

--On November 10, 2017 at 4:33:41 PM +0000 Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx> wrote:

From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf
Of Paul Schmehl
Sent: Thursday, November 09, 2017 20:09
To: openssl-users@xxxxxxxxxxx
Subject: Strange problem with openssl

When I run openssl s_client -connect wiki.vvfh.org:443, I get the
following error:  Verify return code: 18 (self signed certificate)

This is very odd, because ssllabs.com scores the site as an A, and says
the chain is intact, no missing parts. Yet, for some reason, ssl doesn't
see it that way. Furthermore, it sees the certs as self-signed, which
makes no sense at all.

It sees *a* certificate as self-signed. And indeed there is one. You're
sending the entire chain, including the root. By definition, the root is
self-signed.

So s_client is saying: I'm verifying the chain from the server, and I got
to the point where I found a self-signed certificate (which is the same
as saying "I found a root certificate").

OpenSSL isn't contradicting ssllabs. s_client reports the whole chain is
there.


Thanks for clearing that up, Michael.

Even more confusing, if I verify the cert from the commandline, openssl
says it's OK.
openssl verify -untrusted comodo-rsa-domain-validation-sha-2-w-root.ca-bundle STAR_vvfh_org.crt
STAR_vvfh_org.crt: OK

s_client isn't saying the certificate isn't OK. It's saying it received a
root certificate from the server.

You didn't give s_client any trust anchors to verify the chain. So it's
going to walk the whole chain, and it's going to find the root, and it's
going to complain about that.

Programs don't normally send the root certificate, on the grounds that if
the peer doesn't already have it, they're not going to trust it anyway.
But it's not forbidden.

Try this:

1. Run "openssl s_client -connect wiki.vvfh.org:443 -showcerts". Copy the
last certificate in the output (which will be the root) and paste it into
tmp.pem.
2. Run "openssl s_client -connect wiki.vvfh.org:443 -verify 2
-CAfile tmp.pem". No complaint from s_client now.

You are correct. Thanks for clarifying this.

Do you have any thoughts on why I'm getting the errors when trying to connect to the rss2 feed or the commandline issue with python?

"The man who never looks into a newspaper is better informed than he who
reads them, inasmuch as he who knows nothing is nearer the truth than he
whose mind is filled with falsehoods and errors."  -  Thomas Jefferson

Paul Schmehl (pschmehl@xxxxxxxxx)
Independent Researcher
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
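The chain walk Michael describes can be reproduced offline, without a live s_client connection, using `openssl verify` on a throw-away root -> intermediate -> leaf chain. The script below is an added example and is not part of the thread or of OpenSSL's own tooling; it assumes the `openssl` CLI (1.1.0 or later, for `-no-CAfile`/`-no-CApath`) is on PATH, and every name in it (`wiki.example.test`, `Example Test Root`, the temp file names) is made up. It shows three outcomes: the server did not send the root and the client has no anchor (error 20, no issuer found), the server sent the root but the client still has no anchor, which is the situation in the thread (`openssl verify` numbers this error 19, "self signed certificate in certificate chain"), and the same sent chain with the root supplied as `-CAfile`, which verifies OK.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "self-signed certificate"
# verify outcome offline with a constructed root -> intermediate -> leaf chain.
# Assumes the openssl CLI (1.1.0+) is on PATH; all names below are made up.
set -eu

# Build a throw-away three-level chain in a temp dir and print its path.
make_chain() {
  dir=$(mktemp -d)
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = unused
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:wiki.example.test
EOF
  # Self-signed root: the only thing that can act as a trust anchor.
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/root.key" -out "$dir/root.pem" -days 2 \
    -subj "/CN=Example Test Root" >/dev/null 2>&1
  # Intermediate CA, signed by the root.
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/int.key" -out "$dir/int.csr" \
    -subj "/CN=Example Test Intermediate" >/dev/null 2>&1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -out "$dir/int.pem" -days 2 \
    -extfile "$dir/ca.cnf" -extensions ca_ext >/dev/null 2>&1
  # Leaf (server) certificate, signed by the intermediate.
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=wiki.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -out "$dir/leaf.pem" -days 2 \
    -extfile "$dir/ca.cnf" -extensions leaf_ext >/dev/null 2>&1
  # What a server that "sends the entire chain, including the root" hands out.
  cat "$dir/int.pem" "$dir/root.pem" > "$dir/sent-chain.pem"
  echo "$dir"
}

# Run openssl verify with the given arguments; print "OK" or the first
# "error <num> depth <depth>" it reports (parsed from its error line).
verify_result() {
  out=$(openssl verify "$@" 2>&1) && { echo OK; return 0; }
  echo "$out" | sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth lookup.*/error \1 depth \2/p' | head -n 1
}

# Run the three scenarios and print their results separated by " | ".
demo() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
  dir=$(make_chain)
  # 1. No trust anchor, and the root was not sent: the walk stops at the
  #    intermediate because its issuer cannot be found anywhere.
  r1=$(verify_result -no-CAfile -no-CApath -untrusted "$dir/int.pem" "$dir/leaf.pem")
  # 2. No trust anchor, but the root was sent along with the chain (the thread's
  #    case): the walk reaches a self-signed certificate that nothing trusts.
  r2=$(verify_result -no-CAfile -no-CApath -untrusted "$dir/sent-chain.pem" "$dir/leaf.pem")
  # 3. Same sent chain, but the root is now supplied as a trust anchor.
  r3=$(verify_result -CAfile "$dir/root.pem" -untrusted "$dir/sent-chain.pem" "$dir/leaf.pem")
  rm -rf "$dir"
  echo "$r1 | $r2 | $r3"
}
```

Running `demo` prints one line such as `error 20 depth 1 | error 19 depth 2 | OK`: case 2 is exactly "I walked the chain and found a root that I have no reason to trust", and case 3 is Michael's step 2 (pasting the served root into a file and passing it as `-CAfile`). Keeping the anchor decision in the client's own trust store, rather than accepting whatever self-signed certificate the peer happens to send, is the whole point of the distinction.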


