Re: Strange problem with openssl

--On November 10, 2017 at 5:21:25 PM +0000 Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx> wrote:

> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf
> Of Paul Schmehl
> Sent: Friday, November 10, 2017 11:59
> To: openssl-users@xxxxxxxxxxx
> Subject: Re: Strange problem with openssl
>
> Do you have any thoughts on why I'm getting the errors when trying to
> connect to the rss2 feed or the commandline issue with python?
>
> All we have from the rss2 issue is a generic complaint about verifying
> the server's certificate chain, so it's really hard to say. The module
> you're using either doesn't provide good diagnostics, or it's putting
> them somewhere other than stderr.
>
> It's possible that the module is configuring OpenSSL to not allow
> wildcard certificates. It's possible that it doesn't have the Comodo root
> in its trust collection. I'm not offhand seeing any other problems with
> the certs, though I certainly didn't try to check every possibility. The
> openssl verify commands you ran will have tested a number of the possible
> reasons for rejection, but not all of them. (There are options to test
> other things, but that gets complicated, too; you don't know what checks
> your failing applications are making.)
>
> The Python issue looks like it's probably the same thing, whatever that
> thing may be. It's also complaining about certificate verification.
>
> If you can get either of those clients to provide more detailed
> diagnostics, we might be able to narrow it down. Or someone else on the
> list might have a better idea.
>
> Certificate validation with the public Internet X.509 PKI hierarchy is a
> nightmare, to be honest. (Ivan Ristic's /Bulletproof TLS/ book discusses
> many of the problems; the Cypherpunks presentation "X.509 PKI: The OSI of
> a New Generation" is another good source.) There are a zillion things
> that can go wrong, and it's often very difficult to figure out why some
> particular application is unhappy.


Thanks again for your detailed response, Michael. WRT the RSS issue, the vendor was able to view the feed over https without any errors, using the same software that I'm using (Joomla 3.8.2 and Simple RSS Feed Reader (by JoomlaWorks) 3.5). So, that seems to point to a problem unique to my server.

The python problem I may be able to enable debug on and see if any additional detail is helpful. I'll check into that.

> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus



"The man who never looks into a newspaper is better informed than he who
reads them, inasmuch as he who knows nothing is nearer the truth than he
whose mind is filled with falsehoods and errors."  -  Thomas Jefferson

Paul Schmehl (pschmehl@xxxxxxxxx)
Independent Researcher
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
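The three failure modes Michael lists above (a root certificate missing from the client's trust store, a wildcard name the client will not accept for the host it is connecting to, and `openssl verify` only testing what it is explicitly asked to test) can be reproduced offline with a throwaway CA. The script below is an added example, not part of the thread and not anything either poster ran; it assumes OpenSSL 1.1.0 or later on the PATH, and the "Demo Root CA" name, the `example.test` hostnames and the `verify_cert` helper are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce common certificate-verification
# failures with a throwaway CA. Assumes OpenSSL 1.1.0+ on PATH; the CA name, the
# example.test hostnames and the verify_cert helper are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A private root CA (stands in for the public root the failing client may lack).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. A leaf certificate for the wildcard name *.example.test, signed by that CA,
#    with the name carried in subjectAltName as real CAs issue it.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=*.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'subjectAltName=DNS:*.example.test\n' > san.cnf
openssl x509 -req -days 1 -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile san.cnf -out leaf.crt 2>/dev/null

# verify_cert CERT HOSTNAME [CAFILE]
# Prints OK when the chain builds to a trusted root AND the name matches;
# otherwise prints the first "error ..." line OpenSSL emits, so the reason
# for the rejection is visible instead of a generic "verification failed".
# Note that the hostname is only checked because -verify_hostname is passed:
# a plain "openssl verify -CAfile ca.crt leaf.crt" says OK for any hostname.
verify_cert() {
    cert=$1; host=$2; cafile=${3:-}
    if [ -n "$cafile" ]; then
        out=$(openssl verify -CAfile "$cafile" -verify_hostname "$host" "$cert" 2>&1 || true)
    else
        # No trust anchor supplied: only the default store is consulted.
        out=$(openssl verify -verify_hostname "$host" "$cert" 2>&1 || true)
    fi
    case $out in
        *": OK"*) echo OK ;;
        *) echo "$out" | grep '^error' | head -n 1 ;;
    esac
}

# Chain and name both good.
echo "trusted root, matching wildcard:   $(verify_cert leaf.crt www.example.test ca.crt)"
# Root absent from the trust store: "unable to get local issuer certificate".
echo "root missing from trust store:     $(verify_cert leaf.crt www.example.test)"
# A wildcard covers exactly one label: neither the bare domain nor a
# two-level subdomain matches *.example.test ("Hostname mismatch").
echo "wildcard vs. bare domain:          $(verify_cert leaf.crt example.test ca.crt)"
echo "wildcard vs. two-level subdomain:  $(verify_cert leaf.crt a.b.example.test ca.crt)"
```

The point for the thread: when a client only reports "certificate verify failed", running the server's chain through `openssl verify` with the same trust store and an explicit `-verify_hostname` for the name the client used narrows the cause to one of the lines above, and a leaf that passes with `-CAfile` but fails without it is the signature of a missing root in that client's trust collection.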


