2011/10/9 Lucas Clemente Vella <lve...@gmail.com>:
> First of all, I am not a direct user of the OpenSSL library, but I am
> using it via Python 2.7 built-in module ssl, which in turn uses
> OpenSSL. Since my problem is SSL specific, I thought people here would
> be more apt to help me.

Now I have written the C code using OpenSSL directly, and I get the same problem:

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>

int main(void)
{
  long ret;
  BIO * bio;
  SSL_CTX * ctx;
  SSL * ssl;
  X509 * cert;
  char subject[256];

  SSL_library_init();
  SSL_load_error_strings();
  ERR_load_BIO_strings();

  ctx = SSL_CTX_new(TLSv1_client_method());
  if (!SSL_CTX_load_verify_locations(ctx, "DigiCertHighAssuranceEVRootCA.crt", NULL)) {
    ERR_print_errors_fp(stderr);   /* the CA file could not be read */
    return 1;
  }

  bio = BIO_new_ssl_connect(ctx);
  BIO_get_ssl(bio, &ssl);
  SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);

  BIO_set_conn_hostname(bio, "graph.facebook.com:443");
  if (BIO_do_connect(bio) <= 0) {
    ERR_print_errors_fp(stderr);   /* TCP connect or TLS handshake failed */
    return 1;
  }

  cert = SSL_get_peer_certificate(ssl);
  if (cert == NULL) {
    fprintf(stderr, "no peer certificate presented\n");
    return 1;
  }
  ret = SSL_get_verify_result(ssl);

  /* same "/C=US/ST=..." form as cert->name, but through the public API */
  X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof subject);
  printf("Cert: %s\nRet %ld\n", subject, ret);

  X509_free(cert);
  BIO_free_all(bio);
  SSL_CTX_free(ctx);
  return 0;
}

By running it, I get:
$ ssl_test
Cert: /C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=*.facebook.com
Ret 20

where Ret 20 means, according to 'man verify',
20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

where I would expect:
0 X509_V_OK

Then I found this directory on my system, "/etc/ssl/certs", containing
my installed CA roots, which I provided to OpenSSL instead of the
certificate file:
SSL_CTX_load_verify_locations(ctx, NULL, "/etc/ssl/certs");

Running it again, I get "Ret 0", meaning X509_V_OK and the host was verified.

It seems to me that there is one certificate installed in
/etc/ssl/certs, different from the one I was providing, that is
being used to verify the host. If so, how can I find out which
certificate is being used? And why do Firefox and Chrome both use the
certificate I provided earlier, while OpenSSL is unable to use it for
the same host?

-- 
Lucas Clemente Vella
lve...@gmail.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
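The following is an added illustration, not code from the original post or from OpenSSL. It models the issuer lookup OpenSSL performs while building a chain, which is what decides between "Ret 20" and "Ret 0" above: at each step the verifier needs a certificate whose subject names the current issuer, either among the certificates the server sent or in the trust store, and result 20 means it reached the top of what the server sent and the next issuer was not in the store. The "certificates" are plain (subject, issuer) records with constructed names (no keys, no signatures), and the scenario of a cross-signed root is an assumption chosen to show how a single-file store and a directory of roots can end at different anchors; it is not a claim about the real facebook.com chain.

```python
"""Model of OpenSSL's issuer lookup during chain verification.
Constructed for illustration: records carry no keys or signatures."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Result codes as listed by 'man verify'.
X509_V_OK = 0
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
VERIFY_NAMES = {
    0: "X509_V_OK",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def name_hash(dn: str) -> str:
    """Stand-in for X509_NAME_hash(). A capath directory is searched by opening
    <hash-of-subject>.0, <hash>.1, ... so a CA file placed there is only found
    if the directory was rehashed (c_rehash / 'openssl rehash')."""
    return hashlib.sha1(dn.encode()).hexdigest()[:8]


def build_store(anchors: List[Cert]) -> Dict[str, List[Cert]]:
    """Index trust anchors by subject-name hash, like a rehashed capath."""
    store: Dict[str, List[Cert]] = {}
    for anchor in anchors:
        store.setdefault(name_hash(anchor.subject), []).append(anchor)
    return store


def find_issuer(cert: Cert, pool: List[Cert], skip_self: bool = False) -> Optional[Cert]:
    """First certificate in pool whose subject names cert's issuer."""
    for cand in pool:
        if skip_self and cand is cert:
            continue
        if cand.subject == cert.issuer:
            return cand
    return None


def verify_chain(peer_chain: List[Cert], store: Dict[str, List[Cert]],
                 trusted_first: bool = False) -> Tuple[int, Optional[str], List[str]]:
    """Walk from the leaf toward a trust anchor.

    trusted_first=False mirrors the OpenSSL 1.0.x default: the chain is extended
    with the peer-sent certificates for as long as one names the current issuer,
    and the store is consulted only when that runs out. trusted_first=True
    mirrors X509_V_FLAG_TRUSTED_FIRST (1.0.2+, default from 1.1.0): an issuer
    found in the store wins at every step.
    Returns (verify result, anchor subject or None, subjects walked)."""
    cert = peer_chain[0]
    walked = [cert.subject]
    while True:
        trusted = find_issuer(cert, store.get(name_hash(cert.issuer), []))
        untrusted = find_issuer(cert, peer_chain, skip_self=True)
        if trusted is not None and (trusted_first or untrusted is None):
            return X509_V_OK, trusted.subject, walked
        if untrusted is None:
            # Top of what the peer sent, and its issuer is not in the store.
            code = (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN if cert.self_signed
                    else X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
            return code, None, walked
        cert = untrusted
        walked.append(cert.subject)


def verify_error_string(code: int) -> str:
    return VERIFY_NAMES.get(code, "unknown verify result %d" % code)


# Constructed scenario (assumption, not the real facebook.com chain): the server
# sends leaf, intermediate and a cross-signed copy of the new root issued by a
# legacy root. The single CA file holds only the new root; the system
# directory holds both roots.
LEAF = Cert("CN=*.example.com", "CN=Example EV CA-1")
INTERMEDIATE = Cert("CN=Example EV CA-1", "CN=Example Root CA")
CROSS_SIGNED_ROOT = Cert("CN=Example Root CA", "CN=Legacy Root CA")
ROOT_NEW = Cert("CN=Example Root CA", "CN=Example Root CA")
ROOT_LEGACY = Cert("CN=Legacy Root CA", "CN=Legacy Root CA")
PEER_CHAIN = [LEAF, INTERMEDIATE, CROSS_SIGNED_ROOT]
SINGLE_FILE_STORE = build_store([ROOT_NEW])
SYSTEM_DIR_STORE = build_store([ROOT_NEW, ROOT_LEGACY])

if __name__ == "__main__":
    for label, store, tf in (("single CA file", SINGLE_FILE_STORE, False),
                             ("/etc/ssl/certs-style dir", SYSTEM_DIR_STORE, False),
                             ("single CA file, trusted-first", SINGLE_FILE_STORE, True)):
        code, anchor, walked = verify_chain(PEER_CHAIN, store, tf)
        print("%-30s Ret %d %s anchor=%s via %s"
              % (label, code, verify_error_string(code), anchor, " -> ".join(walked)))
```

In the model, the single-file store ends at the cross-signed certificate with result 20, the directory store ends at the legacy root (the "different certificate" suspected above), and trusted-first mode reaches the new root straight from the intermediate. To see the chain a real server actually sends and which anchor OpenSSL reaches, `openssl s_client -connect graph.facebook.com:443 -showcerts -CApath /etc/ssl/certs` prints both. One caveat on the C program in the post: it leaves the context at the default SSL_VERIFY_NONE, so the handshake completes even when the result is 20 and only the later SSL_get_verify_result call reveals it; a client that must fail closed calls SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL) and treats a failed BIO_do_connect as fatal.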