On Tue, Feb 14, 2012, Timothy Kay wrote:

> We have been baffled for a long time that curl cannot access websites that
> work just fine in the browser (unless we use --insecure, of course). The
> curl documentation points you to http://curl.haxx.se/docs/sslcerts.html,
> which explains that your server has out of date certificates. It's not
> true! The problem is that the troublesome websites send the certificate
> chain that is out of order, and openssl fails to validate these chains,
> even though /etc/ssl/certs contains appropriate root certificates.
> 
> $ curl -v https://catalog.cincinnatilibrary.org
[analysis snipped]

I've checked through your example. There is another piece to the puzzle here
though. The issuer and subject names are not the only parts of the certificate
used for chaining; additionally, the subject key identifier (SKID) and authority
key identifier (AKID) extensions are used too.

If we take a look at the CA certificate immediately below the root then we see
this information (see -text option to x509):

X509v3 Authority Key Identifier: 
DirName:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
serial:70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF

This is indicating the issuer name and serial number of the CA certificate
that signed it. If we have a look at the certificate in the /etc/ssl/certs
with the appropriate hash (415660c1.0) we see:

Serial Number:
        3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be

Which doesn't match the value above.

Now it has been commented (with some justification) that OpenSSL is unduly
picky about matching SKID/AKID but MSIE is known to be equally strict so what
is going on here?

I looked through the root CA store of MSIE and found *two* certificates with
that same issuer name. One is identical to the one in /etc/ssl/certs but there
is a second which matches that serial number. Here it is:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

If you use this certificate with curl and the --cacert option or you add it to
the bundle in /etc/ssl/certs (and rehash) it should now work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
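To make the matching rule in the reply concrete, here is a small model of how a path builder picks a certificate's issuer. This is an added example, not code from the post or from OpenSSL: certificates are reduced to the few fields the reply discusses, the VeriSign root name and the two serial numbers are taken from the post, and the intermediate, the leaf's fields, key identifiers and the helper names (`Cert`, `is_issuer_of`, `build_chain`) are constructed for illustration. The AKID checks are modelled on what OpenSSL's `X509_check_akid()` does (keyIdentifier against the candidate's SKID, authorityCertIssuer/serial against the candidate's issuer name and serial).

```python
"""Modelled X.509 issuer matching: a name match alone is not enough.

Added example, not code from the mailing-list post or from OpenSSL. The
VeriSign names and both serial numbers come from the post; everything
else (intermediate, leaf fields, key identifiers) is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VERISIGN_ROOT_NAME = "/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority"


@dataclass
class Cert:
    label: str
    subject: str
    issuer: str
    serial: str                        # hex bytes, colon separated
    skid: Optional[str] = None         # Subject Key Identifier
    akid_keyid: Optional[str] = None   # AKID keyIdentifier
    akid_issuer: Optional[str] = None  # AKID authorityCertIssuer (DirName)
    akid_serial: Optional[str] = None  # AKID authorityCertSerialNumber


def _hex(s: str) -> str:
    return s.replace(":", "").lower()


def is_issuer_of(candidate: Cert, cert: Cert) -> Tuple[bool, str]:
    """Can `candidate` be the CA that signed `cert`?  Name match is required;
    if `cert` carries an AKID, every AKID field present must match as well
    (keyid vs SKID, authorityCertIssuer/serial vs the candidate's own
    issuer name and serial), which is what X509_check_akid() enforces."""
    if candidate.subject != cert.issuer:
        return False, "issuer name does not match candidate subject"
    if cert.akid_keyid is not None and (
        candidate.skid is None or _hex(candidate.skid) != _hex(cert.akid_keyid)
    ):
        return False, "AKID keyIdentifier does not match candidate SKID"
    if cert.akid_serial is not None and _hex(candidate.serial) != _hex(cert.akid_serial):
        return False, (f"AKID serial {cert.akid_serial} does not match "
                       f"candidate serial {candidate.serial}")
    if cert.akid_issuer is not None and candidate.issuer != cert.akid_issuer:
        return False, "AKID authorityCertIssuer does not match candidate issuer"
    return True, "name and AKID match"


def build_chain(leaf: Cert, sent: List[Cert], store: List[Cert]) -> Tuple[List[Cert], Optional[str]]:
    """Walk from the leaf towards a trust anchor.  Issuers are searched in the
    certificates the server sent (in whatever order they arrived) and then in
    the trust store.  Returns (chain built so far, error or None)."""
    chain, seen = [leaf], {leaf.label}
    while True:
        current = chain[-1]
        if current in store:
            return chain, None                      # reached a trust anchor
        if current.subject == current.issuer:
            return chain, f"self-signed '{current.label}' is not in the trust store"
        issuer, reasons = None, []
        for pool in (sent, store):
            for c in pool:
                if c.label in seen:
                    continue
                ok, why = is_issuer_of(c, current)
                if ok:
                    issuer = c
                    break
                if c.subject == current.issuer:     # name matched, AKID did not
                    reasons.append(f"{c.label}: {why}")
            if issuer is not None:
                break
        if issuer is None:
            detail = "; ".join(reasons) or "no certificate with matching subject"
            return chain, f"no issuer for '{current.label}': {detail}"
        chain.append(issuer)
        seen.add(issuer.label)


# Two roots with the same name, differing only in serial (both serials from the post).
ROOT_IN_ETC_SSL = Cert("VeriSign root in /etc/ssl/certs (415660c1.0)",
                       VERISIGN_ROOT_NAME, VERISIGN_ROOT_NAME,
                       serial="3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be")
ROOT_FROM_MSIE = Cert("VeriSign root from the MSIE store",
                      VERISIGN_ROOT_NAME, VERISIGN_ROOT_NAME,
                      serial="70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf")
INTERMEDIATE = Cert("intermediate CA (constructed)",                 # constructed
                    "/C=US/O=VeriSign, Inc./CN=Example Intermediate CA (constructed)",
                    VERISIGN_ROOT_NAME, serial="01:23:45:67:89:ab:cd:ef",
                    skid="de:ad:be:ef:00:01", akid_issuer=VERISIGN_ROOT_NAME,
                    akid_serial="70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF")
LEAF = Cert("catalog.cincinnatilibrary.org (constructed fields)",    # constructed
            "/CN=catalog.cincinnatilibrary.org", INTERMEDIATE.subject,
            serial="fe:dc:ba:98", akid_keyid="DE:AD:BE:EF:00:01")
SERVER_SENT = [INTERMEDIATE, LEAF]   # deliberately out of order, as in the post


if __name__ == "__main__":
    for store in ([ROOT_IN_ETC_SSL], [ROOT_IN_ETC_SSL, ROOT_FROM_MSIE]):
        chain, err = build_chain(LEAF, SERVER_SENT, store)
        print([c.label for c in chain], "->", err)
```

With only the /etc/ssl/certs root in the store the walk stops at the intermediate and the error names the serial mismatch; adding the second root with the matching serial completes the chain, which is exactly the effect of the --cacert / rehash fix in the reply. The out-of-order server chain is handled without special treatment because the builder looks up issuers rather than trusting the order sent.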
