Re: Failing to verify the certificate of one specific site
On 10/22/2011 4:52 AM, Lucas Clemente Vella wrote:
> 2011/10/21 Jakob Bohm <jb-open...@wisemo.com>:
>> According to the Digicert CPS http://www.digicert.com/docs/cps/DigiCert_EV-CPS.pdf, that DigiCert root is cross-certified by the Entrust root. Some trusted certificate bundles include only the Entrust root CA and will need the Entrust-signed cross intermediary certificate to validate, other trusted certificate bundles include the Digicert self-signed root for this key directly.
>>
>> It is expected from the standards and the behavior of other X.509 libraries that upon seeing the keyid of a known root, the library should stop following the chain and ignore any extra certificate provided by the entity being verified.
>
> So, the behavior I get with OpenSSL when using the Digicert root is non-conformant with X.509? The peer's certificate should have been verified when I provided the Digicert root?

Just my unqualified opinion though.

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Failing to verify the certificate of one specific site
According to the Digicert CPS http://www.digicert.com/docs/cps/DigiCert_EV-CPS.pdf, that DigiCert root is cross-certified by the Entrust root. Some trusted certificate bundles include only the Entrust root CA and will need the Entrust-signed cross intermediary certificate to validate, other trusted certificate bundles include the Digicert self-signed root for this key directly.

It is expected from the standards and the behavior of other X.509 libraries that upon seeing the keyid of a known root, the library should stop following the chain and ignore any extra certificate provided by the entity being verified.

On 10/21/2011 3:10 AM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Lucas Clemente Vella
>> Sent: Wednesday, 19 October, 2011 22:44
>
> <snip: connect to graph.facebook.com:443 using cafile=DigiCertHighAssuranceEVRootCA.crt gets rc=20>
>
>> Then I found this directory in my system, /etc/ssl/certs, containing my installed CA roots, which I provided to OpenSSL, instead of the certificate file:
>
> <and got rc=0>
>
>> It seems to me that there is one certificate installed in /etc/ssl/certs, which is different from the one I was providing, that is being used to verify the host. If it is so, how can I know what certificate is being used? And why Firefox and Chrome both use the former certificate I provided, while OpenSSL is unable to use it for the same host?
>
> s_client shows that host is providing a chain which has at #2 Digicert High Assurance EV Root CA not actually a root but instead issued by Entrust.net Secure Server Certification Authority. Such a cert with SHA1 99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539 found at www.entrust.net Download roots does verify the chain, and is in my Windows/IE(7) and FF3.6 and Java(6u24) truststores out of the box, so if your /etc/ssl/certs was put together with the usual suspects (a la Casablanca) very likely it's in there.
>
> The #2 from graph.facebook.com and the root from digicert.com have the same public key and keyid so either one can verify the children (which (both) have AKI.keyid). I don't know why both forms exist and I don't see anything obvious on the Digicert website about it. The dates are different: the #2 is 20061001 to 20140726 while the true root is 20061110 to 2030; possibly digicert initially got cross-signed by entrust and then established their own root(s).
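The two chain-building orders at issue in this thread, as an added illustration that is not code from any of the posters: the peer's extra certificates consumed first (the OpenSSL 1.0.x order that yields rc=20 here) versus the trust store consulted at every step (the behaviour Jakob expects; later OpenSSL releases added X509_V_FLAG_TRUSTED_FIRST for this). Certificates are constructed stand-ins keyed only by SKI/AKI keyid; no signatures are checked.

```python
# Added illustration, not code from the thread. Each certificate is a dict;
# "ski" stands in for SubjectKeyIdentifier, "aki" for AuthorityKeyIdentifier.keyid.
X509_V_OK = 0
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20   # the rc=20 seen in the thread


def cert(subject, ski, aki):
    return {"subject": subject, "ski": ski, "aki": aki}


def is_self_signed(c):
    return c["ski"] == c["aki"]


# Constructed sample: the DigiCert EV root key has keyid "DC", the Entrust root
# key "EN". The cross certificate carries the DigiCert key but is issued by
# Entrust, like the #2 element of the chain graph.facebook.com sends.
DIGICERT_ROOT = cert("DigiCert High Assurance EV Root CA", "DC", "DC")
ENTRUST_ROOT = cert("Entrust.net Secure Server CA", "EN", "EN")
CROSS_CERT = cert("DigiCert High Assurance EV Root CA", "DC", "EN")
LEAF = cert("*.facebook.com", "LF", "DC")
PEER_CHAIN = [LEAF, CROSS_CERT]          # leaf first, then the server's extra cert


def build_chain(peer_chain, trust_store, trusted_first):
    """Return (verify_result, chain).

    trusted_first=False follows the peer's extra certificates as far as they go
    and only then looks in the trust store (OpenSSL 1.0.x order).
    trusted_first=True prefers a trust-store match at every step, so a known
    keyid ends the walk before the cross certificate is ever considered.
    """
    trusted = {c["ski"]: c for c in trust_store}
    untrusted = {c["ski"]: c for c in peer_chain[1:]}
    chain = [peer_chain[0]]
    while not is_self_signed(chain[-1]):
        aki = chain[-1]["aki"]
        if trusted_first and aki in trusted:
            chain.append(trusted[aki])
        elif aki in untrusted:
            chain.append(untrusted[aki])
        elif aki in trusted:
            chain.append(trusted[aki])
        else:
            return X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, chain
    # The walk ended at a self-signed cert; it is an anchor only if the store holds it.
    if trusted.get(chain[-1]["ski"]) == chain[-1]:
        return X509_V_OK, chain
    return X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, chain
```

With only the DigiCert self-signed root in the store, the peer-first order dead-ends at the cross certificate's Entrust issuer (result 20), while the trusted-first order verifies; with the Entrust root in the store both orders verify, which is why /etc/ssl/certs worked.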
Re: Failing to verify the certificate of one specific site
2011/10/21 Jakob Bohm <jb-open...@wisemo.com>:
> According to the Digicert CPS http://www.digicert.com/docs/cps/DigiCert_EV-CPS.pdf, that DigiCert root is cross-certified by the Entrust root. Some trusted certificate bundles include only the Entrust root CA and will need the Entrust-signed cross intermediary certificate to validate, other trusted certificate bundles include the Digicert self-signed root for this key directly.
>
> It is expected from the standards and the behavior of other X.509 libraries that upon seeing the keyid of a known root, the library should stop following the chain and ignore any extra certificate provided by the entity being verified.

So, the behavior I get with OpenSSL when using the Digicert root is non-conformant with X.509? The peer's certificate should have been verified when I provided the Digicert root?

--
Lucas Clemente Vella
lve...@gmail.com
RE: Failing to verify the certificate of one specific site
> From: owner-openssl-us...@openssl.org On Behalf Of Lucas Clemente Vella
> Sent: Wednesday, 19 October, 2011 22:44

<snip: connect to graph.facebook.com:443 using cafile=DigiCertHighAssuranceEVRootCA.crt gets rc=20>

> Then I found this directory in my system, /etc/ssl/certs, containing my installed CA roots, which I provided to OpenSSL, instead of the certificate file:

<and got rc=0>

> It seems to me that there is one certificate installed in /etc/ssl/certs, which is different from the one I was providing, that is being used to verify the host. If it is so, how can I know what certificate is being used? And why Firefox and Chrome both use the former certificate I provided, while OpenSSL is unable to use it for the same host?

s_client shows that host is providing a chain which has at #2 Digicert High Assurance EV Root CA not actually a root but instead issued by Entrust.net Secure Server Certification Authority. Such a cert with SHA1 99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539 found at www.entrust.net Download roots does verify the chain, and is in my Windows/IE(7) and FF3.6 and Java(6u24) truststores out of the box, so if your /etc/ssl/certs was put together with the usual suspects (a la Casablanca) very likely it's in there.

The #2 from graph.facebook.com and the root from digicert.com have the same public key and keyid so either one can verify the children (which (both) have AKI.keyid). I don't know why both forms exist and I don't see anything obvious on the Digicert website about it. The dates are different: the #2 is 20061001 to 20140726 while the true root is 20061110 to 2030; possibly digicert initially got cross-signed by entrust and then established their own root(s).
Re: Failing to verify the certificate of one specific site
2011/10/9 Lucas Clemente Vella <lve...@gmail.com>:
> First of all, I am not a direct user of the OpenSSL library, but I am using it via Python 2.7 built-in module ssl, which in turn uses OpenSSL. Since my problem is SSL specific, I thought people here would be more apt to help me.

Now I wrote the C code using directly OpenSSL, and I get the same problem:

    #include <stdio.h>
    #include <openssl/bio.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>

    int main(void)
    {
        long ret;
        BIO *bio;
        SSL_CTX *ctx;
        SSL *ssl;
        X509 *cert;

        SSL_library_init();
        SSL_load_error_strings();
        ERR_load_BIO_strings();

        /* Trust only the DigiCert root file (no CA directory). */
        ctx = SSL_CTX_new(TLSv1_client_method());
        SSL_CTX_load_verify_locations(ctx, "DigiCertHighAssuranceEVRootCA.crt", NULL);

        bio = BIO_new_ssl_connect(ctx);
        BIO_get_ssl(bio, &ssl);
        SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
        BIO_set_conn_hostname(bio, "graph.facebook.com:443");
        if (BIO_do_connect(bio) <= 0) {
            ERR_print_errors_fp(stderr);
            return 1;
        }

        /* The handshake completes either way; the verify result tells us
         * whether the peer chain was validated against the loaded root. */
        cert = SSL_get_peer_certificate(ssl);
        ret = SSL_get_verify_result(ssl);
        printf("Cert: %s\nRet %ld\n", cert ? cert->name : "(none)", ret);

        X509_free(cert);
        BIO_free_all(bio);
        SSL_CTX_free(ctx);
        return 0;
    }

By running it, I get:

    $ ssl_test
    Cert: /C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=*.facebook.com
    Ret 20

which Ret 20 means, according to 'man verify':

    20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

where I would expect:

    0 X509_V_OK

Then I found this directory in my system, /etc/ssl/certs, containing my installed CA roots, which I provided to OpenSSL, instead of the certificate file:

    SSL_CTX_load_verify_locations(ctx, NULL, "/etc/ssl/certs");

By running again, I get Ret 0, meaning X509_V_OK and the host was verified.

It seems to me that there is one certificate installed in /etc/ssl/certs, which is different from the one I was providing, that is being used to verify the host. If it is so, how can I know what certificate is being used? And why Firefox and Chrome both use the former certificate I provided, while OpenSSL is unable to use it for the same host?

--
Lucas Clemente Vella
lve...@gmail.com
Failing to verify the certificate of one specific site
First of all, I am not a direct user of the OpenSSL library, but I am using it via Python 2.7 built-in module ssl, which in turn uses OpenSSL. Since my problem is SSL specific, I thought people here would be more apt to help me.

I have a web server and I need to make an HTTPS request to the external server graph.facebook.com. It is plain in the Python urllib2 module documentation that, while it will happily establish an HTTPS connection, it will not verify the server's certificate. So I was trying to use the ssl module to get the server's certificate verified. The problem is that the verification fails, and I have no clue of why. My browser is able to verify the server's certificate using the same root CA I provided to the ssl module, just type in https://graph.facebook.com/me.

This small code shows the problem:

    import socket, ssl

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Require the peer certificate and validate it against the DigiCert root only.
    ssl_sock = ssl.wrap_socket(s, ca_certs="DigiCertHighAssuranceEVRootCA.crt",
                               cert_reqs=ssl.CERT_REQUIRED)
    ssl_sock.connect(('graph.facebook.com', 443))

    Traceback (most recent call last):
      File "ssl_test.py", line 4, in <module>
        ssl_sock.connect(('graph.facebook.com', 443))
      File "/usr/lib/python2.7/ssl.py", line 299, in connect
        self.do_handshake()
      File "/usr/lib/python2.7/ssl.py", line 283, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLError: [Errno 1] _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

If I try the same code against 'ev-root.digicert.com', which is the DigiCert test address for this certificate, it works and the host is correctly verified.

So, do you have any clue on why the verification of this specific host fails even if I have the correct root CA? Any suggestions on how can I get more details on the problem?

--
Lucas Clemente Vella
lve...@gmail.com