Re: Openssl, serf and curl

Thu, 06 Jan 2022 06:02:43 -0800 

Dear All,

On Wed, Jan 05, 2022 at 05:03:44PM +0100, Arrigo Marchiori wrote:

> Dear All,
> 
> one more status update.
> 
> On Sat, Dec 25, 2021 at 09:57:03PM +0100, Arrigo Marchiori wrote:
> 
> > Dear All,
> > 
> > first of all: merry Christmas!
> > 
> > On Thu, Dec 09, 2021 at 06:00:58PM +0000, Pedro Lino wrote:
> > 
> > > Hi Matthias
> > > 
> > > > On 12/09/2021 3:20 PM Matthias Seidel <matthias.sei...@hamburg.de> 
> > > > wrote:
> > > 
> > > > Is this a real machine or a VM?
> > > 
> > > It is a real machine
> > >  
> > > > I ask, because I have seen the Update Feed fail on Ubuntu in a VM when
> > > > it definitely worked on my Laptop.
> > > 
> > > There were a lot of errors during unpack, as I said. 
> > 
> > What kind of errors? Maybe permission issues?
> > I hope I will eventually get a trunk build right for everyone...
> > 
> > By the way the problem _under Linux_ may or may not be due to
> > TLS... in fact the error message is "Device or resource busy". There
> > is something _inside_ serf that is failing; I am not sure it is a
> > network protocol issue.
> > 
> > I am looking into this issue in my available time.
> 
> It's true that the returned value (16) corresponds to "Device or
> resource busy"... but it _also_ corresponds to
> SERF_SSL_CERT_UNKNOWN_FAILURE ! And _this_ is the error!
> 
> This error is raised during the verification of the SSL certificate
> chain.  We are in method SerfSession::verifySerfCertificateChain().
> Apparently, we have a certificate with subject "CN=*.apache.org" and
> we are asking our certificate container if it "has" and "trusts" such
> certificate for URL ooo-updates.apache.org.
> 
> The call (simply described) is:
> CertificateContainer::hasCertificate("ooo-updates.apache.org",
>                                      "*.apache.org")
> 
> Surprisingly (to me at least), this returns
> security::CertificateContainerStatus_UNTRUSTED
> 
> This breaks the update request process.

The culprit is the nss library.  Our method
SecurityEnvironment_NssImpl::verifyCertificate calls
CERT_PKIXVerifyCert() that returns failure. The reason is error -8172,
"Peer's certificate issuer has been marked as not trusted by the user."

Work is still in progress...
-- 
Arrigo

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Reply via email to