Hi,

I am running into trouble connecting to this URL with tools using the openssl library bundled in /usr/sfw:

https://consumer-help-nl--stg.custhelp.com/cgi-bin/consumer_help_nl.cfg/php/enduser/cci/rss_view_display.php

This URL is publicly accessible, so feel free to try it out yourself. When I do with Firefox, everything seems to work fine and clicking the padlock shows me this certificate hierarchy:

  + AddTrust External CA Root
    + UTN - DATACorp SGC
      + *.custhelp.com

Now I tried accessing the exact same URL with command line tools. First with curl:

$ ldd /usr/local/bin/curl
        libcurl.so.3 =>      /usr/local/lib/libcurl.so.3
        libssl.so.0.9.7 =>   /usr/sfw/lib/libssl.so.0.9.7
        libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
        libsocket.so.1 =>    /usr/lib/libsocket.so.1
        libnsl.so.1 =>       /usr/lib/libnsl.so.1
        libz.so.1 =>         /usr/lib/libz.so.1
        libc.so.1 =>         /usr/lib/libc.so.1
        libgcc_s.so.1 =>     /usr/sfw/lib/libgcc_s.so.1
        libmp.so.2 =>        /lib/libmp.so.2
        libmd5.so.1 =>       /lib/libmd5.so.1
        libscf.so.1 =>       /lib/libscf.so.1
        libdoor.so.1 =>      /lib/libdoor.so.1
        libuutil.so.1 =>     /lib/libuutil.so.1
        libm.so.2 =>         /lib/libm.so.2
        /platform/SUNW,Sun-Fire-V240/lib/libc_psr.so.1
        /platform/SUNW,Sun-Fire-V240/lib/libmd5_psr.so.1

$ /usr/local/bin/curl --cacert cacert.pem -v 'https://consumer-help-nl--stg.custhelp.com/cgi-bin/consumer_help_nl.cfg/php/enduser/cci/rss_view_display.php?num=5' >/dev/null
* About to connect() to consumer-help-nl--stg.custhelp.com port 443
*   Trying 81.110.142.41... * connected
* Connected to consumer-help-nl--stg.custhelp.com (81.110.142.41) port 443
* successfully set certificate verify locations:
*   CAfile: cacert.pem
  CApath: none
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). The default
 bundle is named curl-ca-bundle.crt; you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Then with openssl s_client:

$ /usr/sfw/bin/openssl s_client -CAfile cacert.pem -host consumer-help-nl--stg.custhelp.com -port 443
CONNECTED(00000004)
depth=2 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=24:invalid CA certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=MT/L=Bozeman/O=RightNow Technologies/OU=Issued through RightNow Technologies E-PKI Manager/OU=Comodo SGC SSL Wildcard/CN=*.custhelp.com
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
 1 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/C=US/ST=MT/L=Bozeman/O=RightNow Technologies/OU=Issued through RightNow Technologies E-PKI Manager/OU=Comodo SGC SSL Wildcard/CN=*.custhelp.com
issuer=/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
---
No client certificate CA names sent
---
SSL handshake has read 3808 bytes and written 315 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: ABA9D8BEDC78C1E286A580AC374B4D7A8706D8501A5B07F959FFD1BE0CC4B268
    Session-ID-ctx:
    Master-Key: 939AD7F3B0E71F90035DF1F044191C46F80EBD94D8E644860D9333418AA6E713D327E8915EABC96A9CCF4B35D03F3E0E
    Key-Arg   : None
    Start Time: 1217935847
    Timeout   : 300 (sec)
    Verify return code: 24 (invalid CA certificate)
---
^C

Not only do both tools fail to validate the server's certificate, but the certificate chain reported by openssl does not look right: it reports that the root certificate is signed by yet another certificate (UTN-USERFirst-Hardware).

I've tried with another openssl library that I got from sunfreeware.com and got different results:

$ export LD_LIBRARY_PATH=/usr/local/ssl/lib
$ ldd /usr/local/bin/curl
        libcurl.so.3 =>      /usr/local/lib/libcurl.so.3
        libssl.so.0.9.7 =>   /usr/local/ssl/lib/libssl.so.0.9.7
        libcrypto.so.0.9.7 => /usr/local/ssl/lib/libcrypto.so.0.9.7
        libsocket.so.1 =>    /usr/lib/libsocket.so.1
        libnsl.so.1 =>       /usr/lib/libnsl.so.1
        libz.so.1 =>         /usr/lib/libz.so.1
        libc.so.1 =>         /usr/lib/libc.so.1
        libgcc_s.so.1 =>     /usr/local/lib/libgcc_s.so.1
        libdl.so.1 =>        /lib/libdl.so.1
        libmp.so.2 =>        /lib/libmp.so.2
        libmd5.so.1 =>       /lib/libmd5.so.1
        libscf.so.1 =>       /lib/libscf.so.1
        libdoor.so.1 =>      /lib/libdoor.so.1
        libuutil.so.1 =>     /lib/libuutil.so.1
        libm.so.2 =>         /lib/libm.so.2
        /platform/SUNW,Sun-Fire-V240/lib/libc_psr.so.1
        /platform/SUNW,Sun-Fire-V240/lib/libmd5_psr.so.1

$ /usr/local/bin/curl --cacert cacert.pem -v 'https://consumer-help-nl--stg.custhelp.com/cgi-bin/consumer_help_nl.cfg/php/enduser/cci/rss_view_display.php?num=5' >/dev/null
* About to connect() to consumer-help-nl--stg.custhelp.com port 443
*   Trying 81.110.142.41... * connected
* Connected to consumer-help-nl--stg.custhelp.com (81.110.142.41) port 443
* successfully set certificate verify locations:
*   CAfile: cacert.pem
  CApath: none
* SSL connection using AES256-SHA
* Server certificate:
*        subject: /C=US/ST=MT/L=Bozeman/O=RightNow Technologies/OU=Issued through RightNow Technologies E-PKI Manager/OU=Comodo SGC SSL Wildcard/CN=*.custhelp.com
*        start date: 2007-10-09 00:00:00 GMT
*        expire date: 2010-10-08 23:59:59 GMT
*        common name: *.custhelp.com (matched)
*        issuer: /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
*        SSL certificate verify ok.
> GET /cgi-bin/consumer_help_nl.cfg/php/enduser/cci/rss_view_display.php?num=5 HTTP/1.1
User-Agent: curl/7.12.2 (sparc-sun-solaris2.10) libcurl/7.12.2 OpenSSL/0.9.7g zlib/1.1.4
Host: consumer-help-nl--stg.custhelp.com
Pragma: no-cache
Accept: */*

< HTTP/1.1 200 OK
< Date: Tue, 05 Aug 2008 11:23:19 GMT
< Server: Apache
< P3P: policyref="http://consumer-help-nl--stg.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
< Vary: Accept-Encoding,User-Agent
< RNT-Time: D=147729 t=1217935399763734
< RNT-Machine: 06
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/xml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3039    0  3039    0     0   9116      0 --:--:-- --:--:-- --:--:--  697k
* Closing connection #0

curl manages to validate the certificate with this openssl library. Now with openssl s_client:

$ /usr/local/ssl/bin/openssl s_client -CAfile cacert.pem -host consumer-help-nl--stg.custhelp.com -port 443
CONNECTED(00000004)
depth=4 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=3 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify return:1
depth=2 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
verify return:1
depth=0 /C=US/ST=MT/L=Bozeman/O=RightNow Technologies/OU=Issued through RightNow Technologies E-PKI Manager/OU=Comodo SGC SSL Wildcard/CN=*.custhelp.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=MT/L=Bozeman/O=RightNow Technologies/OU=Issued through RightNow Technologies E-PKI Manager/OU=Comodo SGC SSL Wildcard/CN=*.custhelp.com
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
 1 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/C=US/ST=MT/L=Bozeman/O=RightNow Technologies/OU=Issued through RightNow Technologies E-PKI Manager/OU=Comodo SGC SSL Wildcard/CN=*.custhelp.com
issuer=/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
---
No client certificate CA names sent
---
SSL handshake has read 3824 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: ABA9D8BEDC78C2CD86A580AC374B4BAD8706D8501A5B07F959FFD1BE0CC4B342
    Session-ID-ctx:
    Master-Key: 848771D8C0A8F9523FB7EFCEDACCFBA3A1620521BFDA7BBC1DE66E7B2C277D8BC20F6B2EF9864C59DE41E9FDD98545F8
    Key-Arg   : None
    Start Time: 1217935569
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C

It also manages to validate the certificate chain, but it does not look like the one Firefox reports. I had to put the AddTrust External CA Root and the UTN-USERFirst-Hardware certificates (I got the latter from here: https://www.usertrust.com/) in the cacert.pem file.

Now why is the /usr/sfw version not working, and why does the working version not show the same certificate chain as Firefox? I mean, how can the AddTrust External CA Root certificate be signed by the UTN-USERFirst-Hardware certificate, which is itself signed by the AddTrust External CA Root certificate?

Thanks for your help.

Ludovic
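The cross-signing Ludovic asks about, modelled in code. This is an added example, not part of the original post and not the real USERTRUST/Comodo certificates: it builds a throwaway PKI with Go's crypto/x509 in which one CA key ("Demo Root A", standing in for AddTrust External CA Root) carries two certificates with the same subject, one self-signed and one issued by a second root ("Demo Root B", standing in for UTN-USERFirst-Hardware), and then verifies a leaf against two different trust stores. Every name, hostname and key in it is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI is a constructed stand-in for the chain in the s_client output: "Demo Root A"
// plays AddTrust External CA Root and has two certificates for one key. Names and keys are made up.
type demoPKI struct {
	rootASelf  *x509.Certificate // Root A, self-signed
	rootACross *x509.Certificate // Root A's subject and public key, issued by Root B
	rootB      *x509.Certificate // Root B, self-signed (plays UTN-USERFirst-Hardware)
	inter      *x509.Certificate // intermediate CA issued by Root A
	leaf       *x509.Certificate // server certificate issued by the intermediate
}

// issuer cuts certificates and keeps the first error, so a PKI build reads as a plain list.
type issuer struct{ err error }

// issue signs tmpl with parentKey for a fresh subject key, or for key when one is given
// (how a second certificate is cut for an existing key). parentKey nil means self-signed.
func (s *issuer) issue(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	if key == nil && s.err == nil {
		key, s.err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	if s.err != nil {
		return nil, nil
	}
	if parentKey == nil {
		parentKey = key
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		s.err = err
		return nil, nil
	}
	c, err := x509.ParseCertificate(der)
	s.err = err
	return c, key
}

func ca(cn string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

func buildDemoPKI() (*demoPKI, error) {
	s, a, b := &issuer{}, ca("Demo Root A"), ca("Demo Root B")
	rootASelf, keyA := s.issue(a, a, nil, nil)
	rootB, keyB := s.issue(b, b, nil, nil)
	// The cross-certificate: Root A's subject and public key, but signed by Root B.
	// This is the "root signed by yet another certificate" that s_client showed at depth 2.
	rootACross, _ := s.issue(ca("Demo Root A"), rootB, keyA, keyB)
	inter, keyI := s.issue(ca("Demo Intermediate"), rootASelf, nil, keyA)
	leaf, _ := s.issue(&x509.Certificate{Subject: pkix.Name{CommonName: "*.demo.example"},
		DNSNames: []string{"*.demo.example"}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, inter, nil, keyI)
	if s.err != nil {
		return nil, s.err
	}
	return &demoPKI{rootASelf, rootACross, rootB, inter, leaf}, nil
}

// verify plays the TLS client: roots is the local trust store (the cacert.pem role),
// sent is what the server put in its Certificate message after the leaf.
func verify(p *demoPKI, roots, sent []*x509.Certificate, host string) ([][]*x509.Certificate, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range sent {
		interPool.AddCert(c)
	}
	return p.leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: host})
}

func main() {
	p, err := buildDemoPKI()
	if err != nil {
		panic(err)
	}
	// Same server-sent certificates, two trust stores: the chain stops at the trusted
	// self-signed Root A, or runs on through the cross-certificate to Root B.
	for _, roots := range [][]*x509.Certificate{{p.rootASelf}, {p.rootB}} {
		chains, err := verify(p, roots, []*x509.Certificate{p.inter, p.rootACross}, "www.demo.example")
		if err != nil {
			panic(err)
		}
		for i, c := range chains[0] { // printed the way s_client lists the chain
			fmt.Printf("%d s:%s i:%s\n", i, c.Subject.CommonName, c.Issuer.CommonName)
		}
	}
}
```

Run it with go run. With the self-signed Root A in the trust store the chain is three certificates long and ends at a certificate that is its own issuer, the hierarchy Firefox displayed. With only Root B trusted, the same server-sent certificates verify too, but the chain is one hop longer and passes through the cross-certificate, the shape of the depth=4 s_client output. A cross-certificate is an ordinary certificate with the same subject and public key as the self-signed root but a different issuer and signature, so two roots can even cross-sign each other, which is exactly the loop the depth=4 output shows (AddTrust at depth 4, UTN-USERFirst-Hardware at depth 3 issued by it, AddTrust at depth 2 issued by UTN-USERFirst-Hardware). Which certificate a client reports at depth 2 therefore depends on what the server sent and on where the client's chain builder decides to stop, not on a contradiction in the PKI; a builder that terminates as soon as it reaches a certificate already in the trust store shows the short chain, one that keeps following issuers shows the long one.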