On Thu, 18 Oct 2018 08:35:05 +0100
Az <azimut...@danwin1210.me> wrote:

> On Tuesday 9 October 2018 16:16,
> Nick Lord <nick.l...@t-online.de> put forth the proposition:
> > After a lengthy pause I've now installed get_iplayer 3.17 on my
> > openSUSE Leap 42.3 system. Previously I was using 3.14. Now when
> > attempting to download a programme I repeatedly get the message:
> >  
> > ERROR: Response: 500 Can't connect to www.bbc.co.uk:443 (certificate
> > verify failed)
> >  
> > and the download fails. Trying to refresh the pvr cache brings a
> > similar message:
> >  
> > ERROR: Connection error: SSL connect attempt failed error:14090086:SSL
> > routines:ssl3_get_server_certificate:certificate verify failed
> >  
> > Can anyone tell me what I'm missing?
> 
> I just got a bunch of these.
> 
> ERROR: Response: 500 Can't connect to
> vod-dash-uk-live.bbcfmt.hs.llnwd.net:443 (certificate verify failed)
> 
> --
> Az
> 
> _______________________________________________
> get_iplayer mailing list
> get_iplayer@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/get_iplayer

Try

openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect bbc.co.uk:443

and

openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect vod-dash-uk-live.bbcfmt.hs.llnwd.net:443

You should ultimately see "Verify return code: 0 (ok)". 

Anything else indicates your CA certificates are out of date. I've attached an 
OpenSSL output showing what you should see if your system has an up to date CA 
bundle.

Perl LWP calls in GiP will be using the system CA bundle and will encounter the 
same issues as your OpenSSL tests. You can manually bodge Perl to skip the cert 
verification by setting

export PERL_LWP_SSL_VERIFY_HOSTNAME=0

However, this is widely regarded as a bad move - any subsequent connection will 
never actually be verified as safe until that env variable is reset.


I use CentOS. Using the curl.haxx.se PEM CA bundle (in combination with the 
Fedora/RHEL/CentOS update-ca-trust tool) I verified TLS connections to both 
that VOD endpoint and the main bbc.co.uk site OK.

I don't use GiP on Linux though so can't check atm - and OpenSUSE's method for 
updating certs (and where they're stored in the filesystem) will differ from 
CentOS.

If you haven't already got it installed, try installing ca-certificates-mozilla:
# zypper install ca-certificates-mozilla


If that doesn't work, you'll need to set about manually updating the CA bundle.
I usually recommend the curl.haxx.se bundle - 
https://curl.haxx.se/docs/sslcerts.html

I don't use OpenSUSE Leap, but there are plenty of discussions about CA bundle 
location, update method etc...

https://forums.opensuse.org/showthread.php/530383-Looking-for-ca-certificates-crt-file-where-is-it
https://blog.hqcodeshop.fi/archives/157-Installing-own-CA-root-certificate-into-openSUSE.html
https://www.reddit.com/r/openSUSE/comments/498efy/updating_root_certificates/
https://github.com/openSUSE/ca-certificates (README in 
/usr/share/doc/packages/ca-certificates/)
https://forums.suse.com/showthread.php?9465-How-to-install-a-SSL-certificate&p=38033#post38033

CA bundles are a pain but important to get right. Easy to get yourself tied up 
in knots, so if you make any changes back up the entire /etc/pki/tls folder 
tree (/etc/ssl/certs is a symlink). Don't overwrite or delete CA files before 
you do this.

Be mindful of symlinks and recreate them where necessary (ls -a to see them.) 
Usually they're there for legacy purposes, certain files may be referenced by 
specific apps/libraries, and certs are sometimes not 'picked up' unless they go 
in certain anchor folders, etc.


If you use update-ca-certificates (recommended I think!) try starting by 
grabbing the latest CA bundle, putting it into the right folder and letting the 
system do its thing.


glhf,
Chris
# openssl s_client -CAfile /etc/ssl/certs/ca-bundle.crt -connect vod-dash-uk-live.bbcfmt.hs.llnwd.net:443
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = US, postalCode = 85281, ST = Arizona, L = Tempe, street = "222 South Mill Avenue, Suite 800", O = "Limelight Networks, Inc.", OU = Unified Communications, CN = *.bbcfmt.hs.llnwd.net
verify return:1
---
Certificate chain
 0 s:/C=US/postalCode=85281/ST=Arizona/L=Tempe/street=222 South Mill Avenue, Suite 800/O=Limelight Networks, Inc./OU=Unified Communications/CN=*.bbcfmt.hs.llnwd.net
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
Server certificate
subject=/C=US/postalCode=85281/ST=Arizona/L=Tempe/street=222 South Mill Avenue, Suite 800/O=Limelight Networks, Inc./OU=Unified Communications/CN=*.bbcfmt.hs.llnwd.net
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4014 bytes and written 437 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7B76595E2CF83FA115D4CB0191AF7A15AE52FDA29828FD7EC2596EBFD9C60F7A
    Session-ID-ctx: 
    Master-Key: 876A2385C58A4468638F20D78A3E1F9C6DC51C2CD3EA73A44A9CC9D7AEA295B03F8C3D24A06DA8144BD8142E6F9F6E1B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1539868437
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C


# openssl s_client -CAfile /etc/ssl/certs/ca-bundle.crt -connect bbc.co.uk:443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = GB, ST = London, L = London, O = British Broadcasting Corporation, CN = www.bbc.com
verify return:1
---
Certificate chain
 0 s:/C=GB/ST=London/L=London/O=British Broadcasting Corporation/CN=www.bbc.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
subject=/C=GB/ST=London/L=London/O=British Broadcasting Corporation/CN=www.bbc.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3486 bytes and written 437 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 27A48CCB9ED28B79CA697EAD1C2AEB3643E442B2BBAF4764814FDEC27AD46173
    Session-ID-ctx: 
    Master-Key: EF3A983E74C0AE6073598F3DA45070D40F29DEB7ABBE56035545607508617B77275AE009DA15FAE1534DC98628E786EA
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1539868481
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
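A shell wrapper around the openssl s_client check Chris describes, added here as an example (it is not from the thread or from get_iplayer): it runs the same command per host, sends an empty stdin so the session closes without the ^C, adds -servername for SNI, and reduces the output to the "Verify return code" value, so anything other than 0 flags a missing or stale CA bundle. The CA_FILE variable, the function names and the sample output in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not code from the mailing list thread.
# CA_FILE is an assumed default; override it to test another bundle.
CA_FILE="${CA_FILE:-/etc/ssl/certs/ca-certificates.crt}"

# Read openssl s_client output on stdin and print only the numeric verify
# code (0 = chain verified against CA_FILE). Prints 255 if no such line
# appeared, e.g. because the TCP connection itself failed.
verify_code_from_output() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        echo 255
    else
        echo "$code"
    fi
}

# Run the same s_client test as in the thread for one host:port and print
# its verify code. </dev/null closes the session instead of waiting for ^C;
# -servername sends SNI, which the thread's command omitted.
check_host() {
    host="$1"; port="${2:-443}"
    openssl s_client -CAfile "$CA_FILE" -servername "$host" \
        -connect "$host:$port" </dev/null 2>/dev/null | verify_code_from_output
}

# Check every host given on the command line; exit non-zero if any fails.
# Usage: check_hosts www.bbc.co.uk vod-dash-uk-live.bbcfmt.hs.llnwd.net
check_hosts() {
    rc=0
    for h in "$@"; do
        code=$(check_host "$h")
        if [ "$code" = "0" ]; then
            echo "$h: ok"
        else
            echo "$h: verify return code $code (CA bundle missing or stale?)"
            rc=1
        fi
    done
    return $rc
}
```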