Apologies. Either I'm an idiot or autocorrect is feeling amusing today. I meant https://gist.github.com/DomT4/f86618bdfe2f27c8d66a rather than https://gist.github.cok/DomT4/f86618bdfe2f27c8d66a.
Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c.

-------- Forwarded Message --------
Subject: OpenSSL fails to connect to Google on OS X 10.10.3 (Bug Report)
Date: Sat, 18 Apr 2015 14:16:14 +0100
From: Dominyk Tiller <dominyktil...@gmail.com>
To: openssl-dev@openssl.org

Apologies that this is kinda badly written. Detailed bug reports aren't my forte. Feel free to ping back questions if detail isn't clear/useful/etc.

OS X 10.10.3's release changed some certs in the Keychain. There's a full list of changes here: https://gist.github.cok/DomT4/f86618bdfe2f27c8d66a

This has caused some chaos with OpenSSL and LibreSSL, in things built against them, using a .pem generated from OS X's Keychains. The biggest, most popular affected sites are the whole range of Google domains. Google cross-sign their GeoTrust root with an old Equifax root (Equifax Secure Certificate Authority) because a lot of the older clients don't have the GeoTrust root on their system and would just error out. Have emailed with Adam Langley on the cert errors and essentially Google aren't going to be able to stop that cross-signing any time soon.

According to Adam, most SSL clients should go through the cert chain of the domain and hit the GeoTrust cert and verify at that point, if the GeoTrust root exists in a .pem file OpenSSL can find and use, which does exist when generating a PEM from the system Keychains. It's not supposed to carry on to the Equifax root, but it is, and this is causing breakage on OS X 10.10.3 onwards.

This problem only exists in OpenSSL and LibreSSL as far as testing goes. It isn't reproducible with Apple's Security Framework, or GnuTLS. Interestingly, Apple have done something to their shipped OpenSSL 0.9.8x to fix the problem: if I build OpenSSL 0.9.8x from source and use it, failure, but if I use the one Apple installs the connection verifies and succeeds. Here's hoping they've punted whatever those changes were upstream to you.
This is the error you get:

==================================================
--2015-04-10 16:58:58--  https://google.com/
Resolving google.com... 216.58.210.46, 2a00:1450:4009:800::200e
Connecting to google.com|216.58.210.46|:443... connected.
ERROR: cannot verify google.com's certificate, issued by ‘CN=Google Internet Authority G2,O=Google Inc,C=US’:
  Unable to locally verify the issuer's authority.
To connect to google.com insecurely, use `--no-check-certificate'.
==================================================

How to reproduce:

* Install OpenSSL on OS X 10.10.3 or above. I have it installed to /usr/local/opt/openssl, with the sysconfdir in /usr/local/etc.
* Generate a PEM file from OS X's Security Keychain:
  * security find-certificate -a -p /Library/Keychains/System.keychain >> sys.pem
  * security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> sysroot.pem
  * cat sys.pem >> sysroot.pem
  * mv sysroot.pem /usr/local/etc/openssl
* Download and install cURL:
  * Pass "--with-ssl=/path/to/openssl/dir" and "--with-ca-bundle=/path/to/sysconfdir/openssl/sysroot.pem" to configure.
* Run "/path/to/your/installed/curl -I https://google.com"

It reproduces with wget, mutt, various other tools.

If you put the Equifax certificate back, and then rehash, you can make the connection. But the Equifax cert is old, and weak, and Apple aren't likely to return it to the Keychain. So this problem connecting to Google will persist until the reason for not stopping at and verifying on the GeoTrust root is narrowed down and hopefully fixed. Mozilla are also pressing ahead with removing that Equifax root from their certs, so it's not a simple case of working around it by switching PEM.

--
Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c.
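The chain-building behaviour the report describes, as an added illustration that is not part of the thread and is not OpenSSL's code: a small Python model of a verifier walking from the leaf towards a root. The certificate names mirror the report (google.com, Google Internet Authority G2, the GeoTrust Global CA root and its Equifax-issued cross-sign, the Equifax Secure Certificate Authority root); the `spki` key strings, the `Cert` class and the `build_chain`/`verify` helpers are constructed for the model and stand in for real public keys and real X.509 parsing. The model contrasts a verifier that prefers the peer-supplied certificates at every step (so it follows the cross-signed GeoTrust cert up to Equifax and fails once Equifax is gone from the store) with a "trusted first" verifier that checks the trust store at every step and stops at the GeoTrust root.

```python
"""Toy model of X.509 chain building with and without trusted-first lookup.

Hypothetical example, not OpenSSL code: a Cert is just (subject, issuer, spki),
where `spki` is a constructed string standing in for the public key.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: str  # stand-in for the subject public key (constructed)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed chain modelled on the report; key strings are placeholders.
LEAF = Cert("google.com", "Google Internet Authority G2", "k-google")
GIA_G2 = Cert("Google Internet Authority G2", "GeoTrust Global CA", "k-gia")
# Cross-signed GeoTrust root sent by the server: same name and key as the
# trusted root, but issued by Equifax.
GEOTRUST_CROSS = Cert("GeoTrust Global CA",
                      "Equifax Secure Certificate Authority", "k-geotrust")
GEOTRUST_ROOT = Cert("GeoTrust Global CA", "GeoTrust Global CA", "k-geotrust")
EQUIFAX_ROOT = Cert("Equifax Secure Certificate Authority",
                    "Equifax Secure Certificate Authority", "k-equifax")

# What the peer sends alongside the leaf.
SERVER_CHAIN = [GIA_G2, GEOTRUST_CROSS]


def build_chain(leaf, untrusted, trust_store, trusted_first):
    """Walk from the leaf towards a root and return (verified, chain).

    untrusted:     certs supplied by the peer, keyed by subject.
    trust_store:   trusted roots, keyed by subject (the Keychain-derived PEM).
    trusted_first: consult the trust store before the peer's certs at each step.
    """
    chain = [leaf]
    while True:
        cur = chain[-1]
        if cur.self_signed:
            # A self-signed cert only terminates the chain if it is the very
            # same cert in the trust store; a peer-supplied look-alike does not.
            return trust_store.get(cur.subject) == cur, chain
        from_store = trust_store.get(cur.issuer)
        from_peer = untrusted.get(cur.issuer)
        if trusted_first:
            nxt = from_store or from_peer
        else:
            nxt = from_peer or from_store
        if nxt is None or nxt in chain:
            return False, chain
        chain.append(nxt)


def verify(leaf, server_chain, roots, trusted_first):
    """Convenience wrapper returning (verified, [subjects along the chain])."""
    untrusted = {c.subject: c for c in server_chain}
    trust_store = {c.subject: c for c in roots}
    ok, chain = build_chain(leaf, untrusted, trust_store, trusted_first)
    return ok, [c.subject for c in chain]


def demo():
    """Run the three scenarios from the report and return their results."""
    return {
        # Pre-10.10.3 store: both roots present, peer certs preferred.
        "old_store_untrusted_first": verify(
            LEAF, SERVER_CHAIN, [GEOTRUST_ROOT, EQUIFAX_ROOT], False),
        # 10.10.3 store: Equifax removed, peer certs preferred -> fails.
        "new_store_untrusted_first": verify(
            LEAF, SERVER_CHAIN, [GEOTRUST_ROOT], False),
        # 10.10.3 store, trusted-first lookup -> stops at the GeoTrust root.
        "new_store_trusted_first": verify(
            LEAF, SERVER_CHAIN, [GEOTRUST_ROOT], True),
    }


if __name__ == "__main__":
    for name, (ok, subjects) in demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} via {' -> '.join(subjects)}")
```

In the model, only the "trusted first" walk succeeds once the Equifax root is gone, which is the behaviour the report says Apple's Security Framework and GnuTLS already show. In OpenSSL this lookup order is the `X509_V_FLAG_TRUSTED_FIRST` verification flag (exposed as `-trusted_first` on `openssl verify` and `s_client` from 1.0.2, and the default from 1.1.0); a quick check of a client's behaviour is therefore to verify the server chain against the Keychain-derived bundle with and without that flag and compare the results.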