Failing to verify the certificate of one specific site
First of all, I am not a direct user of the OpenSSL library, but I am using it via the Python 2.7 built-in module ssl, which in turn uses OpenSSL. Since my problem is SSL specific, I thought people here would be more apt to help me.

I have a web server and I need to make an HTTPS request to the external server graph.facebook.com. It is plain in the Python urllib2 module documentation that, while it will happily establish an HTTPS connection, it will not verify the server's certificate. So I was trying to use the ssl module to get the server's certificate verified.

The problem is that the verification fails, and I have no clue why. My browser is able to verify the server's certificate using the same root CA I provided to the ssl module, just type in https://graph.facebook.com/me.

This small code shows the problem:

    import socket, ssl

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ssl_sock = ssl.wrap_socket(s, ca_certs="DigiCertHighAssuranceEVRootCA.crt", cert_reqs=ssl.CERT_REQUIRED)
    ssl_sock.connect(('graph.facebook.com', 443))

    Traceback (most recent call last):
      File "ssl_test.py", line 4, in <module>
        ssl_sock.connect(('graph.facebook.com', 443))
      File "/usr/lib/python2.7/ssl.py", line 299, in connect
        self.do_handshake()
      File "/usr/lib/python2.7/ssl.py", line 283, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLError: [Errno 1] _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

If I try the same code against 'ev-root.digicert.com', which is the DigiCert test address for this certificate, it works and the host is correctly verified.

So, do you have any clue on why the verification of this specific host fails even if I have the correct root CA? Any suggestions on how I can get more details on the problem?

--
Lucas Clemente Vella
lve...@gmail.com

OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
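An added example, not part of the original post and written for Python 3.7+ rather than the poster's 2.7: one way to get more detail from a failed verification is to catch `ssl.SSLCertVerificationError` and read its `verify_code` and `verify_message`. The context below also checks the hostname, which `ssl.wrap_socket(..., cert_reqs=ssl.CERT_REQUIRED)` on its own does not; the function names and the result dictionary are assumptions of this example.

```python
# Added example (Python 3.7+); names and result layout are hypothetical.
import socket
import ssl


def pinned_context(cafile=None):
    """Client context that validates the chain AND the hostname.

    cafile: PEM file holding the trusted root(s); None uses the system store.
    """
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def check_server(host, port=443, cafile=None, timeout=10.0):
    """Attempt a verified handshake and report the stage at which it failed."""
    ctx = pinned_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Issuer of the leaf certificate, e.g. to compare with the
                # root or intermediate you expected the chain to use.
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return {"stage": "ok", "issuer": issuer}
    except ssl.SSLCertVerificationError as exc:
        # verify_code is OpenSSL's X509 verification error number;
        # verify_message is its text form.
        return {"stage": "verify", "code": exc.verify_code,
                "reason": exc.verify_message}
    except ssl.SSLError as exc:
        # TLS failure unrelated to certificate validation.
        return {"stage": "handshake", "reason": exc.reason}
    except OSError as exc:
        # TCP-level failure: refused, timed out, DNS error.
        return {"stage": "connect", "reason": str(exc)}


if __name__ == "__main__":
    # Constructed usage: trust only the single root file named in the post.
    print(check_server("graph.facebook.com", 443,
                       cafile="DigiCertHighAssuranceEVRootCA.crt"))
```

A result with `"stage": "verify"` separates a chain or hostname problem from a plain network or protocol failure, and the code says which check failed.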
Re: starting point for learning to use OpenSSL
I found the examples that Eric Rescorla wrote to be very helpful.

Sent from my iPad

On Oct 8, 2011, at 9:58 PM, Jeremy Farrell jfarr...@pillardata.com wrote:

> From: Mithun Kumar
> Sent: Friday, October 07, 2011 5:54 PM
>
> Hello All,
>
> I want to use OpenSSL for the application that I am writing. Could someone direct me what is the best starting point? I tried Google but failed to find any examples.
>
> PS: I hope I am posting on the right forum.
>
> -Thanks
> mithun
>
> http://shop.oreilly.com/product/9780596002701.do
Re: starting point for learning to use OpenSSL
Thanks John, can you please send me the link?

-mithun

On Sun, Oct 9, 2011 at 9:23 AM, John Zavgren jzavg...@gmail.com wrote:

> I found the examples that Eric Rescorla wrote to be very helpful.
>
> Sent from my iPad
>
> On Oct 8, 2011, at 9:58 PM, Jeremy Farrell jfarr...@pillardata.com wrote:
>
> > From: Mithun Kumar
> > Sent: Friday, October 07, 2011 5:54 PM
> >
> > Hello All,
> >
> > I want to use OpenSSL for the application that I am writing. Could someone direct me what is the best starting point? I tried Google but failed to find any examples.
> >
> > PS: I hope I am posting on the right forum.
> >
> > -Thanks
> > mithun
> >
> > http://shop.oreilly.com/product/9780596002701.do
Re: starting point for learning to use OpenSSL
You can find Eric Rescorla's SSL examples here: http://www.rtfm.com/openssl-examples/

He mentions his book on that page as well, which I found very useful for understanding how SSL works.

-Scott.

On Mon, Oct 10, 2011 at 12:48 AM, Mithun Kumar mithunsi...@gmail.com wrote:

> Thanks John, can you please send me the link?
>
> -mithun
>
> On Sun, Oct 9, 2011 at 9:23 AM, John Zavgren jzavg...@gmail.com wrote:
>
> > I found the examples that Eric Rescorla wrote to be very helpful.
> >
> > Sent from my iPad
> >
> > On Oct 8, 2011, at 9:58 PM, Jeremy Farrell jfarr...@pillardata.com wrote:
> >
> > > From: Mithun Kumar
> > > Sent: Friday, October 07, 2011 5:54 PM
> > >
> > > Hello All,
> > >
> > > I want to use OpenSSL for the application that I am writing. Could someone direct me what is the best starting point? I tried Google but failed to find any examples.
> > >
> > > PS: I hope I am posting on the right forum.
> > >
> > > -Thanks
> > > mithun
> > >
> > > http://shop.oreilly.com/product/9780596002701.do
Cross-process session cache
Hello,

I'm working with a fairly straightforward SSL server, which forks to run every connection in its own process. I'm looking to add session caching to help with performance. Because each connection is in its own process, I can't use OpenSSL's builtin session caching.

I don't really see a standard library in wide use for cross-process session caching. The advice I have come across is to take a look at the code from Apache, and see what can be used from that.

Is there some fairly easy-to-adapt library code that anybody has used? Or is looking around at other implementations of a session cache still the best route?

Any advice is appreciated,
Scott.