Failing to verify the certificate of one specific site

2011-10-09 Thread Lucas Clemente Vella
First of all, I am not a direct user of the OpenSSL library, but I am
using it via Python 2.7 built-in module ssl, which in turn uses
OpenSSL. Since my problem is SSL specific, I thought people here would
be more apt to help me.

I have a web server and I need to make an HTTPS request to the
external server graph.facebook.com. It is plain in the Python urllib2
module documentation that, while it will happily establish an HTTPS
connection, it will not verify the server's certificate. So I was
trying to use the ssl module to get the server's certificate verified.

The problem is that the verification fails, and I have no clue why.
My browser is able to verify the server's certificate using the same
root CA I provided to the ssl module, just type in
https://graph.facebook.com/me. This small code shows the problem:

import socket, ssl
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_sock = ssl.wrap_socket(s,
                           ca_certs="DigiCertHighAssuranceEVRootCA.crt",  # only trusted root
                           cert_reqs=ssl.CERT_REQUIRED)
ssl_sock.connect(('graph.facebook.com', 443))  # handshake and verification happen here

Traceback (most recent call last):
  File "ssl_test.py", line 4, in <module>
    ssl_sock.connect(('graph.facebook.com', 443))
  File "/usr/lib/python2.7/ssl.py", line 299, in connect
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 283, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

If I try the same code against 'ev-root.digicert.com', which is the
DigiCert test address for this certificate, it works and the host is
correctly verified.

So, do you have any clue on why the verification of this specific host
fails even if I have the correct root CA? Any suggestions on how I can
get more details on the problem?

-- 
Lucas Clemente Vella
lve...@gmail.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
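
One way to get more detail on a failure like the one in the message above, as an added example that is not part of the original message: on Python 3.7 or later the verification exception carries OpenSSL's X.509 verify code and message, and a client context also checks the hostname, which `ssl.wrap_socket` in the posted code does not. The names `probe`, `explain` and `HINTS` are illustrative, and the hint texts summarise common causes rather than diagnose this particular server.

```python
import socket
import ssl

# A few OpenSSL X509_V_ERR_* codes and what they usually mean for a client.
# The hint wording is this example's own summary.
HINTS = {
    10: "a certificate in the chain has expired",
    18: "the server sent a self-signed leaf certificate",
    19: "the chain ends in a self-signed root that is not in the CA file",
    20: "the issuer of a chain certificate is not in the CA file",
    21: "the leaf has no verifiable issuer; an intermediate may be missing",
    62: "the chain is trusted but the certificate is not for this hostname",
}


def explain(exc):
    """Return (verify_code, OpenSSL message, hint) for a handshake error."""
    code = getattr(exc, "verify_code", None)
    message = getattr(exc, "verify_message", str(exc))
    return code, message, HINTS.get(code, "look the code up in X509_V_ERR_*")


def probe(host, port, cafile, timeout=10):
    """Handshake with host, trusting only the roots stored in cafile."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "issuer": tls.getpeercert().get("issuer")}
    except ssl.SSLCertVerificationError as exc:
        code, message, hint = explain(exc)
        return {"ok": False, "code": code, "message": message, "hint": hint}


if __name__ == "__main__":
    # Host and CA file name are the ones from the message above.
    print(probe("graph.facebook.com", 443, "DigiCertHighAssuranceEVRootCA.crt"))
```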


Re: starting point for learning to use OpenSSL

2011-10-09 Thread John Zavgren
I found the examples that Eric Rescorla wrote to be very helpful.


Sent from my iPad

On Oct 8, 2011, at 9:58 PM, Jeremy Farrell <jfarr...@pillardata.com> wrote:

> From: Mithun Kumar
> Sent: Friday, October 07, 2011 5:54 PM
>
> Hello All,
>
> I want to use OpenSSL for the application that I am writing. Could someone
> direct me what is the best starting point. I tried Google but failed to find
> any examples.
>
> PS: I hope I am posting on the right forum.
>
> -Thanks
>  mithun
>
> http://shop.oreilly.com/product/9780596002701.do


Re: starting point for learning to use OpenSSL

2011-10-09 Thread Mithun Kumar
Thanks John,

Can you please send me the link?

-mithun








Re: starting point for learning to use OpenSSL

2011-10-09 Thread Scott Gifford
You can find Eric Rescorla's SSL examples here:

http://www.rtfm.com/openssl-examples/


He mentions his book on that page as well, which I found very useful for
understanding how SSL works.

-Scott.






Cross-process session cache

2011-10-09 Thread Scott Gifford
Hello,

I'm working with a fairly straightforward SSL server, which forks to run
every connection in its own process.  I'm looking to add session caching to
help with performance.  Because each connection is in its own process, I
can't use OpenSSL's builtin session caching.

I don't really see a standard library in wide use for cross-process session
caching.  The advice I have come across is to take a look at the code from
Apache, and see what can be used from that.

Is there some fairly easy-to-adapt library code that anybody has used?
Or is looking around at other implementations of a session cache still the
best route?

Any advice is appreciated,

Scott.