Re: Failing to verify the certificate of one specific site

2011-10-21 Thread Lucas Clemente Vella
2011/10/21 Jakob Bohm jb-open...@wisemo.com:
> According to the Digicert CPS
> http://www.digicert.com/docs/cps/DigiCert_EV-CPS.pdf,
> that DigiCert root is cross-certified by the Entrust root.  Some trusted
> certificate bundles include only the Entrust root CA and will need the
> Entrust-signed cross intermediary certificate to validate, other trusted
> certificate bundles include the Digicert self-signed root for this key
> directly.
>
> It is expected from the standards and the behavior of other X.509 libraries
> that upon seeing the keyid of a known root, the library should stop following
> the chain and ignore any extra certificate provided by the entity being
> verified.

So, the behavior I get with OpenSSL when using the Digicert root is
non-conformant with X.509? The peer's certificate should have been
verified when I provided the Digicert root?

-- 
Lucas Clemente Vella
lve...@gmail.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org
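A lab reproduction of the cross-certification situation Jakob describes and of the error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) Lucas reports from his C test further down the thread: an added example built with the openssl command line, not code from the thread. It constructs two roots (Root A standing in for the self-signed DigiCert root, Root B for the Entrust root), a cross-certificate of Root A's key signed by Root B, and a leaf issued by Root A, then checks which trust bundles validate the leaf with and without the served cross-certificate; all names, key sizes and file names are constructed. The -trusted_first verify option (present from OpenSSL 1.0.2, the default behaviour from 1.1.0) is what makes the library stop at the known root's key instead of following the server-supplied cross-certificate up to the absent Root B.

```shell
#!/bin/sh
# Constructed lab PKI (no real certificates): Root A plays the self-signed
# DigiCert root, Root B plays the Entrust root, cross.pem is Root A's key
# cross-signed by Root B, leaf.pem is the site certificate issued by Root A.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
cat > "$W/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
EOF
# Self-signed root: $1 = file stem, $2 = CN
mk_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$W/$1.key" -out "$W/$1.pem" \
    -subj "/CN=$2" -days 1 -config "$W/ext.cnf" -extensions ca 2>/dev/null
}
# Certificate signed by an existing CA:
# $1 = subject key, $2 = CN, $3 = CA stem, $4 = extension section, $5 = out stem
sign_with() {
  openssl req -new -key "$W/$1" -subj "/CN=$2" -config "$W/ext.cnf" 2>/dev/null |
    openssl x509 -req -CA "$W/$3.pem" -CAkey "$W/$3.key" -CAcreateserial -days 1 \
      -extfile "$W/ext.cnf" -extensions "$4" -out "$W/$5.pem" 2>/dev/null
}
mk_root rootA "Lab Root A"
mk_root rootB "Lab Root B"
openssl genrsa -out "$W/leaf.key" 2048 2>/dev/null
sign_with rootA.key "Lab Root A" rootB ca cross   # cross-certificate: A's key, signed by B
sign_with leaf.key "lab.example" rootA leaf leaf  # site certificate, issued by A's key
# Subject Key Identifier of a certificate in $W, as colon-separated hex
skid() {
  openssl x509 -in "$W/$1" -noout -text | grep -A1 'Subject Key Identifier' | tail -n1 | tr -d ' '
}
# Exit 0 when leaf.pem validates: $1 = trusted root stem, remaining args = extra verify options
verify_leaf() {
  roots=$1; shift
  openssl verify -CAfile "$W/$roots.pem" "$@" "$W/leaf.pem" >/dev/null 2>&1
}
echo "root and cross-cert share key id: $(skid rootA.pem) = $(skid cross.pem)"
verify_leaf rootA && echo "bundle with Root A, nothing extra: OK"
verify_leaf rootB || echo "bundle with Root B only, no cross-cert: error 20, no local issuer"
verify_leaf rootB -untrusted "$W/cross.pem" && echo "bundle with Root B + served cross-cert: OK"
verify_leaf rootA -untrusted "$W/cross.pem" -trusted_first && echo "bundle with Root A + served cross-cert, trusted_first: OK"
```

The last case is Lucas's setup: the self-signed root is trusted but the site serves the cross-certificate; releases before 1.0.2 have no trusted_first and extend the chain through the cross-certificate to the missing Root B, which is the error 20 he sees.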


Re: Failing to verify the certificate of one specific site

2011-10-19 Thread Lucas Clemente Vella
2011/10/9 Lucas Clemente Vella lve...@gmail.com:
> First of all, I am not a direct user of the OpenSSL library, but I am
> using it via Python 2.7 built-in module ssl, which in turn uses
> OpenSSL. Since my problem is SSL specific, I thought people here would
> be more apt to help me.

Now I wrote the C code using OpenSSL directly, and I get the same problem:

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

int main(void)
{
  long ret;
  BIO *bio;
  SSL_CTX *ctx;
  SSL *ssl;
  X509 *cert;

  SSL_library_init();
  SSL_load_error_strings();
  ERR_load_BIO_strings();

  /* Trust only the DigiCert EV root file; no CA directory */
  ctx = SSL_CTX_new(TLSv1_client_method());
  SSL_CTX_load_verify_locations(ctx, "DigiCertHighAssuranceEVRootCA.crt", NULL);

  bio = BIO_new_ssl_connect(ctx);
  BIO_get_ssl(bio, &ssl);
  SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);

  BIO_set_conn_hostname(bio, "graph.facebook.com:443");
  if (BIO_do_connect(bio) <= 0) {
    ERR_print_errors_fp(stderr);
    return 1;
  }

  /* Without SSL_VERIFY_PEER the handshake completes even when verification
     fails; SSL_get_verify_result() reports the X509_V_* outcome */
  cert = SSL_get_peer_certificate(ssl);
  ret = SSL_get_verify_result(ssl);

  /* cert->name is the OpenSSL 1.0.x struct field (X509 is opaque from 1.1.0,
     where X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0) gives the
     same one-line form) */
  printf("Cert: %s\nRet %ld\n", cert->name, ret);

  X509_free(cert);
  BIO_free_all(bio);
  SSL_CTX_free(ctx);
  return 0;
}

By running it, I get:
$ ssl_test
Cert: /C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=*.facebook.com
Ret 20

where Ret 20 means, according to 'man verify':
20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

where I would expect:
0 X509_V_OK

Then I found this directory in my system, /etc/ssl/certs, containing
my installed CA roots, which I provided to OpenSSL, instead of the
certificate file:
SSL_CTX_load_verify_locations(ctx, NULL, "/etc/ssl/certs");

By running again, I get Ret 0, meaning X509_V_OK and the host was verified.

It seems to me that there is one certificate installed in
/etc/ssl/certs, which is different from the one I was providing, that
is being used to verify the host. If it is so, how can I know what
certificate is being used? And why Firefox and Chrome both use the
former certificate I provided, while OpenSSL is unable to use it for
the same host?

-- 
Lucas Clemente Vella
lve...@gmail.com


Failing to verify the certificate of one specific site

2011-10-09 Thread Lucas Clemente Vella
First of all, I am not a direct user of the OpenSSL library, but I am
using it via Python 2.7 built-in module ssl, which in turn uses
OpenSSL. Since my problem is SSL specific, I thought people here would
be more apt to help me.

I have a web server and I need to make an HTTPS request to the
external server graph.facebook.com. It is plain in the Python urllib2
module documentation that, while it will happily establish an HTTPS
connection, it will not verify the server's certificate. So I was
trying to use the ssl module to get the server's certificate verified.

The problem is that the verification fails, and I have no clue why.
My browser is able to verify the server's certificate using the same
root CA I provided to the ssl module, just type in
"https://graph.facebook.com/me". This small code shows the problem:

import socket, ssl
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_sock = ssl.wrap_socket(s,  # trust only the DigiCert EV root, require a verified peer cert
                           ca_certs="DigiCertHighAssuranceEVRootCA.crt",
                           cert_reqs=ssl.CERT_REQUIRED)
ssl_sock.connect(('graph.facebook.com', 443))

Traceback (most recent call last):
  File "ssl_test.py", line 4, in <module>
    ssl_sock.connect(('graph.facebook.com', 443))
  File "/usr/lib/python2.7/ssl.py", line 299, in connect
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 283, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:499: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

If I try the same code against 'ev-root.digicert.com', which is the
DigiCert test address for this certificate, it works and the host is
correctly verified.

So, do you have any clue why the verification of this specific host
fails even if I have the correct root CA? Any suggestions on how I can
get more details on the problem?

-- 
Lucas Clemente Vella
lve...@gmail.com