Re: Failing to verify the certificate of one specific site
2011/10/21 Jakob Bohm <jb-open...@wisemo.com>:
> According to the Digicert CPS http://www.digicert.com/docs/cps/DigiCert_EV-CPS.pdf,
> that DigiCert root is cross-certified by the Entrust root. Some trusted
> certificate bundles include only the Entrust root CA and will need the
> Entrust-signed cross intermediary certificate to validate; other trusted
> certificate bundles include the Digicert self-signed root for this key
> directly.
>
> It is expected from the standards and the behavior of other X.509 libraries
> that upon seeing the keyid of a known root, the library should stop
> following the chain and ignore any extra certificate provided by the entity
> being verified.

So, the behavior I get with OpenSSL when using the Digicert root is non-conformant with X.509? The peer's certificate should have been verified when I provided the Digicert root?

--
Lucas Clemente Vella
lve...@gmail.com
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
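Added example (not part of the thread, and not OpenSSL's or DigiCert's own material): a bash script that builds a miniature version of the situation Jakob describes with the openssl CLI and then runs `openssl verify` against each trust store. "Root A" and "Root B" stand in for the DigiCert and Entrust roots, "Inter" and "example.test" are made-up names, and the script assumes an OpenSSL with `-show_chain`, `-verify_hostname` and `-no-CApath` (1.1.0 or later).

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Builds two self-signed roots, a
# cross-certificate (Root A's key signed by Root B), an intermediate issued
# under Root A's key and a leaf, then verifies the leaf against each root with
# and without the cross-certificate in the peer-supplied chain.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: an empty DN section keeps `req -subj` quiet, plus the
# extension sets for CA and leaf certificates. (Made up for this demo.)
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Self-signed roots: A plays the DigiCert root, B plays the Entrust root.
for r in A B; do
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "root$r.key" \
    -subj "/CN=Root $r" -days 365 -config pki.cnf -extensions ca_ext \
    -out "root$r.pem" 2>/dev/null
done

# Cross-certificate: Root A's key and subject name, but signed by Root B.
# Its subjectKeyIdentifier is therefore the same as rootA.pem's.
openssl req -new -key rootA.key -subj "/CN=Root A" -config pki.cnf \
  -out crossA.csr 2>/dev/null
openssl x509 -req -in crossA.csr -CA rootB.pem -CAkey rootB.key \
  -CAcreateserial -days 365 -extfile pki.cnf -extensions ca_ext \
  -out crossA.pem 2>/dev/null

# Intermediate issued with Root A's key, leaf issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -subj "/CN=Inter" \
  -config pki.cnf -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA rootA.pem -CAkey rootA.key \
  -CAcreateserial -days 365 -extfile pki.cnf -extensions ca_ext \
  -out inter.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key \
  -subj "/CN=example.test" -config pki.cnf -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
  -CAcreateserial -days 365 -extfile pki.cnf -extensions leaf_ext \
  -out leaf.pem 2>/dev/null

# The extra certificates a server would send alongside its own, with and
# without the cross-certificate.
cat inter.pem crossA.pem > sent_with_cross.pem
cat inter.pem            > sent_without_cross.pem

# verify_chain TRUST_FILE UNTRUSTED_CHAIN
# Returns openssl's exit status. -no-CApath matters: without it, `openssl
# verify` also loads the system certificate directory, so a root you did not
# name may silently make the verification pass. -show_chain prints the chain
# that was actually built, i.e. which root (and whether the cross-cert) was used.
verify_chain() {
  openssl verify -CAfile "$1" -no-CApath -untrusted "$2" \
    -verify_hostname example.test -show_chain leaf.pem
}

echo "== trust Root A, peer sends inter + cross-cert =="
verify_chain rootA.pem sent_with_cross.pem
echo "== trust Root B, peer sends inter + cross-cert =="
verify_chain rootB.pem sent_with_cross.pem
echo "== trust Root A, peer sends inter only =="
verify_chain rootA.pem sent_without_cross.pem
echo "== trust Root B, peer sends inter only (expected to fail) =="
verify_chain rootB.pem sent_without_cross.pem \
  || echo "(fails: no path from Inter to Root B without the cross-certificate)"
```

Compare the four chains that -show_chain prints: when the peer includes the cross-certificate, either root verifies the leaf; when it does not, only the root whose key actually signed the intermediate does. OpenSSL 1.1.0 and later always look in the trust store before the peer-supplied certificates (the behaviour that `-trusted_first` enabled optionally in 1.0.2), which is why the first case passes here with Root A alone; the 1.0.x library of the original report instead followed the sent chain up through the cross-certificate and then looked for the other root, which is consistent with the error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) Lucas saw.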
Re: Failing to verify the certificate of one specific site
2011/10/9 Lucas Clemente Vella <lve...@gmail.com>:
> First of all, I am not a direct user of the OpenSSL library, but I am using
> it via Python 2.7 built-in module ssl, which in turn uses OpenSSL. Since my
> problem is SSL specific, I thought people here would be more apt to help me.

Now I wrote the C code using directly OpenSSL, and I get the same problem:

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

int main()
{
    long ret;
    BIO *bio;
    SSL_CTX *ctx;
    SSL *ssl;
    X509 *cert;

    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_BIO_strings();

    ctx = SSL_CTX_new(TLSv1_client_method());
    /* trust store: only the DigiCert EV root, no directory */
    SSL_CTX_load_verify_locations(ctx, "DigiCertHighAssuranceEVRootCA.crt", NULL);

    bio = BIO_new_ssl_connect(ctx);
    BIO_get_ssl(bio, &ssl);
    SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
    BIO_set_conn_hostname(bio, "graph.facebook.com:443");
    BIO_do_connect(bio);

    cert = SSL_get_peer_certificate(ssl);
    ret = SSL_get_verify_result(ssl);   /* X509_V_OK (0) if the chain verified */
    printf("Cert: %s\nRet %ld\n", cert->name, ret);

    X509_free(cert);
    BIO_free_all(bio);
    SSL_CTX_free(ctx);
    return 0;
}

By running it, I get:

$ ssl_test
Cert: /C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=*.facebook.com
Ret 20

which Ret 20 means, according to 'man verify':

20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

where I would expect:

0 X509_V_OK

Then I found this directory in my system, /etc/ssl/certs, containing my installed CA roots, which I provided to OpenSSL instead of the certificate file:

SSL_CTX_load_verify_locations(ctx, NULL, "/etc/ssl/certs");

By running again, I get Ret 0, meaning X509_V_OK, and the host was verified.

It seems to me that there is one certificate installed in /etc/ssl/certs, which is different from the one I was providing, that is being used to verify the host. If it is so, how can I know what certificate is being used? And why do Firefox and Chrome both use the former certificate I provided, while OpenSSL is unable to use it for the same host?
--
Lucas Clemente Vella
lve...@gmail.com
Failing to verify the certificate of one specific site
First of all, I am not a direct user of the OpenSSL library, but I am using it via Python 2.7 built-in module ssl, which in turn uses OpenSSL. Since my problem is SSL specific, I thought people here would be more apt to help me.

I have a web server and I need to make an HTTPS request to the external server graph.facebook.com. It is plain in the Python urllib2 module documentation that, while it will happily establish an HTTPS connection, it will not verify the server's certificate. So I was trying to use the ssl module to get the server's certificate verified. The problem is that the verification fails, and I have no clue why. My browser is able to verify the server's certificate using the same root CA I provided to the ssl module; just type in "https://graph.facebook.com/me".

This small code shows the problem:

import socket, ssl

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Trust only the DigiCert EV root and require the peer to present a
# certificate that chains to it.
ssl_sock = ssl.wrap_socket(s, ca_certs="DigiCertHighAssuranceEVRootCA.crt",
                           cert_reqs=ssl.CERT_REQUIRED)
ssl_sock.connect(('graph.facebook.com', 443))

Traceback (most recent call last):
  File "ssl_test.py", line 4, in <module>
    ssl_sock.connect(('graph.facebook.com', 443))
  File "/usr/lib/python2.7/ssl.py", line 299, in connect
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 283, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

If I try the same code against 'ev-root.digicert.com', which is the DigiCert test address for this certificate, it works and the host is correctly verified.

So, do you have any clue why the verification of this specific host fails even if I have the correct root CA? Any suggestions on how I can get more details on the problem?

--
Lucas Clemente Vella
lve...@gmail.com