Date: Sun, 12 Nov 2017 14:03:45 -0600
From: Paul Schmehl <pschmehl_lists@tx.rr.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Openssl problem
Message-ID: <47D923B54DCCEC14A12CD796@Pauls-MacBook-Pro.local>
Since openssl is now in base, I hope this is the appropriate list for these questions. I'm running FreeBSD 10.3-RELEASE with

  # openssl version
  OpenSSL 1.0.1s-freebsd 1 Mar 2016

This is the FreeBSD base version of openssl, not the ports version. I have ssh access to the server and can sudo to root.

Please note: In the error messages below, I have removed some of the pathing so as not to reveal the exact locations on the server.

I have two problems. When I use https with an rss reader module in Joomla, I get this error:

  Warning: fopen(): SSL operation failed with code 1. OpenSSL Error messages:
  error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335
  Warning: fopen(): Failed to enable crypto in /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335
  Warning: fopen(https://blog.vvfh.org/feed/rss2): failed to open stream: operation failed in /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335

I've worked around this problem by not forcing https on the blog. That way the module can read the rss feed without encryption. The blog works without SSL and with SSL, and I force SSL for logins. I had someone test the feed from a different server, and it worked fine with SSL, so the problem appears to be isolated to this server.

The second problem occurs when I try to run some command-line Python scripts; I get this error:

  requests.exceptions.ConnectionError: HTTPSConnectionPool(host='wiki.vvfh.org', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))
  <class 'requests.exceptions.ConnectionError'>

Both of them appear to be related to how openssl handles ssl sessions. Even more confusing, if I verify the cert from the command line, openssl says it's OK.

  openssl verify -untrusted comodo-rsa-domain-validation-sha-2-w-root.ca-bundle STAR_vvfh_org.crt
  STAR_vvfh_org.crt: OK

If I verify the cert without the chain, I get an error:

  openssl verify STAR_vvfh_org.crt
  STAR_vvfh_org.crt: OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.vvfh.org
  error 20 at 0 depth lookup:unable to get local issuer certificate

This is my apache (2.4) config:

  # Enable SSL
  SSLEngine On
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  SSLHonorCipherOrder on
  SSLCertificateFile /webcerts/STAR_vvfh_org.crt
  SSLCertificateKeyFile /webcerts/STAR.vvfh.org.key
  SSLCACertificateFile /webcerts/COMODORSADomainValidationSecureServerCA.crt
  SSLCertificateChainFile /webcerts/comodo-rsa-domain-validation-sha-2-w-root.ca-bundle

I've been working around the problem, but I'd like to figure it out and get it fixed.

Paul Schmehl, Retired
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell
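The two verify results above turn on one thing: whether the client can reach the intermediate CA that signed the leaf. As an added illustration, not code from the original post, the script below builds a throwaway root/intermediate/leaf chain with openssl (all names hypothetical) and reproduces both outcomes, then counts what a server-side chain file actually contains.

```shell
#!/bin/sh
# Added demo, not from the original post: build a throwaway
# root -> intermediate -> leaf chain (all names hypothetical) and
# reproduce both "openssl verify" results quoted in the message.
set -e
WORK=$(mktemp -d)

# 1. Self-signed root CA (stands in for the Comodo root).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# 2. Intermediate CA signed by the root (stands in for the DV issuing CA).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null

# 3. Wildcard leaf signed by the intermediate (stands in for STAR_vvfh_org.crt).
openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 30 -out "$WORK/leaf.crt" 2>/dev/null

# What PHP/requests see when the server sends only the leaf: the client trusts
# the root but cannot find the intermediate, so verification fails with
# "error 20 ... unable to get local issuer certificate". Exit 0 = OK, 1 = failed.
verify_leaf_alone() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# The post's working command: the intermediate is handed over explicitly with
# -untrusted, so the chain up to the trusted root can be built.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# Server-side check: the chain file a web server hands to clients must carry
# the intermediate, i.e. hold at least two certificates (here exactly two).
chain_file_cert_count() {
  cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/chain.pem"
  grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"
}

verify_leaf_alone && echo "leaf alone: OK" || echo "leaf alone: FAILED (expected)"
verify_with_intermediate && echo "with intermediate: OK"
echo "certificates in chain file: $(chain_file_cert_count)"
```

Apache sends clients whatever is in SSLCertificateChainFile (or, from 2.4.8 on, the extra certificates appended to SSLCertificateFile), and `openssl s_client -connect host:443 -showcerts` shows exactly which certificates a client receives.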