From: Paul Schmehl
To: FreeBSD Questions
Date: Sun, 12 Nov 2017 14:03:45 -0600
Subject: Openssl problem

Since openssl is now in base, I hope this is the appropriate list for these questions.

I'm running FreeBSD 10.3-RELEASE with

    # openssl version
    OpenSSL 1.0.1s-freebsd 1 Mar 2016

This is the FreeBSD base version of openssl, not the ports version. I have ssh access to the server and can sudo to root.
Please note: In the error messages below, I have removed some of the pathing so as not to reveal the exact locations on the server.

I have two problems. When I use https with an rss reader module in Joomla, I get this error:

    Warning: fopen(): SSL operation failed with code 1. OpenSSL Error messages:
    error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335
    Warning: fopen(): Failed to enable crypto in /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335
    Warning: fopen(https://blog.vvfh.org/feed/rss2): failed to open stream: operation failed in /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335

I've worked around this problem by not forcing https on the blog. That way the module can read the rss feed without encryption. The blog works without SSL and with SSL, and I force SSL for logins. I had someone test the feed from a different server, and it worked fine with SSL, so the problem appears to be isolated to this server.

The second problem occurs when I try to run some command-line Python scripts; I get this error:

    requests.exceptions.ConnectionError: HTTPSConnectionPool(host='wiki.vvfh.org', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

Both of them appear to be related to how openssl handles ssl sessions. Even more confusing, if I verify the cert from the commandline, openssl says it's OK.
    openssl verify -untrusted comodo-rsa-domain-validation-sha-2-w-root.ca-bundle STAR_vvfh_org.crt
    STAR_vvfh_org.crt: OK

If I verify the cert without the chain, I get an error:

    openssl verify STAR_vvfh_org.crt
    STAR_vvfh_org.crt: OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.vvfh.org
    error 20 at 0 depth lookup:unable to get local issuer certificate

This is my apache (2.4) config:

    # Enable SSL
    SSLEngine On
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCertificateFile /webcerts/STAR_vvfh_org.crt
    SSLCertificateKeyFile /webcerts/STAR.vvfh.org.key
    SSLCACertificateFile /webcerts/COMODORSADomainValidationSecureServerCA.crt
    SSLCertificateChainFile /webcerts/comodo-rsa-domain-validation-sha-2-w-root.ca-bundle

I've been working around the problem, but I'd like to figure it out and get it fixed.

Paul Schmehl, Retired
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell
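An added example, not part of the post above: it builds a throwaway root / intermediate / leaf chain with the openssl CLI and reproduces the two verify outcomes quoted in the message, so the difference between "error 20 at 0 depth lookup: unable to get local issuer certificate" (store trusts the root, but the intermediate is nowhere to be found) and "OK" (the same leaf with the intermediate supplied, here via -untrusted as in the post) can be seen without touching a real server. All file names and subjects (root.key, int.crt, leaf.crt, *.example.test) are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the original post). A client's trust store
# normally holds only roots, so a server that fails to send its intermediate
# leaves the client unable to build the chain: that is the error 20 at depth 0
# seen in the post. Supplying the intermediate makes the identical leaf verify.
set -e
WORK=$(mktemp -d)
cd "$WORK"

make_chain() {
    # Minimal req config so the example does not depend on a system openssl.cnf
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    # Self-signed root CA (constructed)
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -new -config req.cnf -key root.key -subj '/CN=Example Test Root' -out root.csr
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
    # Intermediate CA, signed by the root
    openssl genrsa -out int.key 2048 2>/dev/null
    openssl req -new -config req.cnf -key int.key -subj '/CN=Example Test Intermediate' -out int.csr
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out int.crt 2>/dev/null
    # Wildcard leaf (the role of the STAR_ certificate in the post), signed by the intermediate
    openssl genrsa -out leaf.key 2048 2>/dev/null
    openssl req -new -config req.cnf -key leaf.key -subj '/CN=*.example.test' -out leaf.csr
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null
}

# Store holds only the root and the intermediate is not offered: expect
# "error 20 at 0 depth lookup: unable to get local issuer certificate"
verify_without_chain() {
    openssl verify -CAfile root.crt leaf.crt 2>&1 || true
}

# Same store, intermediate offered as an untrusted chain certificate
# (what -untrusted did in the post): expect "leaf.crt: OK"
verify_with_chain() {
    openssl verify -CAfile root.crt -untrusted int.crt leaf.crt 2>&1 || true
}

make_chain
echo "--- leaf only:";              verify_without_chain
echo "--- leaf + intermediate:";    verify_with_chain
```

The same distinction applies to a live server: a client that trusts only the root succeeds only if the server sends the intermediate in its handshake, which is what SSLCertificateChainFile is for.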