From: Edgar Pettijohn
To: Paul Schmehl
Cc: FreeBSD Questions
Date: Sun, 12 Nov 2017 14:36:31 -0600
Subject: Re: Openssl problem
Message-ID: <20171112203631.GA56031@FreeBSD>
In-Reply-To: <47D923B54DCCEC14A12CD796@Pauls-MacBook-Pro.local>

On Sun, Nov 12, 2017 at 02:03:45PM -0600, Paul Schmehl wrote:
> Since openssl is now in base, I hope this is the appropriate list for these
> questions.
>
> I'm running FreeBSD 10.3-RELEASE with
>
> # openssl version
> OpenSSL 1.0.1s-freebsd 1 Mar 2016
>
> This is the FreeBSD base version of openssl, not the ports version. I have
> ssh access to the server and can sudo to root.
>
> Please note: In the error messages below, I have removed some of the
> pathing so as not to reveal the exact locations on the server.
>
> I have two problems.
>
> When I use https with an rss reader module in Joomla, I get this error:
>
> Warning: fopen(): SSL operation failed with code 1. OpenSSL Error messages:
> error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify
> failed in /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line
> 335 Warning: fopen(): Failed to enable crypto in
> /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335
> Warning: fopen(https://blog.vvfh.org/feed/rss2): failed to open stream:
> operation failed in
> /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335

I'm curious what this line is.

> I've worked around this problem by not forcing https on the blog. That way
> the module can read the rss feed without encryption. The blog works without
> SSL and with SSL, and I force SSL for logins.
>
> I had someone test the feed from a different server, and it worked fine
> with SSL, so the problem appears to be isolated to this server.
>
> The second problem occurs when I try to run some command-line python
> scripts; I get this error:
>
> requests.exceptions.ConnectionError:
> HTTPSConnectionPool(host='wiki.vvfh.org', port=443): Max retries exceeded
> with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL
> routines', 'ssl3_get_server_certificate', 'certificate verify
> failed')],)",),))
>
> Both of them appear to be related to how openssl handles ssl sessions.
>
> Even more confusing, if I verify the cert from the commandline, openssl
> says it's OK.
>
> openssl verify -untrusted comodo-rsa-domain-validation-sha-2-w-root.ca-bundle STAR_vvfh_org.crt
> STAR_vvfh_org.crt: OK
>
> If I verify the cert without the chain, I get an error:
>
> openssl verify STAR_vvfh_org.crt
> STAR_vvfh_org.crt: OU = Domain Control Validated, OU = PositiveSSL
> Wildcard, CN = *.vvfh.org
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> This is my apache (2.4) config:
>
> # Enable SSL
> SSLEngine On
> SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Maybe try just:

SSLProtocol all

and see if that doesn't help.

> SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
> SSLHonorCipherOrder on
> SSLCertificateFile /webcerts/STAR_vvfh_org.crt
> SSLCertificateKeyFile /webcerts/STAR.vvfh.org.key
> SSLCACertificateFile /webcerts/COMODORSADomainValidationSecureServerCA.crt
> SSLCertificateChainFile /webcerts/comodo-rsa-domain-validation-sha-2-w-root.ca-bundle
>
> I've been working around the problem, but I'd like to figure it out and get
> it fixed.

I'd also recommend trying out certbot from ports and trying new certificates, etc., just to rule those out as the issue. It seems any time I have an SSL problem it turns out that the certs are messed up somehow or the permissions are wrong.

Good luck!

> Paul Schmehl, Retired
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them."
> George Orwell
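The thread does not settle why `openssl verify -untrusted <bundle>` passes while PHP's `fopen()` and python `requests` fail, but the difference worth checking first is that those clients only have the local CA store and must receive the intermediate from the server. The script below is an added example, not code from either poster: it parses the "Certificate chain" section of `openssl s_client -showcerts` output and reports the common misconfigurations a client would choke on; the embedded sample output is constructed with placeholder names, not captured from the host in the thread.

```python
import re
# Patterns for the "Certificate chain" block that
# `openssl s_client -connect HOST:443 -servername HOST -showcerts` prints
# (" 0 s:<subject>" then "   i:<issuer>") and for its verify summary line.
_ENTRY = re.compile(r"^\s*\d+\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")
_VERIFY = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*)\)", re.M)

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            subject = m.group(1).strip()
        elif subject is not None and _ISSUER.match(line):
            chain.append((subject, _ISSUER.match(line).group(1).strip()))
            subject = None
    return chain

def analyse_chain(text):
    """Why a client with only its local CA store (PHP fopen, python requests)
    would reject this handshake; an empty list means the chain looks sane."""
    chain = parse_chain(text)
    if not chain:
        return ["no 'Certificate chain' section found in s_client output"]
    findings = []
    for n in range(len(chain) - 1):  # issuer of cert n must be subject of n+1
        if chain[n][1] != chain[n + 1][0]:
            findings.append("cert %d issued by %r but cert %d is %r: gap or wrong order"
                            % (n, chain[n][1], n + 1, chain[n + 1][0]))
    subject, issuer = chain[-1]
    if len(chain) == 1 and subject != issuer:
        findings.append("server sends only the leaf, so clients cannot build the path "
                        "(Apache: intermediates belong in SSLCertificateChainFile)")
    if subject == issuer:
        findings.append("server also sends the self-signed root (unnecessary)")
    m = _VERIFY.search(text)
    if m and m.group(1) != "0":
        findings.append("openssl reports verify code %s: %s" % (m.group(1), m.group(2)))
    return findings

# Constructed s_client excerpt for a host that sends only its leaf certificate
# (placeholder names, not captured from the host discussed in the thread).
SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.example.org
   i:C = GB, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
    Verify return code: 21 (unable to verify the first certificate)
"""
```

Run the `s_client` command from the same machine as the failing client and pipe its output into `analyse_chain()`; a "Verify return code: 21" with a single chain entry is the server-side counterpart of the "unable to get local issuer certificate" error shown above.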