Date: Tue, 1 Dec 2015 11:28:57 +0000
From: Oliver Schonrock <oliver@schonrocks.com>
To: freebsd-bugs@freebsd.org
Subject: openssl: verify error:num=20:unable to get local issuer certificate
Message-ID: <565D8479.1040404@schonrocks.com>
I posted the below to freebsd-questions a couple of days ago, but not getting any response there. Not convinced this is a legitimate bug report, but would appreciate some feedback.

---

I know this is a popular error, however, please bear with me, I am reasonably confident I have covered the obvious (famous last words!).

This is how I produce this certificate chain validation error (the site is important):

$ openssl s_client -connect api.textmarketer.co.uk:443 2>&1 | less

depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate

This is on a fully updated FreeBSD 10.1 machine with

OpenSSL 1.0.1l-freebsd 15 Jan 2015

using (I believe, see below) the crt bundle /usr/local/share/certs/ca-root-nss.crt from

$ pkg info | grep nss
ca_root_nss-3.20.1

So openssl does not recognise that Thawte root cert as locally trusted, but the above file definitely contains that cert. I know this because:

a) I have manually forced openssl to use that file (hopefully getting around all the path issues that most similar reported problems seem to boil down to). Like this:

$ openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect api.textmarketer.co.uk:443

same result

b) I also compared the cert file with one of my FreeBSD 10.2 machines (which is working fine), and it's the same apart from the version number in the first line. I also scp'd the crt bundle over to the working 10.2 machine and forced openssl to use it with -CAfile. That works fine.

So the bundle file is fine, openssl is using that file (-CAfile reports errors if I make an intentional mistake with the filename). That leaves just 2 things that I can think of:

1. something wrong with that site's cert or the cert chain it presents. I thought this was it, because other sites work. eg:

openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect google.com:443 2>&1

depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1

but remember: this site's cert path validates as trusted from the 10.2 machine with the same cert file. Also https://www.ssllabs.com/ssltest/ reports no chain issue etc...

2. there is something wrong with the openssl installation on that 10.1 machine. I did upgrade this machine from 10.0 to 10.1 using freebsd-update on October 16th 2015 (too late I know, could that be the issue?). I also installed the recent updates for ntpd vulnerabilities etc. I did reboot after those.

Suspiciously, that problematic 10.1 machine was validating that exact cert path fine before the upgrade from 10.0. I know this because userland applications, like curl, are being used regularly to connect to that very site and I have logs to prove that it was working ...and now isn't.

I have put a workaround in place to get curl to connect untrusted, but that's not good, clearly. It also worries me what else is not working, or not secure?

In an attempt to narrow it down further, I installed openssl from ports using pkg:

pkg install openssl

/usr/local/bin/openssl s_client -connect api.textmarketer.co.uk:443 2>&1 | less

depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1

works!...so does that mean my openssl in the base system is messed up?

I also compared my /etc/ssl/openssl.cnf with the working 10.2 machine, and that's identical as well.

So I am fast running out of ideas of how to narrow this down further. Help please?! Is this a valid bug-report?

Many thanks in advance.

Oliver
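Added illustration, not part of Oliver's message or of any FreeBSD or OpenSSL code: a constructed root CA, a leaf signed by it, and an unrelated root that stands in for a bundle missing the issuer. It reproduces "error 20" offline with openssl verify (the same path-building check s_client -CAfile performs) and scripts the comparison done by hand above: does the bundle hold a certificate whose subject equals the issuer at the top of the presented chain? The CN values and file names are constructed for the example.

```shell
#!/bin/sh
# Constructed test PKI (not the site's real chain): a self-signed root, a leaf
# signed by it, and an unrelated root that stands in for a bundle lacking the issuer.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated Root" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1

# verify_chain BUNDLE CERT: the check s_client -CAfile performs, without the
# network; prints openssl's verdict and returns non-zero on failure.
verify_chain() {
  openssl verify -CAfile "$1" "$2" 2>&1
}

# bundle_has_issuer BUNDLE CERT: does BUNDLE contain a certificate whose
# subject equals CERT's issuer? Both strings come from the same openssl
# binary, so their name formatting matches whichever version is installed.
bundle_has_issuer() {
  issuer=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer= *//')
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
    | sed -n 's/^subject= *//p' | grep -Fxq "$issuer"
}

# Demonstration: the right bundle validates, the wrong one yields error 20.
verify_chain "$WORK/root.pem" "$WORK/leaf.pem"
verify_chain "$WORK/other.pem" "$WORK/leaf.pem" || true
bundle_has_issuer "$WORK/root.pem" "$WORK/leaf.pem" && echo "issuer present in root.pem"
bundle_has_issuer "$WORK/other.pem" "$WORK/leaf.pem" || echo "issuer absent from other.pem"
```

Run against a real bundle, replace the constructed root.pem with /usr/local/share/certs/ca-root-nss.crt and the leaf with the top certificate of the chain s_client -showcerts prints.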