Date: Sun, 12 Nov 2017 14:36:31 -0600
From: Edgar Pettijohn <edgar@pettijohn-web.com>
To: Paul Schmehl <pschmehl_lists@tx.rr.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Openssl problem
Message-ID: <20171112203631.GA56031@FreeBSD>
In-Reply-To: <47D923B54DCCEC14A12CD796@Pauls-MacBook-Pro.local>
References: <47D923B54DCCEC14A12CD796@Pauls-MacBook-Pro.local>
On Sun, Nov 12, 2017 at 02:03:45PM -0600, Paul Schmehl wrote:
> Since openssl is now in base, I hope this is the appropriate list for these
> questions.
>
> I'm running FreeBSD 10.3-RELEASE with
> # openssl version
> OpenSSL 1.0.1s-freebsd 1 Mar 2016
>
> This is the FreeBSD base version of openssl, not the ports version. I have
> ssh access to the server and can sudo to root.
>
> Please note: In the error messages below, I have removed some of the
> pathing so as not to reveal the exact locations on the server.
>
> I have two problems.
>
> When I use https with an rss reader module in Joomla, I get this error:
> Warning: fopen(): SSL operation failed with code 1. OpenSSL Error messages:
> error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify
> failed in /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335
> Warning: fopen(): Failed to enable crypto in
> /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335
> Warning: fopen(https://blog.vvfh.org/feed/rss2): failed to open stream:
> operation failed in
> /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335

I'm curious what this line is.

> I've worked around this problem by not forcing https on the blog. That way
> the module can read the rss feed without encryption. The blog works without
> SSL and with SSL, and I force SSL for logins.
>
> I had someone test the feed from a different server, and it worked fine
> with SSL, so the problem appears to be isolated to this server.
>
> The second problem occurs when I try to run some command-line python
> scripts; I get this error:
> requests.exceptions.ConnectionError:
> HTTPSConnectionPool(host='wiki.vvfh.org', port=443): Max retries exceeded
> with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL
> routines', 'ssl3_get_server_certificate', 'certificate verify
> failed')],)",),))
> <class 'requests.exceptions.ConnectionError'>
>
> Both of them appear to be related to how openssl handles ssl sessions.
>
> Even more confusing, if I verify the cert from the command line, openssl
> says it's OK.
> openssl verify -untrusted comodo-rsa-domain-validation-sha-2-w-root.ca-bundle STAR_vvfh_org.crt
> STAR_vvfh_org.crt: OK
>
> If I verify the cert without the chain, I get an error:
> openssl verify STAR_vvfh_org.crt
> STAR_vvfh_org.crt: OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.vvfh.org
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> This is my apache (2.4) config:
> # Enable SSL
> SSLEngine On
> SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Maybe try just:

SSLProtocol all

and see if that doesn't help.

> SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
> SSLHonorCipherOrder on
> SSLCertificateFile /webcerts/STAR_vvfh_org.crt
> SSLCertificateKeyFile /webcerts/STAR.vvfh.org.key
> SSLCACertificateFile /webcerts/COMODORSADomainValidationSecureServerCA.crt
> SSLCertificateChainFile /webcerts/comodo-rsa-domain-validation-sha-2-w-root.ca-bundle
>
> I've been working around the problem, but I'd like to figure it out and get
> it fixed.

I'd also recommend trying out certbot from ports and trying new certificates, etc., just to rule those out as the issue.

It seems any time I have an SSL problem it turns out that the certs are messed up somehow or the permissions are wrong. Good luck!

> Paul Schmehl, Retired
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
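The two `openssl verify` results quoted in the thread (OK when the CA bundle is passed with `-untrusted`, "error 20 at 0 depth lookup" without it) are reproduced below on a throw-away root -> intermediate -> leaf chain. This is an added example and not code from the thread or from FreeBSD; the CA names, the wildcard `*.example.test`, the two-day validity and the work directory are all made up for the demo, and it needs only the `openssl` command-line tool. It also shows one case the thread does not: a file passed with `-untrusted` is path-building material only, so a root that happens to be inside the bundle is not a trust anchor, and verification passes only when the root comes from a trust store (`-CAfile` here, or whatever default store the verifying openssl consults).

```shell
#!/bin/sh
# Added example (not from the original thread): build a throw-away
# root -> intermediate -> leaf chain and run `openssl verify` three ways.
# Every name below is invented for the demo.
set -u

WORK="${TMPDIR:-/tmp}/verify-demo.$$"

# Create root CA, intermediate CA and a wildcard leaf (RSA-2048, 2 days).
make_pki() {
    mkdir -p "$WORK" || return 1
    # The intermediate must carry CA:TRUE; otherwise path validation rejects
    # it as an invalid CA instead of accepting it as the leaf's issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' \
        > "$WORK/leaf.ext"

    # Root: self-signed, the only thing a client is meant to trust a priori.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -sha256 -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1 || return 1

    # Intermediate, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -sha256 -days 2 -extfile "$WORK/ca.ext" \
        -out "$WORK/int.crt" >/dev/null 2>&1 || return 1

    # Leaf (the server certificate), signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=*.example.test' \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -sha256 -days 2 -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.crt" >/dev/null 2>&1 || return 1

    # The "bundle" a CA hands out: intermediate plus root, as in the thread.
    cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/bundle.pem"
}

# 1. Leaf alone: nothing links it to a trust anchor, so the verifier stops
#    at depth 0 with "unable to get local issuer certificate" (error 20).
verify_leaf_alone() {
    openssl verify "$WORK/leaf.crt" 2>&1
}

# 2. Leaf plus the bundle as -untrusted: the chain now builds up to the
#    root, but -untrusted never makes anything a trust anchor, so this
#    still fails unless the same root is already in the default store.
verify_untrusted_bundle() {
    openssl verify -untrusted "$WORK/bundle.pem" "$WORK/leaf.crt" 2>&1
}

# 3. Explicit trust anchor (-CAfile root) plus the intermediate for path
#    building: prints "<path>/leaf.crt: OK" and exits 0.
verify_full_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt" 2>&1
}

cleanup() {
    rm -rf "$WORK"
}

# Stand-alone run: show the three outcomes side by side.  The exit-status
# checks assume an openssl whose `verify` exits non-zero on failure
# (1.1.0 and newer do).
main() {
    make_pki || { echo "PKI setup failed (is openssl installed?)" >&2; return 1; }
    echo "--- leaf alone";                     verify_leaf_alone
    echo "--- leaf + bundle as -untrusted";    verify_untrusted_bundle
    echo "--- leaf + intermediate, root trusted"; verify_full_chain
    cleanup
}
main
```

When the same symptom shows up in a real client (the PHP `fopen()` and Python `requests` errors above both fail at `ssl3_get_server_certificate`), the two things to check are which chain the server actually sends and which trust store the client library consults. `openssl s_client -connect wiki.vvfh.org:443 -servername wiki.vvfh.org -showcerts` lists every certificate the server presents and ends with a `Verify return code`; if the intermediate is missing there, the server configuration is at fault, and if it is present but the client still fails, the client's CA bundle is.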