It gets even more bizarre after soft linking SSL_CERT_FILE to startcom-ca-bundle.pem ....

Does anyone know how to use SSL_CERT_FILE (or how it's intended to be used)?

Jeff

*****

riemann::~$ ln -s startcom-ca-bundle.pem SSL_CERT_FILE
riemann::~$ echo "GET / HTTP\1.1" | openssl s_client -connect api.pagepeeker.com:443
CONNECTED(00000003)
depth=0 description = 8CTO6gSuxeRRsIXl, C = RO, CN = api.pagepeeker.com, emailAddress = alexandru.flore...@gmail.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 description = 8CTO6gSuxeRRsIXl, C = RO, CN = api.pagepeeker.com, emailAddress = alexandru.flore...@gmail.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 description = 8CTO6gSuxeRRsIXl, C = RO, CN = api.pagepeeker.com, emailAddress = alexandru.flore...@gmail.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGZTCCBU2gAwIBAgIDCJkoMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
<SNIP>
5FJ1IIaJc7+5
-----END CERTIFICATE-----
subject=/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1957 bytes and written 647 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: <SNIP>
    Start Time: 1380749054
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE

On Wed, Oct 2, 2013 at 4:56 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> Hi All,
>
> I fetched StartCom's ca-bundle from http://www.startssl.com/certs/. I
> then connected to api.pagepeeker.com, which uses StartCom.
>
> When I use s_client and -CAfile, the verification completes
> successfully. When I use s_client and SSL_CERT_FILE, verification
> fails with "Verify return code: 19 (self signed certificate in
> certificate chain)".
>
> x509_def.c and by_file.c look OK to me (but I did not step it under
> the debugger). Yet it appears SSL_CERT_FILE is not honored.
>
> Are there any workarounds?
>
> Jeff
>
> **********
>
> When I run `openssl s_client` with `-CAfile`, the fetch works as expected:
>
> riemann::~$ echo "GET / HTTP\1.1" | openssl s_client -connect api.pagepeeker.com:443 -CAfile startcom-ca-bundle.pem
> CONNECTED(00000003)
> depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
> verify return:1
> depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
> verify return:1
> depth=0 description = 8CTO6gSuxeRRsIXl, C = RO, CN = api.pagepeeker.com, emailAddress = alexandru.flore...@gmail.com
> verify return:1
> ---
> Certificate chain
>  0 s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
>  1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>  2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIGZTCCBU2gAwIBAgIDCJkoMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
> TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
> <SNIP>
> 5FJ1IIaJc7+5
> -----END CERTIFICATE-----
> subject=/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
> issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 5552 bytes and written 648 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: <SNIP>
>     Start Time: 1380708844
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> DONE
>
> **********
>
> When I run `openssl s_client` with `SSL_CERT_FILE`, the fetch fails
> due to a self signed certificate:
>
> riemann::~$ export SSL_CERT_FILE=`pwd`/startcom-ca-bundle.pem
> riemann::~$ echo $SSL_CERT_FILE
> /Users/jwalton/startcom-ca-bundle.pem
> riemann::~$ ls *.pem
> startcom-ca-bundle.pem
> riemann::~$ echo "GET / HTTP\1.1" | openssl s_client -connect api.pagepeeker.com:443
> CONNECTED(00000003)
> depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
>  1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>  2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIGZTCCBU2gAwIBAgIDCJkoMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
> TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
> <SNIP>
> 5FJ1IIaJc7+5
> -----END CERTIFICATE-----
> subject=/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
> issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 5552 bytes and written 648 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: <SNIP>
>     Start Time: 1380746687
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
> DONE

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
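The thread contrasts two ways of handing OpenSSL a trust anchor: an explicit `-CAfile`, and the `SSL_CERT_FILE` environment variable, which `by_file.c` consults when the "default" file lookup is asked to load a NULL filename (the variable name itself comes from `x509_def.c`). The script below is an added example, not part of the thread and not OpenSSL project code. It builds a throwaway root / intermediate / leaf chain with constructed names, then runs `openssl verify` three ways: with `-CAfile`, with `SSL_CERT_FILE` and no `-CAfile`, and with the root present in the peer's chain but absent from every trust store, which reproduces the "error 19" outcome the poster saw. It assumes a current `openssl` command-line tool (1.1.1 or 3.x) on PATH and a POSIX shell; it shows what the environment variable is meant to do on such a build and does not explain why the poster's build ignored it.

```shell
#!/bin/sh
# Added example (not from the thread): -CAfile vs. SSL_CERT_FILE against a
# constructed, throwaway certificate chain. All names are made up for this demo.
set -u

# make_test_chain DIR: build root -> intermediate -> leaf in DIR (constructed, 2-day validity).
make_test_chain() {
  dir=$1
  # Self-contained req config so the demo does not depend on the system openssl.cnf.
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
                'keyUsage = critical, keyCertSign, cRLSign' > "$dir/ca_ext.cnf"
  printf '%s\n' 'basicConstraints = CA:FALSE' \
                'subjectAltName = DNS:leaf.example.test' > "$dir/leaf_ext.cnf"

  # Self-signed root: the trust anchor the two lookups are supposed to find.
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Test Root" -keyout "$dir/root.key" -out "$dir/root.pem" \
    >/dev/null 2>&1 || return 1
  # Intermediate CA, signed by the root.
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Test Intermediate" -keyout "$dir/int.key" -out "$dir/int.csr" \
    >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -extfile "$dir/ca_ext.cnf" -out "$dir/int.pem" \
    >/dev/null 2>&1 || return 1
  # Leaf, signed by the intermediate.
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=leaf.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 2 -extfile "$dir/leaf_ext.cnf" -out "$dir/leaf.pem" \
    >/dev/null 2>&1 || return 1
  # What the server in the thread sent: intermediate plus the root itself.
  cat "$dir/int.pem" "$dir/root.pem" > "$dir/chain.pem"
  # An empty trust file, used to model "no trusted root anywhere".
  : > "$dir/empty.pem"
}

# verify_with_cafile DIR: explicit trust file, as in the poster's working -CAfile command.
verify_with_cafile() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/leaf.pem" 2>&1 \
    | grep -q ': OK$'
}

# verify_with_env DIR: no -CAfile, so the default file lookup reads SSL_CERT_FILE instead.
verify_with_env() {
  SSL_CERT_FILE="$1/root.pem" openssl verify -untrusted "$1/chain.pem" "$1/leaf.pem" 2>&1 \
    | grep -q ': OK$'
}

# verify_untrusted_root DIR: root is in the peer chain but in no trust store, so the
# chain tops out at an untrusted self-signed cert: verify error 19 (OpenSSL 3 spells
# it "self-signed"; 1.1.1 spells it "self signed", hence the '.' in the pattern).
verify_untrusted_root() {
  SSL_CERT_FILE="$1/empty.pem" openssl verify -untrusted "$1/chain.pem" "$1/leaf.pem" 2>&1 \
    | grep -q 'self.signed certificate in certificate chain'
}

# Stand-alone run: build the chain in a temp dir, report the three outcomes, clean up.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_test_chain "$workdir" || { echo "could not build test chain"; exit 1; }
verify_with_cafile "$workdir"    && echo "-CAfile root.pem       : OK"
verify_with_env "$workdir"       && echo "SSL_CERT_FILE=root.pem : OK"
verify_untrusted_root "$workdir" && echo "no trusted root        : error 19 reproduced"
```

The third case is the one worth keeping in mind when reading the poster's output: a root certificate that the server includes in its handshake is still untrusted unless the same certificate is found in whichever store the client actually loaded, and an explicit `-CAfile` always wins over the environment variable because the default lookup is only added when no `-CAfile` is given.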