So, this does not work either (placing the PEM encoded cert in the variable):

$ export SSL_CERT_FILE=`cat startcom-ca-bundle.pem`
$ echo "GET / HTTP\1.1" | openssl s_client -connect api.pagepeeker.com:443
$ echo $SSL_CERT_FILE
-----BEGIN CERTIFICATE-----
MIIGnzCCBIegAwIBAgIBPTANBgkqhkiG9w0BAQsFADBTMQswCQYDVQQGEwJJTDEW
MBQGA1UEChMNU3RhcnRDb20gTHRkLjEsMCoGA1UEAxMjU3RhcnRDb20gQ2VydGlm
aWNhdGlvbiBBdXRob3JpdHkgRzIwHhcNMDYwOTE3MTk0NjM3WhcNMzYwOTE3MTk0
NjM3WjB9MQswCQYDV
...

$ echo "GET / HTTP\1.1" | openssl s_client -connect api.pagepeeker.com:443
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
Signing, CN = StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
---

Can anyone verify that SSL_CERT_FILE actually works in real life? Or
is it more undocumented, broken cruft lying around?

Jeff

On Wed, Oct 2, 2013 at 4:56 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> Hi All,
>
> I fetched StartCom's ca-bundle from http://www.startssl.com/certs/. I
> then connected to api.pagepeeker.com, which uses StartCom.
>
> When I use s_client and -CAfile, the verification completes
> successfully. When I use s_client and SSL_CERT_FILE, verification
> fails with "Verify return code: 19 (self signed certificate in
> certificate chain)".
>
> x509_def.c and by_file.c look OK to me (but I did not step it under
> the debugger). Yet it appears SSL_CERT_FILE is not honored.
>
> Are there any workarounds?
>
> Jeff
>
> **********
>
> When I run `openssl s_client` with `-CAfile`, the fetch works as expected:
>
> riemann::~$ echo "GET / HTTP\1.1" | openssl s_client -connect api.pagepeeker.com:443 -CAfile startcom-ca-bundle.pem
> CONNECTED(00000003)
> depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
> Signing, CN = StartCom Certification Authority
> verify return:1
> depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
> Signing, CN = StartCom Class 1 Primary Intermediate Server CA
> verify return:1
> depth=0 description = 8CTO6gSuxeRRsIXl, C = RO, CN =
> api.pagepeeker.com, emailAddress = alexandru.flore...@gmail.com
> verify return:1
> ---
> Certificate chain
>  0 s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Class 1 Primary Intermediate Server CA
>  1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Class 1 Primary Intermediate Server CA
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
>  2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIGZTCCBU2gAwIBAgIDCJkoMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
> TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
> <SNIP>
> 5FJ1IIaJc7+5
> -----END CERTIFICATE-----
> subject=/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
> issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Class 1 Primary Intermediate Server CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 5552 bytes and written 648 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: <SNIP>
>
>     Start Time: 1380708844
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> DONE
>
> **********
> When I run `openssl s_client` with `SSL_CERT_FILE`, the fetch fails
> due to a self signed certificate:
>
> riemann::~$ export SSL_CERT_FILE=`pwd`/startcom-ca-bundle.pem
> riemann::~$ echo $SSL_CERT_FILE
> /Users/jwalton/startcom-ca-bundle.pem
> riemann::~$ ls *.pem
> startcom-ca-bundle.pem
> riemann::~$ echo "GET / HTTP\1.1" | openssl s_client -connect api.pagepeeker.com:443
> CONNECTED(00000003)
> depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
> Signing, CN = StartCom Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Class 1 Primary Intermediate Server CA
>  1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Class 1 Primary Intermediate Server CA
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
>  2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIGZTCCBU2gAwIBAgIDCJkoMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
> TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
> <SNIP>
> 5FJ1IIaJc7+5
> -----END CERTIFICATE-----
> subject=/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
> issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Class 1 Primary Intermediate Server CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 5552 bytes and written 648 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: <SNIP>
>
>     Start Time: 1380746687
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
> DONE
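An offline reproduction of the experiment in this thread, added here as an example (it is not from the thread or from OpenSSL's own tests): it builds a throwaway CA and a leaf certificate signed by it, then compares `-CAfile`, `SSL_CERT_FILE` set to the bundle's path, and `SSL_CERT_FILE` set to the PEM text itself as in the first message above. The CA and leaf names are constructed, and it assumes an `openssl` binary on PATH.

```shell
# Builds a throwaway CA and a leaf certificate signed by it (constructed test
# data), then runs three verifications with the local openssl binary:
#   1. -CAfile <bundle>                   (the run that worked in the thread)
#   2. SSL_CERT_FILE=<path to bundle>     (what the variable is meant to hold)
#   3. SSL_CERT_FILE=<PEM text itself>    (the mistake in the first message)
# Returns 0 when 1 and 2 verify and 3 fails, i.e. when this OpenSSL honours
# SSL_CERT_FILE as a path to a bundle. Assumes `openssl` is on PATH.
check_ssl_cert_file() {
    work=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$work/leaf.csr" -CA "$work/ca.pem" \
        -CAkey "$work/ca.key" -CAcreateserial -out "$work/leaf.pem" \
        >/dev/null 2>&1 || return 1

    rc_cafile=0; rc_env_path=0; rc_env_blob=0
    # 1. explicit trust anchor on the command line
    openssl verify -CAfile "$work/ca.pem" "$work/leaf.pem" >/dev/null 2>&1 \
        || rc_cafile=$?
    # 2. trust anchor supplied through the environment, as a path
    SSL_CERT_FILE="$work/ca.pem" openssl verify "$work/leaf.pem" >/dev/null 2>&1 \
        || rc_env_path=$?
    # 3. PEM contents in the variable: no file of that name exists, so nothing
    #    is loaded from it and the test CA is unknown to the store
    SSL_CERT_FILE="$(cat "$work/ca.pem")" openssl verify "$work/leaf.pem" \
        >/dev/null 2>&1 || rc_env_blob=$?
    rm -rf "$work"

    echo "-CAfile=$rc_cafile SSL_CERT_FILE(path)=$rc_env_path SSL_CERT_FILE(pem)=$rc_env_blob"
    [ "$rc_cafile" -eq 0 ] && [ "$rc_env_path" -eq 0 ] && [ "$rc_env_blob" -ne 0 ]
}
```

Run `check_ssl_cert_file` and read the one-line summary: a zero `-CAfile` status next to a non-zero `SSL_CERT_FILE(path)` status is the symptom reported in the thread, while a non-zero `SSL_CERT_FILE(pem)` status alone only confirms that the variable must hold a path, not the certificate text.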
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org