LinuxQuestions.org > Slackware > openssl ssl error code 14090086 verify the CA cert is ok / certificate verify failed (https://www.linuxquestions.org/questions/slackware-14/openssl-ssl-error-code-14090086-verify-the-ca-cert-is-ok-certificate-verify-failed-703523/)

acummings 02-10-2009 12:57 AM

openssl ssl error code 14090086 verify the CA cert is ok / certificate verify failed
 
Bypass next drivel by going to here:

http://www.linuxquestions.org/questi...3/#post3459043

Hi,

BTW I've a Slackware 11.0 box that this (app) es<snipped>niper (less the <snipped>) works just fine on, no prob., no error.

The prob. that I post about here happens on my Slack 12.2 box.

Slackware 12.2 with the (latest official) patched ssl .tgz package and the patched lib package.

Using the (open source app.) es<snipped>niper (less the <snipped>) which b i d s to the https e<snipped>bay (less the <snipped>) au<snipped>ction site.

The above app uses curl and openssl.

I'm not sure if this is a curl or an openssl problem. (but I think it's ssl prob.).

curl can download to STDOUT the html markup -- that part is working.

I added (to no avail) an env var for curl to find where the CA certs are.

al@P5Q:~$ env | grep CU
CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

root@P5Q:/etc/ssl/certs# pwd
/etc/ssl/certs
root@P5Q:/etc/ssl/certs# ls -la
total 8
drwxr-xr-x 2 root root 4096 2009-02-09 21:56 ./
drwxr-xr-x 5 root root 4096 2009-02-09 20:38 ../
lrwxrwxrwx 1 root root 24 2009-02-09 21:56 ca-certificates.crt -> /home/al/.ssh/cacert.pem

I saw the verify openssl man page which listed options. I googled for some verify example command lines but didn't find any.

user and password (for my_e<snipped>bay) are a go but then the error quickly returns (both as root also as user)

Next is the error in its entirety

Code:

al@P5Q:~$ es<snipped>niper auc_tion_# $_amount
Auction auc_tion_#: Cannot connect to URL : Peer certificate cannot be authenticated with known CA certificates: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Retrying...
Auction auc_tion_#: Cannot connect to URL : Peer certificate cannot be authenticated with known CA certificates: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Retrying...
Auction auc_tion_#: Cannot connect to URL : Peer certificate cannot be authenticated with known CA certificates: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Auction auc_tion_#: Cannot connect to URL : Peer certificate cannot be authenticated with known CA certificates: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Alan.

http://www.linuxquestions.org/questi...3/#post3459043

raskin 02-11-2009 12:29 PM

I hope you know what host and port it connects to. Try to get verbose information from openssl s_client -host host -port port. Also note, that it may be that your program doesn't use curl, and needs some special options to tune certificate validation.

acummings 02-23-2009 03:58 PM

Bug in Slack 12.2 openssl config? Or? Attn. Slackware development team members
 
Hi,

Please see at the next url/thread for the specifics of the openssl error:

[MODERATED:this thread] (please don't crosspost, otherwise post duplicates or attn:redirects).

Two, patched up to date, Slackware 12.2 boxes now do this very same SSL error. OTOH a slackware 11.0 box openssl works fine, without any error.

Is this due to a bug in the 12.2 openssl config? Or, instead, is it that a Slackware 11.0 box openssl works OK without this error due to an insecureness inherent in its earlier version of openssl?

BTW if I get some time, I can run NMAP and/or wireshark so as to find out what port(s) the 12.2 openssl runs on so as for me to pursue the one reply to my above listed thread.

Thanks much! Slack rocks!

--
Alan.

acummings 02-23-2009 04:04 PM

Hi,

esniper does use curl.

Forget esniper.

I get the same openssl error using curl to logon to https my ebay.

While doing that, I get prompted for my username and password which goes fine.

The listed openssl error returns just after my password is sent. And, logon does not happen due to the error.

Thanks. Alan.

raskin 02-23-2009 04:14 PM

Looks like the login form is sent via unencrypted http (which makes it vulnerable to interception and redirection to another URL, but that's another story). Did you try the command I specified? It could help you to get the certificate you need to feed to curl. Or you can use the -k flag to curl to skip verifying the SSL certificate.

Alien Bob 02-23-2009 04:46 PM

Why so secretive about the use of esniper? If you feel bad about using it, then don't.
The curl in Slackware is not configured to look for a CA certificate bundle in a default location (nor does the curl package ship with one). Also, curl uses openssl for the "https" part - without a CA certificate bundle, curl can not verify the correctness of the certificate chain.

You can however use one of the CA certificate bundles installed with KDE's "kdelibs" package (both KDE4 and KDE3). An example invocation:
Code:

curl --cacert /usr/share/apps/kssl/ca-bundle.crt -v https://www.mozilla.org/
If you do not have KDE installed or just want a recent CA cert bundle, download the one from the curl site (it is kept up to date with the CA pool from the Mozilla foundation): http://curl.haxx.se/ca/cacert.pem and install it in a sane place like /etc/ssl/certs/ .

I have no idea how esniper uses curl, so I can not comment on the use of a CURL_CA_BUNDLE environment variable. You may have to reconfigure/recompile curl and specify an explicit path for the CA certificate file (/etc/ssl/certs/ca-bundle.crt is a common name for that).

Eric

Alien Bob 02-23-2009 04:50 PM

It's not a bug, it is a feature. SSL certificates are not trusted by looking into their big blue eyes.

You are probably right that the old curl packages had a CA certificate bundle configured for use. My old 10.1 box comes with /usr/share/curl/curl-ca-bundle.crt and uses that too. You can email Pat about the missing ca-bundle.crt.

Eric

acummings 02-23-2009 06:29 PM

Well then, evidently it's a feature, as you said.

IOW, "let us be secure." (I wouldn't have it otherwise).

Yes, (see enclosed url, etc.) curl no longer ships with any cert bundle.

For now, at next, I'm sounding out what it appears that I need to do to get it to work (securely -- disabling the cert or secure check is not an option) on Slack 12.2

I've perhaps a few minutes this evening or else a few days will pass until I have more experimentation (hacking?) time.

http://curl.haxx.se/docs/faq.html#Wh...te_ca_bundle_c

(curl no longer ships with ca_bundle.cert)

http://curl.haxx.se/docs/sslcerts.html

(howto do it yourself, the ca_bundle.cert)

Quote:

4. If you're using the curl command line tool, you can specify your own CA
cert path by setting the environment variable CURL_CA_BUNDLE
Quote:

2. . . . With the curl command line tool: --cacert [file]
Hmm, since esniper calls curl, then, it appears that I need to:

1. intercept and alter the esniper command line that gets passed to openssl

2. alias my system curl so that when "curl" gets called, it also adds into the command the mentioned above pointers to my CA_cert bundle or whatever it's called that no longer ships with curl.

3. (?) Recompile myself a Slackware package of curl and openssl that includes a cert bundle so that the paths to the bundle are native, i.e. not needed on curl's command line.

--
Alan.

acummings 02-23-2009 06:44 PM

Quote:

Did you try the command I specified? It could help you to get the certificate you need to feed to curl. Or you can use -k
(-k is not an option that I'll choose).

curl to https my ebay login page is attempting to do it securely. It just is "Unable to verify" some certificate. So it stops without logging on.

Not yet tried your specified command. I need to run NMAP and/or ethereal in order to find out what port(s) are being used.

You specified said port(s) are a part of your specified command.

Thanks. I'll report back here when I can, shouldn't be any longer than a couple or 3 days from now.

Meanwhile, until then, I've moments or precious few minutes.

So, I can watch here. And short experiment until a few days from now then I can get more extensive.

(it's probably a rather simple problem, ha ha) -- I just (don't yet) know enough about it all.

Alan.

raskin 02-23-2009 11:00 PM

https uses port 443

acummings 02-26-2009 01:41 AM

I'm a dummy on this ssl stuff. The next don't work. What have I done wrong?

Code:

al@P5Q:~$ hig openssl
  470  openssl s_client -host 127.0.0.1 -port 443
  472  openssl s_client -host https://signin.ebay.com/ws/eBayISAPI.dll?SignIn -port 443
  473  openssl s_client -host https://signin.ebay.com/ws/eBayISAPI.dll?SignIn -port 443
  475  hig openssl
al@P5Q:~$

Alan.

raskin 02-26-2009 02:22 AM

Wrong. "openssl s_client -host signin.ebay.com -port 443". It should print out the server certificate.

acummings 02-26-2009 02:32 AM

Quote:

It should print out server certificate.
It did! Cool.

Am I the client? ie "no client certificate sent" or similar.

What next?

Alan.

raskin 02-26-2009 02:45 AM

Yes you are. But I guess you didn't plan to use a client certificate for authentication anyway. OpenSSL told you what top-level certificate is used. You could export that root certificate from Firefox and specify it with the "--cacert some.cert" option to curl.

acummings 02-27-2009 01:51 AM

I got it working!!

I used the next. I ran it:

http://curl.haxx.se/lxr/source/lib/mk-ca-bundle.pl

And, doing so, created: ca-bundle.crt

al@P5Q:~/.ssh$ pwd
/home/al/.ssh
al@P5Q:~/.ssh$ ls
ca-bundle.crt


root@P5Q:~# removepkg curl-7.19.2-i486-1


From a Slackware mirror, I downloaded the "curl" source folder of files (source for curl)

I added one line into the configure section of the slackbuild, thus:

./configure \
--prefix=/usr \
--mandir=/usr/man \
--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \
$SSLOPT

The added 1 liner is above $SSLOPT (permanently points it to the cert bundle).

Then I built my _ac package of curl:

root@P5Q:~# sh ./curl_ac.SlackBuild

Then I installed this new curl:

root@P5Q:~# installpkg curl-7.19.2-i486-1_ac.tgz

Next it can be seen that I symlinked from where this new curl looks for the cert bundle to the newly created cert bundle, created from the Perl script listed above.

root@P5Q:/etc/ssl/certs# pwd
/etc/ssl/certs
root@P5Q:/etc/ssl/certs# ls -la
total 12
drwxr-xr-x 2 root root 4096 2009-02-26 22:22 ./
drwxr-xr-x 5 root root 4096 2009-02-26 01:06 ../
lrwxrwxrwx 1 root root 27 2009-02-26 22:22 ca-certificates.crt -> /home/al/.ssh/ca-bundle.crt

al@P5Q:/var/log/packages$ lsg curl
curl-7.19.2-i486-1_ac

al@P5Q:/var/log/packages$ lsg esn
esniper-2-19-0-i486-1

It all works superbly now!!

What I don't know is if there's any .config or .rc file for curl (set the path there to the cert bundle instead of doing so in the ./configure).

A second thing I don't know is if there still was a default path in curl for the cert bundle or if they also took this (said default path) out since they have discontinued shipping a cert bundle with curl.

BTW I do not know why I munged ebay and esniper in my very first post -- it was rather late that night -- things that howl at the moon sometimes come out late at night . . .

OTOH, *sometimes* some of the best creativity shows its head late at night ("The Raven" by Edgar Allan Poe, for some reason, I know not why, comes to mind).

I did not ask anyone to read my drivel. I only had pointed to this thread in reference to ***the relevant openssl error message is in this thread***

That directive would have put me in "scan" mode -- ie quickly scan up and down until I quickly found "error". No reading of drivel. Done. Over with.

Well, burning the late lamp hour and all . . . this has been good. I know way much more now on curl and openssl than I did before all of this started.

--
Alan.
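Added example, not code posted by anyone in this thread: it builds a throwaway CA and a server certificate signed by it with the openssl CLI, then shows the difference between verifying that certificate against the right CA bundle, against an unrelated one (the "certificate verify failed" Alan hit), and against a concatenated bundle, which is what the curl --cacert / --with-ca-bundle file Eric and Alan describe actually is. The names "Example Test CA", "Unrelated CA" and "signin.example.test" are made up for the demo; curl-config --ca (used to answer Alan's question about whether curl still has a compiled-in bundle path) is optional and only consulted if curl-config is installed.

```shell
#!/bin/sh
# Added example for this thread (not from the thread itself).
# Assumes the openssl CLI is on PATH. All certificate names are constructed.

# make_test_pki DIR
#   Writes ca.crt/ca.key (the CA the server really chains to), other_ca.crt
#   (an unrelated CA) and server.crt/server.key into DIR. Returns 1 on failure.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Unrelated CA" \
        -keyout "$dir/other_ca.key" -out "$dir/other_ca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=signin.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -sha256 -days 30 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" >/dev/null 2>&1
}

# make_bundle OUT CERT...
#   A CA bundle (ca-bundle.crt, ca-certificates.crt, cacert.pem) is nothing
#   more than PEM-encoded CA certificates concatenated into one file.
make_bundle() {
    out=$1
    shift
    cat "$@" > "$out"
}

# verify_chain CERT BUNDLE
#   Returns 0 when CERT chains to a CA found in BUNDLE, non-zero otherwise.
#   The failing case is the same check curl performs before it reports
#   "certificate verify failed".
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# curl_ca_path
#   Prints the CA bundle path compiled into the installed curl (the
#   --with-ca-bundle value). Returns 1 if curl-config is not installed.
curl_ca_path() {
    command -v curl-config >/dev/null 2>&1 || return 1
    curl-config --ca
}

# demo: run the three verifications and report what curl is built with.
demo() {
    work=$(mktemp -d) || return 1
    make_test_pki "$work" || { echo "could not build test PKI"; return 1; }
    make_bundle "$work/bundle.crt" "$work/other_ca.crt" "$work/ca.crt"

    for bundle in ca.crt other_ca.crt bundle.crt; do
        if verify_chain "$work/server.crt" "$work/$bundle"; then
            echo "server.crt against $bundle: OK"
        else
            echo "server.crt against $bundle: certificate verify failed"
        fi
    done
    echo "curl's compiled-in CA bundle: $(curl_ca_path || echo '(none or unknown)')"
    rm -rf "$work"
}

demo
```

The middle case (server cert checked against a bundle that does not contain its issuer) is exactly the situation of a curl with no usable bundle: the server's chain is fine, the client simply has nothing it trusts to anchor it to. Pointing curl at a real bundle, whether via --cacert, CURL_CA_BUNDLE, or the --with-ca-bundle path baked in at build time as Alan did, fixes it without turning verification off.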

