Openssl problem
Paul Schmehl
pschmehl_lists at tx.rr.com
Sun Nov 12 20:06:32 UTC 2017
Since openssl is now in base, I hope this is the appropriate list for these
questions.
I'm running FreeBSD 10.3-RELEASE with # openssl version
OpenSSL 1.0.1s-freebsd 1 Mar 2016
This is the FreeBSD base version of openssl, not the ports version. I have
ssh access to the server and can sudo to root.
Please note: In the error messages below, I have removed some of the
pathing so as not to reveal the exact locations on the server.
I have two problems.
When I use https with an rss reader module in Joomla, I get this error:
Warning: fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify
failed in /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line
335 Warning: fopen(): Failed to enable crypto in
/Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335
Warning: fopen(https://blog.vvfh.org/feed/rss2): failed to open stream:
operation failed in
/Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335
I've worked around this problem by not forcing https on the blog. That way
the module can read the rss feed without encryption. The blog works without
SSL and with SSL, and I force SSL for logins.
I had someone test the feed from a different server, and it worked fine
with SSL, so the problem appears to be isolated to this server.
The second problem occurs when I try to run some commandline python
scripts, I get this error: requests.exceptions.ConnectionError:
HTTPSConnectionPool(host='wiki.vvfh.org', port=443): Max retries exceeded
with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL
routines', 'ssl3_get_server_certificate', 'certificate verify
failed')],)",),))
<class 'requests.exceptions.ConnectionError'>
Both of them appear to be related to how openssl handles ssl sessions.
Even more confusing, if I verify the cert from the commandline, openssl
says it's OK.
openssl verify -untrusted
comodo-rsa-domain-validation-sha-2-w-root.ca-bundle STAR_vvfh_org.crt
STAR_vvfh_org.crt: OK
If I verify the cert without the chain, I get an error:
openssl verify STAR_vvfh_org.crt
STAR_vvfh_org.crt: OU = Domain Control Validated, OU = PositiveSSL
Wildcard, CN = *.vvfh.org
error 20 at 0 depth lookup:unable to get local issuer certificate
This is my apache (2.4) config:
# Enable SSL
SSLEngine On
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCertificateFile /webcerts/STAR_vvfh_org.crt
SSLCertificateKeyFile /webcerts/STAR.vvfh.org.key
SSLCACertificateFile
/webcerts/COMODORSADomainValidationSecureServerCA.crt
SSLCertificateChainFile
/webcerts/comodo-rsa-domain-validation-sha-2-w-root.ca-bundle
I've been working around the problem, but I'd like to figure it out and get
it fixed.
Paul Schmehl, Retired
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
More information about the freebsd-questions
mailing list