Openssl problem
Edgar Pettijohn
edgar at pettijohn-web.com
Sun Nov 12 20:36:55 UTC 2017
On Sun, Nov 12, 2017 at 02:03:45PM -0600, Paul Schmehl wrote:
> Since openssl is now in base, I hope this is the appropriate list for these
> questions.
>
> I'm running FreeBSD 10.3-RELEASE with # openssl version
> OpenSSL 1.0.1s-freebsd 1 Mar 2016
>
> This is the FreeBSD base version of openssl, not the ports version. I have
> ssh access to the server and can sudo to root.
>
> Please note: In the error messages below, I have removed some of the
> pathing so as not to reveal the exact locations on the server.
>
> I have two problems.
>
> When I use https with an rss reader module in Joomla, I get this error:
> Warning: fopen(): SSL operation failed with code 1. OpenSSL Error messages:
> error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify
> failed in /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line
> 335 Warning: fopen(): Failed to enable crypto in
> /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335
> Warning: fopen(https://blog.vvfh.org/feed/rss2): failed to open stream:
> operation failed in
> /Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335
I'm curious what this line is.
>
> I've worked around this problem by not forcing https on the blog. That way
> the module can read the rss feed without encryption. The blog works without
> SSL and with SSL, and I force SSL for logins.
>
> I had someone test the feed from a different server, and it worked fine
> with SSL, so the problem appears to be isolated to this server.
>
> The second problem occurs when I try to run some commandline python
> scripts, I get this error: requests.exceptions.ConnectionError:
> HTTPSConnectionPool(host='wiki.vvfh.org', port=443): Max retries exceeded
> with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL
> routines', 'ssl3_get_server_certificate', 'certificate verify
> failed')],)",),))
> <class 'requests.exceptions.ConnectionError'>
>
> Both of them appear to be related to how openssl handles ssl sessions.
>
> Even more confusing, if I verify the cert from the commandline, openssl
> says it's OK.
> openssl verify -untrusted comodo-rsa-domain-validation-sha-2-w-root.ca-bundle STAR_vvfh_org.crt
> STAR_vvfh_org.crt: OK
>
> If I verify the cert without the chain, I get an error:
> openssl verify STAR_vvfh_org.crt
> STAR_vvfh_org.crt: OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.vvfh.org
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> This is my apache (2.4) config:
> # Enable SSL
> SSLEngine On
> SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
Maybe try just:
SSLProtocol all
and see if that doesn't help.
> SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
> SSLHonorCipherOrder on
> SSLCertificateFile /webcerts/STAR_vvfh_org.crt
> SSLCertificateKeyFile /webcerts/STAR.vvfh.org.key
> SSLCACertificateFile /webcerts/COMODORSADomainValidationSecureServerCA.crt
> SSLCertificateChainFile /webcerts/comodo-rsa-domain-validation-sha-2-w-root.ca-bundle
>
> I've been working around the problem, but I'd like to figure it out and get
> it fixed.
I'd also recommend trying out certbot from ports and trying new certificates, etc., just to
rule those out as the issue. It seems any time I have an ssl problem it turns out the
certs are messed up somehow or the permissions are wrong.
Good luck!
>
> Paul Schmehl, Retired
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"