From: Derek H. <de...@as...> - 2017-01-02 15:20:15
Hi, I want to check if I am doing something very stupid here, since I am unable to properly use any apps linking to openssl100-shlibs (among others wget and python) since approximately the update to openssl-1.0.2, as it refuses to accept almost any host certificate:

ariel:15579> curl -O https://www.openssl.org/source/openssl-1.0.2j.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5183k  100 5183k    0     0   985k      0  0:00:05  0:00:05 --:--:-- 1266k

ariel:15580> wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
--2017-01-02 15:03:01--  https://www.openssl.org/source/openssl-1.0.2j.tar.gz
Resolving www.openssl.org... 2600:1406:1a:38f::c1e, 2600:1406:1a:38e::c1e, 104.91.180.27
Connecting to www.openssl.org|2600:1406:1a:38f::c1e|:443... connected.
ERROR: cannot verify www.openssl.org's certificate, issued by ‘CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US’:
  Unable to locally verify the issuer's authority.
To connect to www.openssl.org insecurely, use `--no-check-certificate'.

ariel:15581> wget --ca-certificate=/etc/ssl/cert.pem https://www.openssl.org/source/openssl-1.0.2j.tar.gz
--2017-01-02 15:03:10--  https://www.openssl.org/source/openssl-1.0.2j.tar.gz
Resolving www.openssl.org... 2600:1406:1a:38f::c1e, 2600:1406:1a:38e::c1e, 104.91.180.27
Connecting to www.openssl.org|2600:1406:1a:38f::c1e|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5307912 (5.1M) [application/x-gzip]
Saving to: ‘openssl-1.0.2j.tar.gz.1’

openssl-1.0.2j.tar.gz.1 100%[===============================================================================>]   5.06M  1.38MB/s    in 3.7s

2017-01-02 15:03:15 (1.38 MB/s) - ‘openssl-1.0.2j.tar.gz’ saved [5307912/5307912]

ariel:15582> wget --ca-certificate=/sw/etc/ssl/certs/ca-bundle.crt https://www.openssl.org/source/openssl-1.0.2j.tar.gz
--2017-01-02 15:31:49--  https://www.openssl.org/source/openssl-1.0.2j.tar.gz
Resolving www.openssl.org... 2600:1406:1a:38f::c1e, 2600:1406:1a:38e::c1e, 104.91.180.27
Connecting to www.openssl.org|2600:1406:1a:38f::c1e|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5307912 (5.1M) [application/x-gzip]
Saving to: ‘openssl-1.0.2j.tar.gz.2’

openssl-1.0.2j.tar.gz.2 100%[===============================================================================>]   5.06M  1.40MB/s    in 3.6s

2017-01-02 15:31:55 (1.40 MB/s) - ‘openssl-1.0.2j.tar.gz.3’ saved [5307912/5307912]

This happens regardless of whether the certificate updates from ca-bundle are installed or not (which are almost a year old now anyway), but as the last two examples show, it obviously accepts both the system-provided certificates in /etc/ssl and the ca-certs one if directed explicitly to them. Since I've never seen any other message about this problem popping up on the list, I am still wondering if I am doing something blatantly wrong, but as it is, the CERTIFICATE_VERIFY_FAILED errors cause a number of package builds to fail tests that require downloading things.

Is there some way to have openssl100 automatically recognise any of the installed certificate lists? There is a /sw/etc/ssl/openssl.cnf, however belonging to openssl_1.1.0c, and its locations don't seem to make any sense at all:

[ CA_default ]
dir      = ./demoCA        # Where everything is kept
certs    = $dir/certs      # Where the issued certs are kept
crl_dir  = $dir/crl        # Where the issued crl are kept

as there is no demo* subdirectory present whatsoever (otherwise I would have suspected yet another bit of trouble due to a case-sensitive file system). Trying to modify this installed openssl.cnf to point to any of the actual certificate locations did not get me any further either.

If I am really the only one having this problem I'm wondering what could possibly be broken here after rebuilding and reinstalling all openssl packages...

Thanks for any help,
Derek
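The failure in the post is a trust-store lookup problem, not a bad certificate: the wget/python builds linked against openssl100 verify fine once pointed at an existing CA bundle, so the linked OpenSSL simply does not find one at its compiled-in default location. The script below is an added diagnostic, not code from the post or from Fink; it uses Python's ssl module (which exposes the same default paths and SSL_CERT_FILE / SSL_CERT_DIR overrides that OpenSSL's X509_STORE_set_default_paths() honours) to report where the linked OpenSSL looks, which of a list of candidate bundles actually exists, and how to point every OpenSSL-linked program at that bundle without resorting to --no-check-certificate. The candidate paths beyond the two from the post are assumed common locations.

```python
import os
import ssl

# Candidate CA bundle locations. The first two are the paths used in the
# post; the rest are assumed common locations on other systems.
CANDIDATE_BUNDLES = [
    "/etc/ssl/cert.pem",                   # system bundle used in the post
    "/sw/etc/ssl/certs/ca-bundle.crt",     # Fink ca-bundle used in the post
    "/etc/ssl/certs/ca-certificates.crt",  # assumed: Debian/Ubuntu layout
    "/etc/pki/tls/certs/ca-bundle.crt",    # assumed: RHEL/Fedora layout
]


def default_trust_paths():
    """Where the OpenSSL that Python is linked against looks for CA material.

    These are the compiled-in OPENSSLDIR locations plus the environment
    variable names that override them (normally SSL_CERT_FILE and
    SSL_CERT_DIR).  If neither default location exists, every program
    linked to this library fails verification until one is supplied.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.openssl_cafile,
        "cafile_exists": os.path.isfile(p.openssl_cafile),
        "cafile_env": p.openssl_cafile_env,
        "capath": p.openssl_capath,
        "capath_exists": os.path.isdir(p.openssl_capath),
        "capath_env": p.openssl_capath_env,
    }


def first_existing_bundle(candidates):
    """Return the first candidate that is a readable regular file, else None."""
    for path in candidates:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return path
    return None


def bundle_env_override(bundle_path):
    """Environment setting that makes all OpenSSL-linked programs use the bundle.

    Exporting this (e.g. in the shell profile) is the system-wide equivalent
    of wget's --ca-certificate=... and keeps verification switched on.
    """
    env_name = ssl.get_default_verify_paths().openssl_cafile_env
    return {env_name: bundle_path}


def context_for_bundle(bundle_path):
    """Verifying SSLContext that trusts only the given bundle.

    PROTOCOL_TLS_CLIENT keeps CERT_REQUIRED and hostname checking on; a
    missing or unreadable bundle raises OSError instead of silently
    producing a context that trusts nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=bundle_path)
    return ctx


def trusted_ca_count(ctx):
    """Number of CA certificates actually loaded into the context's store."""
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    report = default_trust_paths()
    for key, value in report.items():
        print(f"{key:15} {value}")
    bundle = first_existing_bundle(CANDIDATE_BUNDLES)
    if bundle is None:
        print("no candidate CA bundle found; install one before verifying TLS")
    else:
        ctx = context_for_bundle(bundle)
        print(f"usable bundle: {bundle} ({trusted_ca_count(ctx)} CA certs)")
        for name, value in bundle_env_override(bundle).items():
            print(f"export {name}={value}")
```

Run it with the Python build that is failing: if `cafile_exists` and `capath_exists` are both False, the linked OpenSSL has no trust store at its default location, which is exactly the symptom in the post; `openssl version -d` prints the same OPENSSLDIR from the command line. Exporting the variable the script prints fixes wget, python and anything else linked to that library in one place, whereas `--no-check-certificate` silently disables the check for that one download.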