[openssl-users] Strange problem with openssl

Paul Schmehl pschmehl at tx.rr.com
Fri Nov 10 01:09:05 UTC 2017 

I'm running FreeBSD 10.3-RELEASE with # openssl version
OpenSSL 1.0.1s-freebsd  1 Mar 2016

This is the FreeBSD base version of openssl, not the ports version. I have 
ssh access to the server and can sudo to root.

Please note: In the error messages below, I have removed some of the 
pathing so as not to reveal the exact locations on the server.

I have two problems. When I use https with an rss reader module in Joomla, 
I get this error: Warning: fopen(): SSL operation failed with code 1. 
OpenSSL Error messages: error:14090086:SSL 
routines:ssl3_get_server_certificate:certificate verify failed in 
/Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335 
Warning: fopen(): Failed to enable crypto in 
/Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335 
Warning: fopen(https://blog.vvfh.org/feed/rss2): failed to open stream: 
operation failed in 
/Sites/www.vvfh.org/libraries/joomla/filesystem/file.php on line 335

I've worked around this problem by not forcing https on the blog. That way 
the module can read the rss feed without encryption. The blog works without 
SSL and with SSL, and I force SSL for logins.

I had someone test the feed from a different server, and it worked fine 
with SSL, so the problem appears to be isolated to this server.

The second problem occurs when I try to run some commandline python 
scripts, I get this error: requests.exceptions.ConnectionError: 
HTTPSConnectionPool(host='wiki.vvfh.org', port=443): Max retries exceeded 
with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL 
routines', 'ssl3_get_server_certificate', 'certificate verify 
failed')],)",),))
<class 'requests.exceptions.ConnectionError'>

Both of them appear to be related to how openssl handles ssl sessions.

When I run openssl s_client -connect wiki.vvfh.org:443, I get the following 
error:  Verify return code: 18 (self signed certificate)

This is very odd, because ssllabs.com scores the site as an A, and says the 
chain is intact, no missing parts. Yet, for some reason, ssl doesn't see it 
that way. Furthermore, it sees the certs as self-signed, which makes no 
sense at all. I'm using a wildcard cert (Comodo) for three sites: www, wiki 
and blog - all in the vvfh.org domain.

Even more confusing, if I verify the cert from the commandline, openssl 
says it's OK.
openssl verify -untrusted 
comodo-rsa-domain-validation-sha-2-w-root.ca-bundle STAR_vvfh_org.crt
STAR_vvfh_org.crt: OK

If I verify the cert without the chain, I get an error:
openssl verify STAR_vvfh_org.crt
STAR_vvfh_org.crt: OU = Domain Control Validated, OU = PositiveSSL 
Wildcard, CN = *.vvfh.org
error 20 at 0 depth lookup:unable to get local issuer certificate

This is my apache (2.4) config:
 # Enable SSL
    SSLEngine On
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite 
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCertificateFile /webcerts/STAR_vvfh_org.crt
    SSLCertificateKeyFile /webcerts/STAR.vvfh.org.key
    SSLCACertificateFile 
/webcerts/COMODORSADomainValidationSecureServerCA.crt
    SSLCertificateChainFile 
/webcerts/comodo-rsa-domain-validation-sha-2-w-root.ca-bundle

I've been working around the problem, but I'd like to figure it out and get 
it fixed.

"The man who never looks into a newspaper is better informed than he who
reads them, inasmuch as he who knows nothing is nearer the truth than he
whose mind is filled with falsehoods and errors."  -  Thomas Jefferson

Paul Schmehl (pschmehl at tx.rr.com)
Independent Researcher

More information about the openssl-users mailing list