[openssl-users] Strange problem with openssl
Paul Schmehl
pschmehl at tx.rr.com
Fri Nov 10 17:47:39 UTC 2017
--On November 10, 2017 at 5:21:25 PM +0000 Michael Wojcik
<Michael.Wojcik at microfocus.com> wrote:
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
>> Of Paul Schmehl
>> Sent: Friday, November 10, 2017 11:59
>> To: openssl-users at openssl.org
>> Subject: Re: [openssl-users] Strange problem with openssl
>>
>> Do you have any thoughts on why I'm getting the errors when trying to
>> connect to the rss2 feed or the commandline issue with python?
>
> All we have from the rss2 issue is a generic complaint about verifying
> the server's certificate chain, so it's really hard to say. The module
> you're using either doesn't provide good diagnostics, or it's putting
> them somewhere other than stderr.
>
> It's possible that the module is configuring OpenSSL to not allow
> wildcard certificates. It's possible that it doesn't have the Comodo root
> in its trust collection. I'm not offhand seeing any other problems with
> the certs, though I certainly didn't try to check every possibility. The
> openssl verify commands you ran will have tested a number of the possible
> reasons for rejection, but not all of them. (There are options to test
> other things, but that gets complicated, too; you don't know what checks
> your failing applications are making.)
>
> The Python issue looks like it's probably the same thing, whatever that
> thing may be. It's also complaining about certificate verification.
>
> If you can get either of those clients to provide more detailed
> diagnostics, we might be able to narrow it down. Or someone else on the
> list might have a better idea.
>
> Certificate validation with the public Internet X.509 PKI hierarchy is a
> nightmare, to be honest. (Ivan Ristic's /Bulletproof TLS/ book discusses
> many of the problems; the Cypherpunks presentation "X.509 PKI: The OSI of
> a New Generation" is another good source.) There are a zillion things
> that can go wrong, and it's often very difficult to figure out why some
> particular application is unhappy.
>
Thanks again for your detailed response, Michael. WRT the RSS issue, the
vendor was able to view the feed over https without any errors, using the
same software that I'm using (Joomla 3.8.2 and Simple RSS Feed Reader (by
JoomlaWorks) 3.5). So, that seems to point to a problem unique to my server.
The python problem I may be able to enable debug on and see if any
additional detail is helpful. I'll check in to that.
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
"The man who never looks into a newspaper is better informed than he who
reads them, inasmuch as he who knows nothing is nearer the truth than he
whose mind is filled with falsehoods and errors." - Thomas Jefferson
Paul Schmehl (pschmehl at tx.rr.com)
Independent Researcher
More information about the openssl-users
mailing list