[openssl-dev] OpenSSL fails to connect to Google on OS X 10.10.3 (Bug Report)

Dominyk Tiller dominyktiller at gmail.com
Sat Apr 18 13:16:14 UTC 2015


Apologies that this is kinda badly written. Detailed bug reports aren't
my forte. Feel free to ping back questions if detail isn't clear/useful/etc.

OS X 10.10.3’s release changed some certs in the Keychain. There’s a
full list of changes here:
https://gist.github.cok/DomT4/f86618bdfe2f27c8d66a

This has caused some chaos with OpenSSL and LibreSSL, in things built
against them, using a .pem generated from OS X’s Keychains. The biggest,
most popular affected sites are the whole range of Google domains.

Google cross-sign their GeoTrust root with an old Equifax root (Equifax
Secure Certificate Authority) because a lot of the older clients don’t
have the GeoTrust root on their system and would just error out. Have
emailed with Adam Langley on the cert errors and essentially Google
aren’t going to be able to stop that cross-signing any time soon.

According to Adam most SSL clients should go through the cert chain of
the domain and hit the GeoTrust cert and verify at that point, if the
GeoTrust root exists in a .pem file OpenSSL can find and use, which does
exist when generating a PEM from the system Keychains. It’s not supposed
to carry on to the Equifax root, but it is, and this is causing breakage
on OS X 10.10.3 onwards.

This problem only exists in OpenSSL and LibreSSL as far as testing goes.
It isn’t reproducible with Apple’s Security Framework, or GnuTLS.

Interestingly, Apple have done something to their shipped OpenSSL 0.9.8x
to fix the problem - if I build OpenSSL 0.9.8x from source and use it,
failure, but if I use the one Apple installs the connection verifies and
succeeds. Here’s hoping they’ve punted whatever those changes were
upstream to you.

This is the error you get:

==================================================
--2015-04-10 16:58:58--  https://google.com/
Resolving google.com... 216.58.210.46, 2a00:1450:4009:800::200e
Connecting to google.com|216.58.210.46|:443... connected.
ERROR: cannot verify google.com's certificate, issued by 'CN=Google
Internet Authority G2,O=Google Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to google.com insecurely, use `--no-check-certificate'.
==================================================

How to reproduce:

* Install OpenSSL on OS X 10.10.3 or above. I have it installed to
/usr/local/opt/openssl, with the sysconfdir in /usr/local/etc.

* Generate a PEM file from OS X’s Security Keychain:
	* security find-certificate -a -p /Library/Keychains/System.keychain >> sys.pem
	* security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> sysroot.pem
	* cat sys.pem >> sysroot.pem
	* mv sysroot.pem /usr/local/etc/openssl

* Download and install cURL:
	* Pass “--with-ssl=/path/to/openssl/dir” and
“--with-ca-bundle=/path/to/sysconfdir/openssl/sysroot.pem” to configure.

* Run “/path/to/your/installed/curl -I https://google.com”

It reproduces with wget, mutt, and various other tools. If you put the
Equifax certificate back, and then rehash, you can make the connection.
But the Equifax cert is old, and weak, and Apple aren’t likely to return
it to the Keychain. So this problem connecting to Google will persist
until the reason for not stopping at and verifying on the GeoTrust root
is narrowed down and hopefully fixed.

Mozilla are also pressing ahead with removing that Equifax root from
their certs, so it’s not a simple case of working around it by switching
PEM.

-- 
Sent from OS X. If you wish to communicate more securely my PGP Public
Key is 0x872524db9d74326c.
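The behaviour the report describes comes down to the order in which a verifier looks up each issuer: in the server-supplied (untrusted) chain first, or in the local trust store first. The model below is an added illustration, not code from the mail, from OpenSSL, or from Apple's patched build. It simulates both lookup orders over the chain named in the report (google.com, Google Internet Authority G2, GeoTrust Global CA cross-signed by Equifax Secure Certificate Authority); the certificate records and the trust-store contents are constructed for the example, and only subject/issuer names are modelled, not signatures or validity. The "trusted first" order is what OpenSSL exposes as `X509_V_FLAG_TRUSTED_FIRST` (`openssl verify -trusted_first`), added in 1.0.2 and the default from 1.1.0.

```python
"""Toy model of X.509 chain building (added example, not OpenSSL's code).

Only subject/issuer names are modelled; signature checks are omitted.
The certificate names come from the bug report; the records themselves
and the trust-store contents are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Chain as a server presents it: leaf, intermediate, and the GeoTrust
# root cross-signed by the old Equifax root (constructed from the mail).
SERVER_CHAIN = [
    Cert("CN=google.com", "CN=Google Internet Authority G2"),
    Cert("CN=Google Internet Authority G2", "CN=GeoTrust Global CA"),
    Cert("CN=GeoTrust Global CA", "CN=Equifax Secure Certificate Authority"),
]

# Self-signed roots that may or may not be in the local PEM bundle.
GEOTRUST_ROOT = Cert("CN=GeoTrust Global CA", "CN=GeoTrust Global CA")
EQUIFAX_ROOT = Cert("CN=Equifax Secure Certificate Authority",
                    "CN=Equifax Secure Certificate Authority")


def build_path(chain: List[Cert], trust_store: Iterable[Cert],
               trusted_first: bool) -> Tuple[bool, List[str]]:
    """Walk from the leaf towards a trusted self-signed root.

    Returns (ok, subjects_on_path). Issuers are looked up either in the
    trust store before the untrusted chain (trusted_first=True) or the
    other way round, which is the order that makes the verifier follow
    the cross-signed GeoTrust cert up to the missing Equifax root.
    """
    untrusted = {c.subject: c for c in chain[1:]}
    trusted = {c.subject: c for c in trust_store}
    path = [chain[0]]
    current = chain[0]
    while True:
        # A self-signed certificate found in the trust store ends the path.
        if current.self_signed and trusted.get(current.subject) == current:
            return True, [c.subject for c in path]
        sources = (trusted, untrusted) if trusted_first else (untrusted, trusted)
        issuer = next((src[current.issuer] for src in sources
                       if current.issuer in src), None)
        # No candidate issuer, or a loop: "unable to get issuer certificate".
        if issuer is None or issuer in path:
            return False, [c.subject for c in path]
        path.append(issuer)
        current = issuer


def scenarios():
    """The three situations described in the report, as (label, ok, path)."""
    return [
        ("untrusted-first, GeoTrust only (the reported failure)",
         *build_path(SERVER_CHAIN, [GEOTRUST_ROOT], trusted_first=False)),
        ("trusted-first, GeoTrust only (stops at the GeoTrust root)",
         *build_path(SERVER_CHAIN, [GEOTRUST_ROOT], trusted_first=True)),
        ("untrusted-first, Equifax re-added (the workaround in the mail)",
         *build_path(SERVER_CHAIN, [GEOTRUST_ROOT, EQUIFAX_ROOT], trusted_first=False)),
    ]


if __name__ == "__main__":
    for label, ok, path in scenarios():
        print(f"{label}: {'verified' if ok else 'FAILED'}")
        for subject in path:
            print(f"    {subject}")
```

The first scenario is the breakage in the report: the verifier finds a GeoTrust certificate in the server's chain, keeps climbing to Equifax, and fails because that root is no longer in the bundle. The second shows why consulting the trust store first fixes it without re-adding a retired root, which is the change to prefer over the workaround in the third scenario.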
