[openssl-dev] Fwd: OpenSSL fails to connect to Google on OS X 10.10.3 (Bug Report)

Matt Caswell matt at openssl.org
Tue Apr 21 15:24:08 UTC 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 21/04/15 15:43, Dominyk Tiller wrote:
> Hi Matt,
> 
> Thanks for the reply on this, and for backporting the fix to
> 1.0.2! Having it available to 1.0.1 would be great too, but
> appreciate the OpenSSL team isn't huge.
> 
> Is there any timetable on the 1.0.2b release? It seems pulling the 
> following three commits into the 1.0.2a branch and patching:

No, unfortunately not. The releases are normally driven by what
security issues come along which we can't predict.

> 
> 47daa155a31b0a54ce09ad2ed4d55fad74096dab

You don't need this one. I'm about to revert it.

> dfd3322d72a2d49f597b86dab6f37a8cf0f26dbf

You only need this one if you want to be able to control whether the
new verify algorithm is used or not via the newly defined
X509_V_FLAG_NO_ALT_CHAINS flag. By default it will be used.

> 6281abc79623419eae6a64768c478272d5d3a426

This is the important one.

> 
> Does the job. Verification against Google domains with an OS X
> 10.10.3+ Keychain-generated PEM works great. Usually pretty
> reluctant to cherry-pick patches on security tools but given the
> trouble this is causing, am I safe to do so in this situation?

I can't foresee any problems with doing that. Obviously though we only
support official releases.

Matt


> 
> Thanks,
> 
> Dominyk
> 
> Sent from OS X. If you wish to communicate more securely my PGP
> Public Key is 0x872524db9d74326c.
> 
> On 20/04/2015 23:52, Matt Caswell wrote:
>> 
>> 
>> On 18/04/15 14:30, Dominyk Tiller wrote:
>>> Apologies. Either I'm an idiot or autocorrect is feeling
>>> amusing today. I meant
>>> https://gist.github.com/DomT4/f86618bdfe2f27c8d66a rather than
>>> https://gist.github.cok/DomT4/f86618bdfe2f27c8d66a.
>> 
>>> Sent from OS X. If you wish to communicate more securely my
>>> PGP Public Key is 0x872524db9d74326c.
>> 
>> 
>>> -------- Forwarded Message -------- Subject: OpenSSL fails to 
>>> connect to Google on OS X 10.10.3 (Bug Report) Date: Sat, 18
>>> Apr 2015 14:16:14 +0100 From: Dominyk Tiller
>>> <dominyktiller at gmail.com> To: openssl-dev at openssl.org
>> 
>>> Apologies that this is kinda badly written. Detailed bug
>>> reports aren't my forte. Feel free to ping back questions if
>>> detail isn't clear/useful/etc.
>> 
>>> OS X 10.10.3’s release changed some certs in the Keychain.
>>> There’s a full list of changes here: 
>>> https://gist.github.cok/DomT4/f86618bdfe2f27c8d66a
>> 
>>> This has caused some chaos with OpenSSL and LibreSSL, in
>>> things built against them, using a .pem generated from OS X’s
>>> Keychains. The biggest, most popular affected sites are the
>>> whole range of Google domains.
>> 
>>> Google cross-sign their GeoTrust root with an old Equifax root 
>>> (Equifax Secure Certificate Authority) because a lot of the
>>> older clients don’t have the GeoTrust root on their system and
>>> would just error out. Have emailed with Adam Langley on the
>>> cert errors and essentially Google aren’t going to be able to
>>> stop that cross-signing any time soon.
>> 
>>> According to Adam most SSL clients should go through the cert
>>> chain of the domain and hit the GeoTrust cert and verify at
>>> that point, if the GeoTrust root exists in a .pem file OpenSSL
>>> can find and use, which does exist when generating a PEM from
>>> the system Keychains. It’s not supposed to carry on to the
>>> Equifax root, but it is, and this is causing breakage on OS X
>>> 10.10.3 onwards.
>> 
>> Hi Dominyk
>> 
>> This is a known issue. It has been fixed in git master for a
>> while. Technically speaking this is not a bug at all. OpenSSL's
>> verification algorithm is working exactly as designed. For that
>> reason a decision was taken not to backport this to existing
>> releases (which only receives bug fixes). However, due to the
>> real problems that this is causing for users, we have changed our
>> mind on this and we have now backported this to 1.0.2. It's in
>> git now and will become available as part of 1.0.2b. Discussions
>> are ongoing with regards to 1.0.1.
>> 
>> Regards
>> 
>> Matt
>> 
>> 
>> 
>> 
>>> This problem only exists in OpenSSL and LibreSSL as far as
>>> testing goes. It isn’t reproducible with Apple’s Security
>>> Framework, or GnuTLS.
>> 
>>> Interestingly, Apple have done something to their shipped
>>> OpenSSL 0.9.8x to fix the problem - If I build OpenSSL 0.9.8x
>>> from source and use it, failure, but if I use the one Apple
>>> installs the connection verifies and succeeds. Here’s hoping
>>> they’ve punted whatever those changes were upstream to you.
>> 
>>> This is the error you get:
>> 
>>> ================================================== —2015-04-10 
>>> 16:58:58—  https://google.com/ Resolving google.com…
>>> 216.58.210.46, 2a00:1450:4009:800::200e Connecting to 
>>> google.com|216.58.210.46|:443… connected. ERROR: cannot verify 
>>> google.com’s certificate, issued by ‘CN=Google Internet
>>> Authority G2,O=Google Inc,C=US’: Unable to locally verify the
>>> issuer’s authority. To connect to google.com insecurely, use 
>>> `—no-check-certificate’. 
>>> ==================================================
>> 
>>> How to reproduce:
>> 
>>> * Install OpenSSL on OS X 10.10.3 or above. I have it installed
>>> to /usr/local/opt/openssl - With the sysconfdir in
>>> /usr/local/etc.
>> 
>>> * Generate a PEM file from OS X’s Security Keychain: *
>>> security find-certificate -a -p
>>> /Library/Keychains/System.keychain >> sys.pem * security
>>> find-certificate -a -p 
>>> /System/Library/Keychains/SystemRootCertificates.keychain >> 
>>> sysroot.pem * cat sys.pem >> sysroot.pem * mv sysroot.pem 
>>> /usr/local/etc/openssl
>> 
>>> * Download and install cURL: * Pass 
>>> “—with-ssl=/path/to/openssl/dir” and 
>>> “--with-ca-bundle=/path/to/sysconfdir/openssl/sysroot.pem” to 
>>> configure.
>> 
>>> * Run “/path/to/your/installed/curl -I https://google.com”
>> 
>>> It reproduces with wget, mutt, various other tools. If you put
>>> the Equifax certificate back, and then rehash, you can make
>>> the connection. But the Equifax cert is old, and weak, and
>>> Apple aren’t likely to return it to the Keychain. So this
>>> problem connecting to Google will persist until the reason for
>>> not stopping at and verifying on the GeoTrust root are narrowed
>>> down and hopefully fixed.
>> 
>>> Mozilla are also pressing ahead with removing that Equifax
>>> root from their certs, so it’s not a simple case of working
>>> around it by switching PEM.
>> 
>> 
>> 
>>> _______________________________________________ openssl-dev
>>> mailing list To unsubscribe: 
>>> https://mta.openssl.org/mailman/listinfo/openssl-dev
>> 
>> _______________________________________________ openssl-dev
>> mailing list To unsubscribe:
>> https://mta.openssl.org/mailman/listinfo/openssl-dev
>> 
> 
> 
> 
> _______________________________________________ openssl-dev mailing
> list To unsubscribe:
> https://mta.openssl.org/mailman/listinfo/openssl-dev
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVNmuYAAoJENnE0m0OYESRwAcH/1XrZzo+SKPrLMQ8DvfZI1w5
+Y8IzNn38TVwTmD0SoJWdwCrIu0x1SQkQQ3aVspkscBzUDHM9Rs0xPQYuKqXPhNW
re+1iLjvYh99yAy1lMEVVIlML6Q8V23QZ0YarBa41sZ0z3JfOknWVart1Cpzbbzq
XsG9dOcP8mBlED/P/KPMY7P4FbTB8jL57y9d+JiKzUvjWJufQAryEeCq8/vKGz6e
/2eK+QsEPLrxQRFu7J6PhnobRIw15FOKujavzZmkmaijc/6Q+6VcBkrRth9DSzNe
XCbuD0A2ekCccz33l9I5xPE+6xce+5D9HTkWoFGQDxXUFbsIoOAqewx7AIx4nJA=
=u2ow
-----END PGP SIGNATURE-----

More information about the openssl-dev mailing list