[openssl-users] OpenSSL s_client default certificates bug

Benjamin Flynn Benjamin.Flynn at bigfishgames.com
Thu Nov 10 19:58:11 UTC 2016 

Ah you are correct.

My initial install of openssl was using /usr/lib/ssl as its directory but
when I upgraded to 1.1 it changed to /usr/local/ssl which escaped my
notice. I created the appropriate symlink and can confirm the issue is
fixed.

Thanks,
Ben

On 11/10/16, 10:24 AM, "openssl-users on behalf of Viktor Dukhovni"
<openssl-users-bounces at openssl.org on behalf of
openssl-users at dukhovni.org> wrote:

>
>> On Nov 10, 2016, at 12:25 PM, Benjamin Flynn
>><Benjamin.Flynn at bigfishgames.com> wrote:
>>
>> ### Failure when CAfile not specified
>>
>> $ openssl s_client -connect bigfishgames-a.akamaihd.net:443
>> CONNECTED(00000003)
>> depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore
>>CyberTrust Root
>> verify error:num=20:unable to get local issuer certificate
>> ---
>> Certificate chain
>>  0 s:/C=US/ST=MA/L=Cambridge/O=Akamai Technologies
>>Inc./CN=a248.e.akamai.net
>>    i:/C=NL/L=Amsterdam/O=Verizon Enterprise
>>Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2
>>  1 s:/C=NL/L=Amsterdam/O=Verizon Enterprise
>>Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2
>>    i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
>>  2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
>>    i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
>>CyberTrust Global Root
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> ...
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=MA/L=Cambridge/O=Akamai Technologies
>>Inc./CN=a248.e.akamai.net
>> issuer=/C=NL/L=Amsterdam/O=Verizon Enterprise
>>Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2
>> ---
>> No client certificate CA names sent
>> Peer signing digest: SHA512
>> Server Temp Key: ECDH, P-256, 256 bits
>> ---
>> SSL handshake has read 4491 bytes and written 302 bytes
>> Verification error: unable to get local issuer certificate
>> ---
>> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>> Server public key is 2048 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>     Session-ID:
>>CAA6B55CF1160CF74DF986563E56CFCB11A24B2CDB35480048885F2B88B4947F
>>     Session-ID-ctx:
>>     Master-Key:
>>3AAC7100740F1A670EC8A63C9AD93656A3704C80CCFF1BD6554F4F055CF35DEEF1AAE9F49
>>87465732E347A6E0E00CEDF
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     TLS session ticket lifetime hint: 7200 (seconds)
>>     TLS session ticket:
>>     0000 - 6a 1c 2d 9a f7 6b 30 c0-09 47 f9 2f 24 9a 01 79
>>j.-..k0..G./$..y
>>     0010 - cd f5 07 a7 9d 02 76 21-ab d3 dc df 88 97 ae d1
>>......v!........
>>     0020 - 51 f1 c0 a0 e6 01 cc a6-5b 08 a8 61 a6 2b f0 66
>>Q.......[..a.+.f
>>     0030 - 31 fa a1 d2 b6 0c 5d 1d-d5 58 ff 6c 5e 27 bd a2
>>1.....]..X.l^'..
>>     0040 - c8 66 c4 af 9d 5d 55 93-8d e1 28 cb 77 32 0b 7f
>>.f...]U...(.w2..
>>     0050 - f5 74 cc 6f 56 c3 40 f2-91 65 72 6a b5 84 4b 08
>>.t.oV. at ..erj..K.
>>     0060 - 2c bd cc fd e5 93 c7 a3-82 67 a5 70 47 16 f7 bc
>>,........g.pG...
>>     0070 - d5 1a 8a e3 1c 10 c4 21-86 06 58 44 ef c3 be ab
>>.......!..XD....
>>     0080 - 72 8a f3 89 98 5f 85 79-b2 0c 92 0f 4a a6 f2 99
>>r...._.y....J...
>>     0090 - bb 8c 50 a0 63 b6 29 9e-8e 03 f1 f9 41 bb 42 97
>>..P.c.).....A.B.
>>
>>     Start Time: 1478797302
>>     Timeout   : 7200 (sec)
>>     Verify return code: 20 (unable to get local issuer certificate)
>>     Extended master secret: no
>
>I am rather perplexed as to why you might expect verification success
>with no trusted CAs specified...  What you report is exactly what should
>happen, unless:
>
>>    /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
>>CyberTrust Global Root
>
>
>appears in the default system-wide CApath or CAfile locations as reported
>by
>
>  $ openssl version -d
>
>to which path you can append either "/certs" or "cert.pem" to yield
>CApath or CAfie respectively.
>
>   SSL_CTX_load_verify_locations(3):
>
>       SSL_CTX_set_default_verify_paths() specifies that the default
>locations
>       from which CA certificates are loaded should be used. There is one
>       default directory and one default file. The default CA certificates
>       directory is called "certs" in the default OpenSSL directory.
>       Alternatively the SSL_CERT_DIR environment variable can be defined
>to
>       override this location. The default CA certificates file is called
>       "cert.pem" in the default OpenSSL directory. Alternatively the
>       SSL_CERT_FILE environment variable can be defined to override this
>       location.
>
>> $ openssl s_client -connect bigfishgames-a.akamaihd.net:443 -CAfile
>>/etc/ssl/certs/GTE_CyberTrust_Global_Root.pem
>
>Presumably that file's parent directory (/etc/ssl/certs) is not the same
>as
>the directory as reported by "openssl -d" for the executable you're
>testing.
>
>--
>       Viktor.
>
>--
>openssl-users mailing list
>To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Big Fish Games, Inc. A New Game Every Day! (R)

More information about the openssl-users mailing list