[openssl-users] Strange problem with openssl

[Paul Schmehl]

--On November 10, 2017 at 4:33:41 PM +0000 Michael Wojcik 
<Michael.Wojcik at microfocus.com> wrote:

>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
>> Of Paul Schmehl
>> Sent: Thursday, November 09, 2017 20:09
>> To: openssl-users at openssl.org
>> Subject: [openssl-users] Strange problem with openssl
>>
>> When I run openssl s_client -connect wiki.vvfh.org:443, I get the
>> following error:  Verify return code: 18 (self signed certificate)
>>
>> This is very odd, because ssllabs.com scores the site as an A, and says
>> the chain is intact, no missing parts. Yet, for some reason, ssl doesn't
>> see it that way. Furthermore, it sees the certs as self-signed, which
>> makes no sense at all.
>
> It sees *a* certificate as self-signed. And indeed there is one. You're
> sending the entire chain, including the root. By definition, the root is
> self-signed.
>
> So s_client is saying: I'm verifying the chain from the server, and I got
> to the point where I found a self-signed certificate (which is the same
> as saying "I found a root certificate").
>
> OpenSSL isn't contradicting ssllabs. s_client reports the whole chain is
> there.
>

Thanks for clearing that up, Michael.

>> Even more confusing, if I verify the cert from the commandline, openssl
>> says it's OK.
>> openssl verify -untrusted
>> comodo-rsa-domain-validation-sha-2-w-root.ca-bundle STAR_vvfh_org.crt
>> STAR_vvfh_org.crt: OK
>
> s_client isn't saying the certificate isn't OK. It's saying it received a
> root certificate from the server.
>
> You didn't give s_client any trust anchors to verify the chain. So it's
> going to walk the whole chain, and it's going to find the root, and it's
> going to complain about that.
>
> Programs don't normally send the root certificate, on the grounds that if
> the peer doesn't already have it, they're not going to trust it anyway.
> But it's not forbidden.
>
> Try this:
>
> 1. Run "openssl s_client -connect wiki.vvfh.org:443 -showcerts". Copy the
> last certificate in the output (which will be the root) and paste it into
> tmp.pem. 2. Run " openssl s_client -connect wiki.vvfh.org:443 -verify 2
> -CAfile tmp.pem". No complaint from s_client now.

You are correct. Thanks for clarifying this.

Do you have any thoughts on why I'm getting the errors when trying to 
connect to the rss2 feed or the commandline issue with python?

"The man who never looks into a newspaper is better informed than he who
reads them, inasmuch as he who knows nothing is nearer the truth than he
whose mind is filled with falsehoods and errors."  -  Thomas Jefferson

Paul Schmehl (pschmehl at tx.rr.com)
Independent Researcher