[openssl-users] Strange problem with openssl

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Nov 10 17:21:25 UTC 2017


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Paul Schmehl
> Sent: Friday, November 10, 2017 11:59
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Strange problem with openssl
> 
> Do you have any thoughts on why I'm getting the errors when trying to
> connect to the rss2 feed or the commandline issue with python?

All we have from the rss2 issue is a generic complaint about verifying the server's certificate chain, so it's really hard to say. The module you're using either doesn't provide good diagnostics, or it's putting them somewhere other than stderr.

It's possible that the module is configuring OpenSSL to not allow wildcard certificates. It's possible that it doesn't have the Comodo root in its trust collection. I'm not offhand seeing any other problems with the certs, though I certainly didn't try to check every possibility. The openssl verify commands you ran will have tested a number of the possible reasons for rejection, but not all of them. (There are options to test other things, but that gets complicated, too; you don't know what checks your failing applications are making.)

The Python issue looks like it's probably the same thing, whatever that thing may be. It's also complaining about certificate verification.

If you can get either of those clients to provide more detailed diagnostics, we might be able to narrow it down. Or someone else on the list might have a better idea.

Certificate validation with the public Internet X.509 PKI hierarchy is a nightmare, to be honest. (Ivan Ristic's /Bulletproof TLS/ book discusses many of the problems; the Cypherpunks presentation "X.509 PKI: The OSI of a New Generation" is another good source.) There are a zillion things that can go wrong, and it's often very difficult to figure out why some particular application is unhappy.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 
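The thread stalls because both failing clients only report "certificate verify failed" without saying which check failed. The script below is an added example, not something posted in the thread or part of OpenSSL or any of the modules discussed. It shows how a Python client can surface OpenSSL's actual verify code and reason (via the `verify_code` and `verify_message` attributes of `ssl.SSLCertVerificationError`), and it separates the two failure modes the reply speculates about: a hostname or wildcard mismatch versus a missing root in the trust store. The `hostname_matches` helper is a simplified RFC 6125-style matcher written here for illustration (it is not the matcher OpenSSL uses), with an `allow_wildcard` switch so you can see what a client that refuses wildcard certificates would do. The certificate dictionaries in the usage block are constructed sample data; `probe()` does a real connection and is only run when the script is executed directly.

```python
"""Diagnose why a TLS client rejects a server certificate (added example)."""
import socket
import ssl
from typing import Dict, List, Optional

# Common OpenSSL X509_V_ERR_* codes and what they usually mean in practice.
VERIFY_HINTS = {
    10: "certificate has expired (check clock and notAfter)",
    18: "leaf is self-signed (no CA involved at all)",
    19: "self-signed certificate in chain (the root is not in the trust store)",
    20: "unable to get local issuer certificate (intermediate or root missing)",
    21: "unable to verify the leaf signature (broken or incomplete chain)",
    62: "hostname mismatch (no SAN/CN matches the name you connected to)",
}


def matches_name(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 matching for one dNSName pattern (assumption: a
    single '*' is only accepted as the whole left-most label, it never spans
    a dot, and at least two labels must follow it)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_from_cert(cert: Dict) -> List[str]:
    """Collect dNSName SAN entries from an ssl.getpeercert()-style dict;
    fall back to the subject CN only when the cert carries no SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_matches(cert: Dict, hostname: str, allow_wildcard: bool = True) -> bool:
    """True if some presented name matches; with allow_wildcard=False this
    mimics a client that refuses wildcard certificates outright."""
    for name in names_from_cert(cert):
        if "*" in name and not allow_wildcard:
            continue
        if matches_name(name, hostname):
            return True
    return False


def explain_verify_code(code: Optional[int]) -> str:
    """Map an OpenSSL verify code to a practical hint."""
    if code is None:
        return "no verify code reported by this OpenSSL/Python build"
    return VERIFY_HINTS.get(code, f"OpenSSL verify code {code}; see `openssl verify` man page")


def probe(host: str, port: int = 443, cafile: Optional[str] = None) -> Dict:
    """Connect with full verification and report either the chain we got or
    the precise reason OpenSSL rejected it."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "names": names_from_cert(cert),
                    "issuer": dict(x[0] for x in cert.get("issuer", ())),
                }
    except ssl.SSLCertVerificationError as exc:
        code = getattr(exc, "verify_code", None)
        return {
            "ok": False,
            "verify_code": code,
            "reason": getattr(exc, "verify_message", str(exc)),
            "hint": explain_verify_code(code),
        }


if __name__ == "__main__":
    # Constructed sample cert: a wildcard SAN plus the bare domain.
    sample = {
        "subject": ((("commonName", "www.example.com"),),),
        "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    }
    print("feeds.example.com, wildcards allowed:", hostname_matches(sample, "feeds.example.com"))
    print("feeds.example.com, wildcards refused:", hostname_matches(sample, "feeds.example.com", False))
    print("missing root hint:", explain_verify_code(19))
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

Run it with a hostname argument to see the live diagnosis; the `verify_code` field tells you whether to look at the trust store (19 or 20) or at the names on the certificate (62), which is exactly the information the `openssl verify` runs in the thread could not give for the failing clients.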
