openssl-users Digest, Vol 97, Issue 13

Pierre-Luc Boily pierreluc.boily at gmail.com
Sun Dec 18 01:47:43 UTC 2022


Hello M. Dukhovni,

Thank you for your reply.  FYI, you missed an email I sent earlier
yesterday; I mistakenly replied only to M. Wojcik instead of the openssl
mailing list.  I re-sent the email to the group.  In that mail, I dug deeper
into the code and added more information.

In your email, you told me

*But it does not confirm that the server sent a "full" certificate chain*


The screenshot below shows the Chrome address bar of my React front-end web
page.  The server is HTTPS, and I added the CA to the Trusted Root
Certification Authorities store.  It says that my connection is secure.
Does it sound OK?

[image: image.png]

*It also does not confirm that you've set the correct peer hostname in the
OpenSSL case*


I created a CA-signed certificate for my dev sites and I used a SAN:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment,
dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 192.168.230.138
IP.2 = 127.0.0.1


By the way, all of this is for demo/prototype purposes.  I am fully aware
that when we are ready to go to production, we will have to have a
better understanding of SSL.  Our first prototype iteration is to
demonstrate the feasibility of having a web page communicate with our speech
system on the Windows platform using WebRTC.  And WebRTC is available only over
a secure connection.

Thank you for reading all of this and thank you for your patience, it is
really appreciated.

Pierre-Luc Boily

On Sat., Dec. 17, 2022 at 07:00, <openssl-users-request at openssl.org>
wrote:

> Message: 1
> Date: Fri, 16 Dec 2022 18:38:10 -0500
> From: Viktor Dukhovni <openssl-users at dukhovni.org>
> To: openssl-users at openssl.org
> Subject: Re: How to fix "OpenSSL failed - error:0A000086:SSL
>         routines::certificate verify failed"
> Message-ID: <Y50BYt6lEZjc9/LR at straasha.imrryr.org>
> Content-Type: text/plain; charset=us-ascii
>
> On Fri, Dec 16, 2022 at 05:07:51PM -0500, Pierre-Luc Boily wrote:
>
> >    1. I have a React front end using wss to communicate to my https nodejs
> >    server. *It works ->* *This confirms that my key and certificate are
> >    valid.*
>
> But it does not confirm that the server sent a "full" certificate chain,
> with all the required intermediate certificates.  It also does not
> confirm that you've set the correct peer hostname in the OpenSSL case
> (if you don't set the hostname at all, your connection is insecure).
>
> > So, I had to dig into the OpenSSL code and I found where the error is
> > triggered, see code below.  In my case *s->verify_mode* is equal to
> > *SSL_VERIFY_PEER* and *i* equal to *0* and I don't know if those values
> > are OK or not.
>
> OpenSSL failed to validate the certificate chain; it could be missing
> intermediate certificates (from the server), or the wrong expected peer
> hostname specified on the client end.  It could also be related to SNI:
> some servers return different certificates depending on what SNI name
> is signalled by the client.
>
> So double-check that the server certificate chain is complete (includes
> all intermediate CA certificates) optionally apart from a root CA (trust
> anchor) configured on the client.
>
> Then ensure that the client application correctly sets the SNI extension
> and the expected peer hostname to check in the server certificate.
>
> --
>     Viktor.
>
>
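The two checks Viktor asks for (a chain that reaches the trust anchor through every intermediate the server must send, and a hostname match against the leaf's SAN), as an added example that is not part of the thread or of OpenSSL's own code. It builds a throwaway root CA, intermediate CA and leaf with the openssl CLI (all names, paths and the minimal config file are constructed for the example), then runs `openssl verify` three times: without the intermediate, with the wrong hostname, and with the full chain and the right name. Only the last run succeeds; the first two fail the same way a client would.

```shell
#!/bin/sh
# Added example, not from the thread: root CA -> intermediate CA -> leaf, then
# the chain-completeness and hostname checks a correctly configured client does.
# Every file, name and setting below is constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
CNF="$WORK/openssl.cnf"

# Minimal config so the run does not depend on the system openssl.cnf.
cat >"$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = DNS:localhost,IP:127.0.0.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

# Root CA: the trust anchor the client is configured with (and nothing else).
openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Demo Root CA" -extensions ca_ext \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# Intermediate CA, signed by the root. The server has to send this one.
openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Demo Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$CNF" -extensions ca_ext \
  -out "$WORK/int.pem" >/dev/null 2>&1

# Server (leaf) certificate, signed by the intermediate, SAN as in the thread.
openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=localhost" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$CNF" -extensions leaf_ext \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# verify_server_chain ROOT LEAF HOSTNAME [INTERMEDIATE]
# Builds a path from LEAF to the trust anchor ROOT, using INTERMEDIATE as an
# untrusted (server-supplied) certificate when given, then checks HOSTNAME
# against the leaf's SAN. Exit status 0 means the chain verifies.
verify_server_chain() {
  root=$1; leaf=$2; host=$3; inter=${4:-}
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$root" -untrusted "$inter" \
      -verify_hostname "$host" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" -verify_hostname "$host" "$leaf" >/dev/null 2>&1
  fi
}

echo "1) leaf only, intermediate not supplied (incomplete chain):"
openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 | sed 's/^/   /' || true

echo "2) full chain, hostname not in the SAN:"
if verify_server_chain "$WORK/root.pem" "$WORK/leaf.pem" wrong.example "$WORK/int.pem"
then echo "   verified (unexpected)"; else echo "   rejected: hostname mismatch"; fi

echo "3) full chain, expected hostname:"
if verify_server_chain "$WORK/root.pem" "$WORK/leaf.pem" localhost "$WORK/int.pem"
then echo "   verified"; else echo "   rejected (unexpected)"; fi
```

Against a live server the same two checks are `openssl s_client -connect HOST:PORT -servername NAME -verify_hostname NAME -CAfile root.pem -showcerts` (use `-verify_ip ADDR` instead of `-verify_hostname` when the client connects to one of the IP SANs); `-showcerts` lists exactly which certificates the server sent, which is how to tell a missing intermediate from a wrong expected name.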