[squeak-dev] SSL/Socket error code interpretation

Tobias Pape Das.Linux at gmx.de
Tue May 12 05:40:09 UTC 2020


Hi tim

> On 12.05.2020, at 03:48, tim Rowledge <tim at rowledge.org> wrote:
> 
> I'm trying to make an https connection to a site and it isn't a happy thing.
> 
> After digging further into the SSL plugin than I ever wanted I found the logLevel setting and set it to 1 in SecureSocketStream>>#sslConnectTo: and got some plausibly useful info out of it.
> The key item seems to be 
> sqConnectSSL: SSL_get_verify_result = 20
> and if I've interpreted the code in ~opensmalltalk-vm/platforms/unix/plugins/SqueakSSL/sqUnixOpenSSL.inc and opensmalltalk-vm/platforms/Cross/plugins/SqueakSSL/SqueakSSL.h properly then an error code of 20 means SQSSL_INVALID_CN and SQSSL_CERT_EXPIRED. 
> 
> Can anyone reassure me or correct me on that?

The 20 does not represent a SqueakSSL error code but an OpenSSL one:

       20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
           the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.

Which probably means that openssl does not find the COMODO issuer cert in its location.
Maybe we also did not set the path to the local cert store correctly...

When I use openssl s_client from macOS 10.12 OpenSSL (0.9.8), I get a similar result: 

$ openssl s_client -connect sagetea.ai:443
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = sagetea.ai
verify error:num=21:unable to verify the first certificate
verify return:1
....

Same for OpenSSL 1.1 and LibreSSL.

So, unless you have the Comodo intermediate Cert somewhere in a local cert store, 20 is correct.

Best regards
	-Tobias

> 
> The problem is that according to the SSL code in *VW* the certificate I get has this info - 
> Validity
> 	Not Before: Nov 15 00:00:00 2018 GMT
> 	Not After: Nov 14 23:59:59 2020 GMT
> Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=sagetea.ai
> 
> ... which looks in-date to me and a fairly reasonable CN. 
> 
> Aaaargh!
> 
> tim
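
Added example, not part of the original message or of the SqueakSSL/OpenSSL sources: a shell script that reproduces verify code 20 offline by checking a leaf certificate against a trust store that holds only the root, then again with the intermediate supplied. The function names, the `Demo Root` / `Demo Intermediate` / `leaf.example.test` subjects and all keys are constructed for the demo; it assumes an `openssl` binary on the PATH.

```sh
#!/bin/sh
# Added demo: every key, name and certificate here is constructed and throwaway.

build_chain() {   # $1 = empty working directory
  d=$1
  # Extension file that marks a certificate as a CA (used for root and intermediate).
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root inter leaf; do
    openssl genrsa -out "$d/$n.key" 2048 2>/dev/null || return 1
  done
  openssl req -new -key "$d/root.key"  -subj "/CN=Demo Root"         -out "$d/root.csr"  &&
  openssl req -new -key "$d/inter.key" -subj "/CN=Demo Intermediate" -out "$d/inter.csr" &&
  openssl req -new -key "$d/leaf.key"  -subj "/CN=leaf.example.test" -out "$d/leaf.csr"  &&
  # Self-signed root: the only certificate the verifier is told to trust.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -set_serial 1 -days 2 -out "$d/root.pem" 2>/dev/null &&
  # Intermediate CA, issued by the root.
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -extfile "$d/ca.ext" -set_serial 2 -days 2 -out "$d/inter.pem" 2>/dev/null &&
  # Leaf, issued by the intermediate (not directly by the root).
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

verify_code() {   # $1 = directory; $2 = "with" to also supply the intermediate
  d=$1
  if [ "$2" = with ]; then
    out=$(openssl verify -CAfile "$d/root.pem" -untrusted "$d/inter.pem" \
            "$d/leaf.pem" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1) || true
  fi
  # On failure openssl prints: error <num> at <depth> depth lookup: <text>
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  echo "${code:-0}"   # 0 means no verify error was reported
}

work=$(mktemp -d) || exit 1
if build_chain "$work"; then
  echo "root only in trust store:      verify code $(verify_code "$work")"
  echo "intermediate supplied as well: verify code $(verify_code "$work" with)"
fi
rm -rf "$work"
```

`-untrusted` only offers the intermediate as a chain-building candidate; trust still comes from the root given with `-CAfile`.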
