[squeak-dev] SSL/Socket error code interpretation
Tobias Pape
Das.Linux at gmx.de
Tue May 12 05:43:49 UTC 2020
Hi
> On 12.05.2020, at 07:40, Tobias Pape <Das.Linux at gmx.de> wrote:
>
> Hi tim
>> On 12.05.2020, at 03:48, tim Rowledge <tim at rowledge.org> wrote:
>>
>> I'm trying to make an https connection to a site and it isn't a happy thing.
>>
>> After digging further into the SSL plugin than I ever wanted I found the logLevel setting and set it to 1 in SecureSocketStream>>#sslConnectTo: and got some plausibly useful info out of it.
>> The key item seems to be
>> sqConnectSSL: SSL_get_verify_result = 20
>> and if I've interpreted the code in ~opensmalltalk-vm/platforms/unix/plugins/SqueakSSL/sqUnixOpenSSL.inc and opensmalltalk-vm/platforms/Cross/plugins/SqueakSSL/SqueakSSL.h properly then an error code of 20 means SQSSL_INVALID_CN and SQSSL_CERT_EXPIRED.
>>
>> Can anyone reassure me or correct me on that?
>
> The 20 does not represent a SqueakSSL error code but an OpenSSL one:
>
> 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
> the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
>
> Which probably means that openssl does not find the COMODO issuer cert in its location.
> Maybe we also did not set the path to the local cert store correctly...
>
> When I use openssl s_client from macOS 10.12 OpenSSL (0.9.8), I get a similar result:
>
> $ openssl s_client -connect sagetea.ai:443
> CONNECTED(00000003)
> depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = sagetea.ai
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ....
>
> same for OpenSSL 1.1 and LibreSSL.
>
> So, unless you have the Comodo intermediate Cert somewhere in a local cert store, 20 is correct.
Aaand this has been a common thing for >5 years:
https://stackoverflow.com/questions/25213923/ssl-site-and-browser-warning#25214924
-t
>
> Best regards
> -Tobias
>
>>
>> The problem is that according to the SSL code in *VW* the certificate I get has this info -
>> Validity
>> Not Before: Nov 15 00:00:00 2018 GMT
>> Not After: Nov 14 23:59:59 2020 GMT
>> Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=sagetea.ai
>>
>> ... which looks in-date to me and a fairly reasonable CN.
>>
>> Aaaargh!
>>
>> tim
>
>
>
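The failure discussed in this thread can be reproduced offline. The following is an added example, not part of the original messages: it builds a constructed root, intermediate and leaf certificate with the `openssl` command line, then verifies the leaf with and without the intermediate available. All subject names and file names are made up, and the `make_chain` and `verify_code` helpers are hypothetical.

```shell
#!/bin/sh
# Constructed chain for illustration: root CA -> intermediate CA -> leaf.
# All subject names and file names are made up for this example.
make_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    for n in root int leaf; do   # one key and CSR per certificate
        openssl req -newkey rsa:2048 -nodes -keyout "$dir/$n.key" \
            -subj "/CN=constructed-$n.example" -out "$dir/$n.csr" 2>/dev/null
    done
    # Self-signed root, marked as a CA.
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -days 2 -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA, issued by the root.
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -days 2 -out "$dir/int.pem" 2>/dev/null
    # Leaf, issued by the intermediate.
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -out "$dir/leaf.pem" 2>/dev/null
}

# Print the first X509 verify error number that `openssl verify` reports,
# or 0 when no verify error line is present in its output.
verify_code() {
    code=$(openssl verify "$@" 2>&1 |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-0}"
}

tmp=$(mktemp -d)
make_chain "$tmp"
# Only the root is trusted and the intermediate is nowhere to be found:
# the situation a client is in when it receives the leaf alone.
echo "leaf only:         $(verify_code -CAfile "$tmp/root.pem" "$tmp/leaf.pem")"
# Same trust anchor, but the intermediate is supplied as an untrusted helper cert.
echo "with intermediate: $(verify_code -CAfile "$tmp/root.pem" \
    -untrusted "$tmp/int.pem" "$tmp/leaf.pem")"
rm -rf "$tmp"
```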