[squeak-dev] SSL/Socket error code interpretation

Tobias Pape Das.Linux at gmx.de
Tue May 12 05:43:49 UTC 2020


Hi

> On 12.05.2020, at 07:40, Tobias Pape <Das.Linux at gmx.de> wrote:
> 
> Hi tim
>> On 12.05.2020, at 03:48, tim Rowledge <tim at rowledge.org> wrote:
>> 
>> I'm trying to make an https connection to a site and it isn't a happy thing.
>> 
>> After digging further into the SSL plugin than I ever wanted I found the logLevel setting and set it to 1 in SecureSocketStream>>#sslConnectTo: and got some plausibly useful info out of it.
>> The key item seems to be 
>> sqConnectSSL: SSL_get_verify_result = 20
>> and if I've interpreted the code in ~opensmalltalk-vm/platforms/unix/plugins/SqueakSSL/sqUnixOpenSSL.inc and opensmalltalk-vm/platforms/Cross/plugins/SqueakSSL/SqueakSSL.h properly then an error code of 20 means SQSSL_INVALID_CN and SQSSL_CERT_EXPIRED. 
>> 
>> Can anyone reassure me or correct me on that?
> 
> The 20 does not represent a SqueakSSL error code but an OpenSSL one:
> 
>       20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
>           the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
> 
> Which probably means that openssl does not find the COMODO issuer cert in its location.
> Maybe we also did not set the path to the local cert store correctly...
> 
> When I use openssl s_client from macOS 10.12 OpenSSL (0.9.8), I get a similar result: 
> 
> $ openssl s_client -connect sagetea.ai:443
> CONNECTED(00000003)
> depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = sagetea.ai
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ....
> 
> same for OpenSSL 1.1 and LibreSSL.
> 
> So, unless you have the Comodo intermediate Cert somewhere in a local cert store, 20 is correct.

Aaand this has been a common thing for >5 years:

	https://stackoverflow.com/questions/25213923/ssl-site-and-browser-warning#25214924

-t

> 
> Best regards
> 	-Tobias
> 
>> 
>> The problem is that according to the SSL code in *VW* the certificate I get has this info - 
>> Validity
>> 	Not Before: Nov 15 00:00:00 2018 GMT
>> 	Not After: Nov 14 23:59:59 2020 GMT
>> Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=sagetea.ai
>> 
>> ... which looks in-date to me and a fairly reasonable CN. 
>> 
>> Aaaargh!
>> 
>> tim
> 
> 
> 
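An added example, not part of the original thread and not SqueakSSL or OpenSSL code: a small parser that reads `openssl s_client` output like the transcript quoted above, maps each `verify error:num=N` to its OpenSSL `X509_V_ERR_*` name, and flags the missing-issuer case. The function names and the `diagnose` heuristic are assumptions of this example, and only a subset of the OpenSSL codes is listed.

```python
import re

# Subset of OpenSSL's X509_V_ERR_* verify result codes (x509_vfy.h).
X509_V_ERR = {
    2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    9: "X509_V_ERR_CERT_NOT_YET_VALID",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

# s_client lines as quoted in the message above.
SAMPLE = """\
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = sagetea.ai
verify error:num=21:unable to verify the first certificate
verify return:1
"""

DEPTH_RE = re.compile(r"^depth=(\d+)\s")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")

def parse_verify_errors(output):
    """Return [(depth, code, name, message), ...] in order of appearance."""
    errors, depth = [], None
    for line in output.splitlines():
        line = line.strip()
        m = DEPTH_RE.match(line)
        if m:
            depth = int(m.group(1))  # applies to the error line that follows
            continue
        m = ERROR_RE.match(line)
        if m:
            code = int(m.group(1))
            name = X509_V_ERR.get(code, "UNKNOWN")
            errors.append((depth, code, name, m.group(2).strip()))
    return errors

def diagnose(errors):
    """Hypothetical heuristic: label the most likely cause of the failure."""
    pairs = {(d, c) for d, c, _, _ in errors}
    if not pairs:
        return "ok"
    if (0, 20) in pairs:  # leaf's issuer absent: no intermediate or no trust store
        return "missing-issuer"
    if any(c in (9, 10) for _, c in pairs):
        return "validity-period"
    return "other"

if __name__ == "__main__":
    for depth, code, name, msg in parse_verify_errors(SAMPLE):
        print(f"depth {depth}: {code} {name} ({msg})")
    print(diagnose(parse_verify_errors(SAMPLE)))
```
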



