Opened 9 years ago

Closed 8 years ago

#47805 closed defect (fixed)

curl @7.42.1_0+ssl, openssl @1.0.2a_0 - SSL certificate problem: unable to get local issuer certificate

Reported by: fabien@… Owned by: ryandesign (Ryan Carsten Schmidt)
Priority: Normal Milestone:
Component: ports Version: 2.3.3
Keywords: Cc: larryv (Lawrence Velázquez), neverpanic (Clemens Lang), Ionic (Mihai Moldovan), xeron (Ivan Larionov)
Port: curl openssl

Description

Hi,

I have a CA certificate validation issue with some libraries: cURL (binary or PHP's extension), PHP SOAP, and probably every library that needs to validate CA certificates (an openssl issue?).

I'm on OS X 10.10.3, with the latest Xcode.

<?php
$wsdl = "https://www.chronopost.fr/recherchebt-ws-cxf/PointRelaisServiceWS?wsdl";
$curl = curl_init($wsdl);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); // return the body instead of printing it
$result = curl_exec($curl);

echo curl_error($curl); // empty string when the TLS handshake and transfer succeeded
curl_close($curl);

Returns this error:

SSL certificate problem: unable to get local issuer certificate

The only way I found to solve the issue for cURL is to use the port "certsync" instead of "curl-ca-bundle". OpenSSL is still not able to validate the CA:

openssl s_client -showcerts -connect www.google.com:443

returns :

....
Verify return code: 20 (unable to get local issuer certificate)

I don't know what to do; is it a bug?

Thx, Fabien

Change History (17)

comment:1 Changed 9 years ago by mf2k (Frank Schima)

Owner: changed from macports-tickets@… to ryandesign@…
Port: curl added

In the future, please fill in the Port field and Cc the port maintainers (port info --maintainers curl), if any.

comment:2 Changed 9 years ago by mf2k (Frank Schima)

Cc: larryv@… cal@… added
Port: openssl added

comment:3 Changed 9 years ago by larryv (Lawrence Velázquez)

Cc: ionic@… added

comment:4 Changed 9 years ago by Ionic (Mihai Moldovan)

Try

openssl s_client -showcerts -connect www.google.com:443 -CAfile /opt/local/etc/openssl/certs.pem -trusted_first

If that works, uhm... I don't know either. Maybe we'll have to patch curl to support this new option.

comment:5 Changed 9 years ago by neverpanic (Clemens Lang)

The problem is that Apple removed a 1024-bit root in Yosemite, that was used as a trust anchor for Google's (and possibly other sites') certificates. Normally, this would not affect certificate validity, because one of the intermediate certificates in its chain is not a trusted root CA in OS X (in the case of Google, it's GeoTrust Global CA).

However, OpenSSL before 1.0.2 does not detect this situation as it should (by checking whether any of the intermediates is a trusted root CA) and always follows the chain of trust to the end. In this situation, it fails to verify the certificate, because the end of the chain of certificates is actually not trusted. OpenSSL 1.0.2 added a switch to fix that (activated by -trusted_first in openssl s_client), but this option needs to be enabled by each software separately.

For curl, see https://www.mail-archive.com/curl-library@cool.haxx.se/msg11483.html (the thread seems to have ended up dead, so we should follow up).

For python, see http://bugs.python.org/issue23476 (will be part of 2.7.10).

Last edited 9 years ago by neverpanic (Clemens Lang)
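The situation described in comment 5, as an added example that is not part of this ticket or of MacPorts: a throw-away PKI built with the openssl command line that has the same shape as the 2015 Google chain (a CA that exists both as a self-signed trusted root and as a certificate cross-signed by an older, no longer trusted root), verified once with default chain building and once with -trusted_first. The names Old Root, Mid CA and www.example.test are constructed stand-ins for Equifax, GeoTrust Global CA and the server certificate. On OpenSSL 1.0.x the first verification fails with "unable to get local issuer certificate" (error 20) and the second succeeds; on OpenSSL 1.1.0 and later trusted-first is the default and cannot be disabled, so both succeed.

```shell
# Added example (not from the ticket): reproduce the cross-signed chain shape
# behind "unable to get local issuer certificate" and verify it with and
# without -trusted_first.  All names below are constructed stand-ins:
#   Old Root  plays the 1024-bit Equifax root Apple removed in Yosemite
#   Mid CA    plays GeoTrust Global CA: the same key and subject exist as
#             (a) a self-signed root, the only certificate in our trust store,
#             (b) a certificate cross-signed by Old Root, which the server sends
#   leaf      plays the server certificate, issued by Mid CA
set -eu

build_demo_pki() {           # $1 = scratch directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' >"$d/leaf.ext"
    for n in oldroot mid leaf; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/$n.key" 2>/dev/null
    done
    # Old Root: self-signed and deliberately absent from the trust store.
    openssl req -new -key "$d/oldroot.key" -subj "/CN=Old Root" -out "$d/oldroot.csr"
    openssl x509 -req -in "$d/oldroot.csr" -signkey "$d/oldroot.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/oldroot.pem" 2>/dev/null
    # Mid CA, form (a): self-signed root.  This is the only trust anchor.
    openssl req -new -key "$d/mid.key" -subj "/CN=Mid CA" -out "$d/mid.csr"
    openssl x509 -req -in "$d/mid.csr" -signkey "$d/mid.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/mid-root.pem" 2>/dev/null
    # Mid CA, form (b): the same CSR cross-signed by Old Root.  The server sends this one.
    openssl x509 -req -in "$d/mid.csr" -CA "$d/oldroot.pem" -CAkey "$d/oldroot.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/mid-cross.pem" 2>/dev/null
    # Leaf issued by Mid CA; its issuer name matches both forms of Mid CA.
    openssl req -new -key "$d/leaf.key" -subj "/CN=www.example.test" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/mid-root.pem" -CAkey "$d/mid.key" \
        -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Verify the leaf the way a TLS client does: trust store = mid-root.pem,
# untrusted certificates presented by the server = mid-cross.pem.
# $2 carries extra verify options (e.g. -trusted_first); it is word-split on purpose.
verify_chain() {
    d=$1; extra=${2:-}
    openssl verify $extra -CAfile "$d/mid-root.pem" -untrusted "$d/mid-cross.pem" "$d/leaf.pem"
}

# Returns 0 when verification with -trusted_first succeeds.
demo_trusted_first() {
    d=$(mktemp -d)
    build_demo_pki "$d"
    echo "== default chain building =="
    # OpenSSL 1.0.x walks the presented chain leaf -> Mid CA (cross) -> Old Root
    # and stops with error 20 because Old Root is not trusted.  OpenSSL 1.1.0+
    # consults the trust store first by default and succeeds here as well.
    verify_chain "$d" "" || echo "verify failed: the issuer of the cross-signed Mid CA is not trusted"
    echo "== with -trusted_first (OpenSSL 1.0.2 and later) =="
    # Prefers the self-signed Mid CA from the trust store and stops there.
    if verify_chain "$d" -trusted_first; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# Run the demonstration when an openssl binary is available.
if command -v openssl >/dev/null 2>&1; then demo_trusted_first; fi
```

The untrusted file stands in for the chain a server sends in the TLS handshake; a real client never gets to choose it, which is why the fix had to be a verifier flag (and why each consumer of OpenSSL, curl and Python among them, had to opt in separately before 1.1.0 made it the default).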

comment:6 Changed 9 years ago by xeron (Ivan Larionov)

Cc: xeron.oskom@… added

Cc Me!

comment:7 in reply to:  4 ; Changed 9 years ago by fabien@…

Replying to ionic@…:

Try

openssl s_client -showcerts -connect www.google.com:443 -CAfile /opt/local/etc/openssl/certs.pem -trusted_first

If that works, uhm... I don't know either. Maybe we'll have to patch curl to support this new option.

Hi,

I've tried, but it doesn't work; I get the same return message.

Start Time: 1432401601
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

Thx, Fabien

comment:8 in reply to:  5 ; Changed 9 years ago by fabien@…

Replying to cal@…:

The problem is that Apple removed a 1024-bit root in Yosemite, that was used as a trust anchor for Google's (and possibly other sites') certificates. Normally, this would not affect certificate validity, because one of the intermediate certificates in its chain is not a trusted root CA in OS X (in the case of Google, it's GeoTrust Global CA).

However, OpenSSL before 1.0.2 does not detect this situation as it should (by checking whether any of the intermediates is a trusted root CA) and always follows the chain of trust to the end. In this situation, it fails to verify the certificate, because the end of the chain of certificates is actually not trusted. OpenSSL 1.0.2 added a switch to fix that (activated by -trusted_first in openssl s_client), but this option needs to be enabled by each software separately.

For curl, see https://www.mail-archive.com/curl-library@cool.haxx.se/msg11483.html (the thread seems to have ended up dead, so we should follow up).

For python, see http://bugs.python.org/issue23476 (will be part of 2.7.10).


OK, but how can we explain that cURL works when certsync is activated, and not with curl-ca-bundle?

curl https://www.chronopost.fr/recherchebt-ws-cxf/PointRelaisServiceWS?wsdl

Thx, Fabien

comment:9 in reply to:  7 Changed 9 years ago by xeron (Ivan Larionov)

Replying to fabien@…:

Replying to ionic@…:

Try

openssl s_client -showcerts -connect www.google.com:443 -CAfile /opt/local/etc/openssl/certs.pem -trusted_first

If that works, uhm... I don't know either. Maybe we'll have to patch curl to support this new option.

Hi,

I've tried, but it doesn't work; I get the same return message.

Start Time: 1432401601
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

Thx, Fabien

This command has a typo. It should be:

openssl s_client -showcerts -connect www.google.com:443 -CAfile /opt/local/etc/openssl/cert.pem -trusted_first

comment:10 in reply to:  8 ; Changed 9 years ago by neverpanic (Clemens Lang)

Replying to fabien@…:

OK, but how can we explain that cURL works when certsync is activated, and not with curl-ca-bundle?

Easy enough: MacPorts curl uses MacPorts OpenSSL, which is configured to use /opt/local/etc/openssl/cert.pem as default bundle of trusted root CAs. certsync and curl-ca-bundle are two ways to provide this file. certsync exports the certificates your OS X considers trusted (including manually added and excluding manually distrusted or removed ones), while curl-ca-bundle just installs Mozilla's current list of root CAs.

Apple has removed the Equifax root CA, because it was 1024 bit only and thus no longer considered secure. Mozilla has apparently not done this yet, but certainly will soon.

comment:11 in reply to:  10 Changed 9 years ago by fabien@…

Replying to cal@…:

Replying to fabien@…:

OK, but how can we explain that cURL works when certsync is activated, and not with curl-ca-bundle?

Easy enough: MacPorts curl uses MacPorts OpenSSL, which is configured to use /opt/local/etc/openssl/cert.pem as default bundle of trusted root CAs. certsync and curl-ca-bundle are two ways to provide this file. certsync exports the certificates your OS X considers trusted (including manually added and excluding manually distrusted or removed ones), while curl-ca-bundle just installs Mozilla's current list of root CAs.

Apple has removed the Equifax root CA, because it was 1024 bit only and thus no longer considered secure. Mozilla has apparently not done this yet, but certainly will soon.

Thx, it's clearer to me now.

Fabien

comment:12 in reply to:  5 ; Changed 9 years ago by ryandesign (Ryan Carsten Schmidt)

Replying to cal@…:

For curl, see https://www.mail-archive.com/curl-library@cool.haxx.se/msg11483.html (the thread seems to have ended up dead, so we should follow up).

I just emailed the curl developer to ask what became of this.

comment:13 Changed 9 years ago by neverpanic (Clemens Lang)

Meanwhile, python has been updated to 2.7.10, fixing this issue.

comment:14 in reply to:  13 ; Changed 9 years ago by ryandesign (Ryan Carsten Schmidt)

Replying to cal@…:

Meanwhile, python has been updated to 2.7.10, fixing this issue.

Fixing the issue for python, you mean? The issue remains for curl, right?

comment:15 in reply to:  12 Changed 9 years ago by ryandesign (Ryan Carsten Schmidt)

Replying to ryandesign@…:

Replying to cal@…:

For curl, see https://www.mail-archive.com/curl-library@cool.haxx.se/msg11483.html (the thread seems to have ended up dead, so we should follow up).

I just emailed the curl developer to ask what became of this.

He thought the issue may just have been forgotten, and asked me to bring it back to the mailing list, so I did: http://curl.haxx.se/mail/lib-2015-05/0146.html

comment:16 in reply to:  14 Changed 9 years ago by neverpanic (Clemens Lang)

Replying to ryandesign@…:

Fixing the issue for python, you mean? The issue remains for curl, right?

Yes. We may see the same issue in other software as well.

comment:17 Changed 8 years ago by neverpanic (Clemens Lang)

Resolution: fixed
Status: new → closed