SSL Error after upgrading to Fedora 18

list Another Xymon User
Fri, 25 Jan 2013 13:10:15 -0500
Message-Id: <user-663dae5bab80@xymon.invalid>

 

So things are good with an explicit path to the CA bundle. 

Are the
"[ ca ]" and " [ CA_default ]" sections in /etc/pki/tls/openssl.cnf
correct? Is the geosoft.crt file included in the file pointed to by
"certificate =" in CA_default? (On my F17 systems that is cacert.pem,
which is a slink to /etc/pki/tls/certs/ca-bundle.crt) 

On 2013-01-25
12:16, Jason Chambers wrote:

Not a problem with that. 

*

Connected to webapp2013.geosoft.com (192.168.0.9) port 443 (#0)

Initializing NSS with certpath: sql:/etc/pki/nssdb

* CAfile:

./geosoft.crt

CApath: none 

* SSL connection using

TLS_RSA_WITH_AES_128_CBC_SHA

* Server certificate: 

• subject: CN=webapp2013.geosoft.com,OU=IT,O=Geosoft

Inc.,L=Toronto,ST=Ontario,C=CA

* start date: Nov 12 17:31:09 2012

GMT

* expire date: Nov 12 17:31:09 2014 GMT 

* common name:

webapp2013.geosoft.com

* issuer: CN=Geosoft Inc.,DC=geosoft,DC=com

Jason Chambers
Network Administrator | Geosoft
geosoft.com [6]

| blog [7] | twitter [8] | linkedIn [9] | facebook [10] | T +1
XXX.XXX.XXXX #344 | M +X XXX.XXX.XXXX

Trending topic on Earth

Explorer: VOXI Earth Modelling [11]

FROM: Ralph Mitchell

[mailto:user-00a5e44c48c0@xymon.invalid]

SENT: January-25-13 11:11 AM
TO:

Jason Chambers

CC: Henrik Størner; xymon at xymon.com
SUBJECT: Re:

[Xymon] SSL Error after upgrading to Fedora 18

Try handing curl
the CA cert for your internal CA: 

curl -v --cacert
path_to_your_CA_cert.pem https://server.domain.com [12] 

Ralph

Mitchell

On Fri, Jan 25, 2013 at 10:27 AM, Jason Chambers

<user-3fa671c0a30d@xymon.invalid> wrote:

I think there might be a bug
in OpenSSL in this build of Fedora 18 (which I have updated.) I ran the
command you gave me and I'm getting this:

CONNECTED(00000003)

write:errno=104

---
no peer certificate available
---
No
client certificate CA names sent
---
SSL handshake has read 0
bytes and written 172 bytes
---
New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE
Expansion:

NONE

---

Which is suggesting that there isn't an SSL
certificate there. Yet when I curl the location:

curl: (60)

Peer's Certificate issuer is not recognized.

More details here:

http://curl.haxx.se/docs/sslcerts.html [1]

curl performs SSL
certificate verification by default, using a "bundle"
of Certificate

Authority (CA) public keys (CA certs). If the default

bundle file
isn't adequate, you can specify an alternate file
using the --cacert
option.
If this HTTPS server uses a certificate signed by a CA
represented in
the bundle, the certificate verification probably
failed due to a
problem with the certificate (it might be expired, or
the name might
not match the domain name in the URL).
If you'd
like to turn off curl's verification of the certificate, use
the -k

(or --insecure) option.

Would this be everyone elses conclusion
as well? 

Jason Chambers
Network Administrator | Geosoft

geosoft.com [2] | blog | twitter | linkedIn | facebook | T +1
XXX.XXX.XXXX #344 [3] | M +X XXX.XXX.XXXX [4]

Trending topic on

Earth Explorer: VOXI Earth Modelling

-----Original

Message-----

From: xymon-bounces at xymon.com

[mailto:xymon-bounces at xymon.com] On Behalf Of Henrik Størner

Sent:

January-25-13 1:38 AM

To: xymon at xymon.com
Subject: Re: [Xymon] SSL

Error after upgrading to Fedora 18

On 24-01-2013 21:43, Jason

Chambers wrote:

I just upgraded to Fedora 18, and now servers that
have SSL signed by
our internal CA is failing. The http test simply
shows "SSL error"
meanwhile our public (GoDaddy) certs aren't
causing issues. Is there a
log file I can peer into to find out why

I'm getting these error

messages all of a sudden?

No
logfile, but try running "openssl s_client -connect IPADDRESS:PORT".

This performs a connect and SSL handshake, which is basically the same
as what Xymon does.

I suppose the standard openssl.cnf is used by

OpenSSL when Xymon uses the SSL libraries. Perhaps some defaults changed
in relation to how openssl performs automatic certificate validation ?
Would surprise me, though.

Regards,
Henrik

Xymon mailing
list

[5]

 
Links:
[1] http://curl.haxx.se/docs/sslcerts.html
[2]
http://geosoft.com
[3] tel:%2B1%20416.369.0111%20%23344
[4]
tel:%2B1%20416.508.1410
[5]
[6]
http://www.geosoft.com/
[7] http://blogs.geosoft.com/
[8]
http://twitter.com/geosoft
[9]
http://www.linkedin.com/company/geosoft-inc.
[10]
http://www.facebook.com/GeosoftInc
[11]
http://www.earthexplorer.com/2012/Introduction_of_VOXI_Earth_Modelling_technology.asp
[12]
https://server.domain.com