Article delegate-en/4068 of [1-5169] on the server localhost:119
[Reference:<_A4067@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: How to verify a server's certificate?
16 Aug 2008 13:48:19 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Monika,

In message <_A4067@delegate-en.ML_> on 08/14/08(19:01:54)
you Monika Schilling <p3ehqbdyi-omp2wgzucalr.ml@ml.delegate.org> wrote:
 |>  |Thank you for the pointer. I checked DeleGate 9.8.3 with the new way of
 |>  |configuration via files under CERTDIR. Everything works as expected.
 |>  | There is no need for using the trick with the OpenSSL environment
 |>  | variable SSL_CERT_DIR as with version 9.7.7.
 |>
 |> Is it true? 
 |> ...
 |
 |Yes! I just now checked it again. 
...
 |As you see the certificates under "/etc/ssl/certs", where a copy of the 
 |appropriate certificate "thawteCp.pem" is stored, are not taken into account. 
 |As a consequence verification fails.

Your log does not include the status of "/etc/ssl/certs" so I can't
confirm it.  For example, the failure could occur if /etc/ssl/certs is
empty, or thawteCp.pem is lacking, or the default cert directory is not
/etc/ssl/certs (by SSL_CERT_DIR environment variable or so).

It will be helpful to compare the log (of the default "CERTDIR/ca-sv.pem")
with the log of "-CAfile cert.pem" in which you said you saw a success with
the further retrieval in the default (/etc/ssl/certs).

But anyway, I'm sure that the simple code of my sslway.c to set the default
certificate store works equivalently in either case.
I tested it with OpenSSL 0.9.8h with a patch as enclosed for the certificate
store (by_dir.c and by_file.c).
The results show that OpenSSL retrieves the default certificate directory
regardless of how a user specifies a non-default certificate file.

server:
  delegated \
  -P9999 -fv \
  DGROOT=/var/tmp/dgroot \
  MOUNT="/* https://www.1und1.de/*" \
  TLSCONF=-vd \
    STLS="fsv,sslway -Vrfy" ### with CACERT/ca-sv.pem -> vsign1.pem  ...(A)

    STLS="fsv,sslway -Vrfy -CAfile cacert/vsign1.pem"                ...(B)


    STLS="fsv,sslway -Vrfy -CAfile cacert/thawteCp.pem"              ...(C)


    STLS="fsv,sslway -Vrfy" ### with CACERT/ca-sv.nodefault          ...(D)

client:
  delegated -Fdget http://localhost:9999 -h -o

certificate:
  DEFAULT: /usr/local/ssl/certs: (copy of /etc/ssl/certs of SUSE)
  DeleGate CERTDIR: /var/tmp/dgroot/etc/certs


#### (A) verified ####
08/16 22:27:01.84 [15151] 1+1: ## SSLway start
----by_file_ctrl [/var/tmp/dgroot/etc/certs/ca-sv.pem]
08/16 22:27:01.85 [15151] 1+1: ## SSLway CAs = OK [/var/tmp/dgroot/etc/certs/ca-sv.pem][(NULL)]
----by_file_ctrl [(NULL)]
----by_file_ctrl DFLT[/usr/local/ssl/cert.pem] ok=0
----add_cert_dir [/usr/local/ssl/certs]
**** (the default dir. added to the cert. store)
----add_cert_dir [/usr/local/ssl/certs] (1)
----dir_ctrl(/usr/local/ssl/certs) DFLT ret=1
08/16 22:27:01.86 [15151] 1+1: ## SSLway CAs = OK, set the DEFAULT
08/16 22:27:01.86 [15151] 1+1: ## SSLway -- TLSxSNI: send lo
----get_cert_by_subj.dir 110DB80
----get_cert_by_subj.dir num=1
----get_cert_by_subj.dir 0/1 /usr/local/ssl/certs
**** (retrieving in the default cert. dir)
----get_cert_by_subj.dir 0/1 /usr/local/ssl/certs/c33a80d4.0
----load_cert_ctrl /usr/local/ssl/certs/c33a80d4.0
----load_cert_ctrl /usr/local/ssl/certs/c33a80d4.0 = 1
----get_cert_by_subj.dir 0/1 /usr/local/ssl/certs/c33a80d4.1
**** (hit in the default cert. dir)
08/16 22:27:02.14 [15151] 1+1: ## SSLway depth=1/-1 ok=1 0:"ok"

#### (B) verified ####
08/16 22:22:41.25 [15111] 1+1: ## SSLway start
----by_file_ctrl [/var/tmp/dgroot/etc/certs/vsign1.pem]
08/16 22:22:41.27 [15111] 1+1: ## SSLway CAs = OK [/var/tmp/dgroot/etc/certs/vsign1.pem][(NULL)]
----by_file_ctrl [(NULL)]
----by_file_ctrl DFLT[/usr/local/ssl/cert.pem] ok=0
----add_cert_dir [/usr/local/ssl/certs]
----add_cert_dir [/usr/local/ssl/certs] (1)
----dir_ctrl(/usr/local/ssl/certs) DFLT ret=1
08/16 22:22:41.27 [15111] 1+1: ## SSLway CAs = OK, set the DEFAULT
08/16 22:22:41.27 [15111] 1+1: ## SSLway -- TLSxSNI: send lo
----get_cert_by_subj.dir 110DE80
----get_cert_by_subj.dir num=1
----get_cert_by_subj.dir 0/1 /usr/local/ssl/certs
----get_cert_by_subj.dir 0/1 /usr/local/ssl/certs/c33a80d4.0
----load_cert_ctrl /usr/local/ssl/certs/c33a80d4.0
----load_cert_ctrl /usr/local/ssl/certs/c33a80d4.0 = 1
----get_cert_by_subj.dir 0/1 /usr/local/ssl/certs/c33a80d4.1
08/16 22:22:41.58 [15111] 1+1: ## SSLway depth=1/-1 ok=1 0:"ok"

#### (C) verified ####
08/16 22:21:38.20 [15106] 1+1: ## SSLway start
----by_file_ctrl [/var/tmp/dgroot/etc/certs/thawteCp.pem]
08/16 22:21:38.22 [15106] 1+1: ## SSLway CAs = OK [/var/tmp/dgroot/etc/certs/thawteCp.pem][(NULL)]
----by_file_ctrl [(NULL)]
----by_file_ctrl DFLT[/usr/local/ssl/cert.pem] ok=0
----add_cert_dir [/usr/local/ssl/certs]
----add_cert_dir [/usr/local/ssl/certs] (1)
----dir_ctrl(/usr/local/ssl/certs) DFLT ret=1
08/16 22:21:38.22 [15106] 1+1: ## SSLway CAs = OK, set the DEFAULT
08/16 22:21:38.23 [15106] 1+1: ## SSLway -- TLSxSNI: send lo
08/16 22:21:38.50 [15106] 1+1: ## SSLway depth=1/-1 ok=1 0:"ok" ...

#### (D) error ####
08/16 22:29:35.89 [15184] 1+1: ## SSLway start
----by_file_ctrl [/var/tmp/dgroot/etc/certs/ca-sv.pem]
08/16 22:29:35.91 [15184] 1+1: ## SSLway CAs = OK [/var/tmp/dgroot/etc/certs/ca-sv.pem][(NULL)]
08/16 22:29:35.91 [15184] 1+1: ## SSLway CAs = no DEFAULT
08/16 22:29:35.91 [15184] 1+1: ## SSLway -- TLSxSNI: send lo
08/16 22:29:36.20 [15184] 1+1: ## SSLway depth=0/-1 ok=0 20:"unable to get local issuer certificate"

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


diff -c openssl-0.9.8h/crypto/x509/by_dir.c ./crypto/x509/by_dir.c
*** openssl-0.9.8h/crypto/x509/by_dir.c	Mon Feb 19 02:23:20 2007
--- ./crypto/x509/by_dir.c	Sat Aug 16 22:36:07 2008
***************
*** 129,141 ****
--- 129,146 ----
  			else
  				ret=add_cert_dir(ld,X509_get_default_cert_dir(),
  					X509_FILETYPE_PEM);
+ fprintf(stderr,"----dir_ctrl(%s) DFLT ret=%d\n",
+ dir?dir:X509_get_default_cert_dir(),ret);
  			if (!ret)
  				{
  				X509err(X509_F_DIR_CTRL,X509_R_LOADING_CERT_DIR);
  				}
  			}
  		else
+ {
+ fprintf(stderr,"----dir_ctrl(%s) ret=%d\n",argp,ret);
  			ret=add_cert_dir(ld,argp,(int)argl);
+ }
  		break;
  		}
  	return(ret);
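Review bot: the fprintf added in the else branch ("----dir_ctrl(%s) ret=%d") runs before `ret=add_cert_dir(ld,argp,(int)argl);`, so the ret it prints is whatever the variable held on function entry, not the result of adding the directory. Move the fprintf below the assignment, as the DFLT branch above already does, so the two traces are comparable.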
***************
*** 181,188 ****
--- 186,195 ----
  	const char *s,*ss,*p;
  	char **pp;
  
+ fprintf(stderr,"----add_cert_dir [%s]\n",dir?dir:NULL);
  	if (dir == NULL || !*dir)
  	    {
+ fprintf(stderr,"----emp--add_cert_dir [%s]\n",dir?dir:NULL);
  	    X509err(X509_F_ADD_CERT_DIR,X509_R_INVALID_DIRECTORY);
  	    return 0;
  	    }
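Review bot: `dir?dir:NULL` hands a null pointer to a %s conversion whenever dir is NULL, which is undefined behaviour in printf (glibc prints "(null)", other C libraries crash), and that is exactly the `dir == NULL || !*dir` case this hunk also traces. Use a literal fallback as the by_file.c hunk does: fprintf(stderr,"----add_cert_dir [%s]\n",dir?dir:"(NULL)");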
***************
*** 232,237 ****
--- 239,245 ----
  			strncpy(ctx->dirs[ctx->num_dirs],ss,(unsigned int)len);
  			ctx->dirs[ctx->num_dirs][len]='\0';
  			ctx->num_dirs++;
+ fprintf(stderr,"----add_cert_dir [%s] (%d)\n",dir?dir:NULL,ctx->num_dirs);
  			}
  		if (*p == '\0') break;
  		}
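Review bot: by this point dir has already passed the NULL/empty check earlier in add_cert_dir, so the `dir?dir:NULL` ternary is dead code (and would again feed NULL to %s if it were ever taken). Print `dir` directly, or better `ctx->dirs[ctx->num_dirs-1]`, which is the path component just copied two lines above; dir is the whole colon-separated list, so the current trace prints the same string for every component.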
***************
*** 260,265 ****
--- 268,274 ----
  	X509_OBJECT stmp,*tmp;
  	const char *postfix="";
  
+ fprintf(stderr,"----get_cert_by_subj.dir %X\n",name);
  	if (name == NULL) return(0);
  
  	stmp.type=type;
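Review bot: `%X` with an `X509_NAME *` argument is a type mismatch: %X expects an unsigned int, so on LP64 builds the pointer is truncated and the call is undefined behaviour. Use `%p` with a cast: fprintf(stderr,"----get_cert_by_subj.dir %p\n",(void *)name);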
***************
*** 292,299 ****
--- 301,311 ----
  	ctx=(BY_DIR *)xl->method_data;
  
  	h=X509_NAME_hash(name);
+ fprintf(stderr,"----get_cert_by_subj.dir num=%d\n",ctx->num_dirs);
  	for (i=0; i<ctx->num_dirs; i++)
  		{
+ fprintf(stderr,"----get_cert_by_subj.dir %d/%d %s\n",
+ i,ctx->num_dirs,ctx->dirs[i]);
  		j=strlen(ctx->dirs[i])+1+8+6+1+1;
  		if (!BUF_MEM_grow(b,j))
  			{
***************
*** 336,341 ****
--- 348,355 ----
  					postfix,k);
  				}
  			k++;
+ fprintf(stderr,"----get_cert_by_subj.dir %d/%d %s\n",
+ i,ctx->num_dirs,b->data);
  			if (stat(b->data,&st) < 0)
  				break;
  			/* found one. */
diff -c openssl-0.9.8h/crypto/x509/by_file.c ./crypto/x509/by_file.c
*** openssl-0.9.8h/crypto/x509/by_file.c	Sun Dec  5 06:25:51 2004
--- ./crypto/x509/by_file.c	Sat Aug 16 21:42:25 2008
***************
*** 95,100 ****
--- 95,101 ----
  	int ok=0;
  	char *file;
  
+ fprintf(stderr,"----by_file_ctrl [%s]\n",argp?argp:"(NULL)");
  	switch (cmd)
  		{
  	case X509_L_FILE_LOAD:
***************
*** 109,114 ****
--- 110,117 ----
  				ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
  					      X509_FILETYPE_PEM) != 0);
  
+ fprintf(stderr,"----by_file_ctrl DFLT[%s] ok=%d\n",
+ file?file:X509_get_default_cert_file(),ok);
  			if (!ok)
  				{
  				X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
***************
*** 137,142 ****
--- 140,146 ----
  	if (file == NULL) return(1);
  	in=BIO_new(BIO_s_file_internal());
  
+ fprintf(stderr,"----load_cert_ctrl %s\n",file?file:"");
  	if ((in == NULL) || (BIO_read_filename(in,file) <= 0))
  		{
  		X509err(X509_F_X509_LOAD_CERT_FILE,ERR_R_SYS_LIB);
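Review bot: `file?file:""` is redundant here: the visible line `if (file == NULL) return(1);` just above already guarantees file is non-NULL, so print `file` directly; the identical ternary in the next hunk of this function can be simplified the same way.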
***************
*** 164,169 ****
--- 168,174 ----
  					}
  				}
  			i=X509_STORE_add_cert(ctx->store_ctx,x);
+ fprintf(stderr,"----load_cert_ctrl %s = %d\n",file?file:"",i);
  			if (!i) goto err;
  			count++;
  			X509_free(x);

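The traces above show the order in which OpenSSL consults trust material: an explicit CAfile is loaded eagerly, then (when the default paths are set) the default cert file is loaded eagerly and the default cert directory is consulted lazily, by subject-name hash, for each issuer that is still missing; with no default paths (case D) the chain stops at "unable to get local issuer certificate". The script below is an added example, not DeleGate's sslway nor the OpenSSL patch, that reproduces that decision and checks the three failure causes named in the reply: a default directory that is absent, that is empty, or that contains copied PEM files but no hashed entries (c33a80d4.0 style). Compile-time defaults are taken from ssl.get_default_verify_paths(); the SSL_CERT_FILE / SSL_CERT_DIR overrides are read from whatever mapping is passed. The `compiled` parameter and the make_fixture() directories are constructed for offline testing and are not real CA material.

```python
"""Plan which OpenSSL trust-store locations a verifier will consult.

Added illustration (not DeleGate/sslway code).  Mirrors the lookup order in the
sslway traces: explicit -CAfile, then default cert file, then default cert
directory (consulted lazily, per issuer, by subject hash).
"""
import os
import re
import ssl
import tempfile
from dataclasses import dataclass, field

# OpenSSL hash-dir entries look like c33a80d4.0 (cert) or c33a80d4.r0 (CRL)
HASHED_ENTRY = re.compile(r"^[0-9a-f]{8}\.r?\d+$")


def hash_dir_status(path):
    """Classify a CApath directory the way a lazy by-hash lookup would see it."""
    if not os.path.isdir(path):
        return "missing"      # add_cert_dir succeeds, but every stat() of <hash>.N fails
    names = os.listdir(path)
    if not names:
        return "empty"
    if not any(HASHED_ENTRY.match(n) for n in names):
        return "unhashed"     # a copied thawteCp.pem is never found: it needs a c_rehash link
    return "ok"


@dataclass
class TrustStorePlan:
    lookups: list = field(default_factory=list)   # (kind, path, status) in consult order
    problems: list = field(default_factory=list)

    def will_consult_dir(self, path):
        return any(k == "dir" and p == path for k, p, _ in self.lookups)


def plan_trust_store(cafile=None, set_default_paths=True, env=None, compiled=None):
    """Return the lookup order OpenSSL will use for this configuration.

    cafile            -- explicit -CAfile, or None
    set_default_paths -- whether X509_STORE_set_default_paths() is called (A-C: yes, D: no)
    env               -- mapping consulted for SSL_CERT_FILE / SSL_CERT_DIR (default os.environ)
    compiled          -- (default_cert_file, default_cert_dir); default: this build's values
    """
    env = os.environ if env is None else env
    if compiled is None:
        dvp = ssl.get_default_verify_paths()
        compiled = (dvp.openssl_cafile, dvp.openssl_capath)
    plan = TrustStorePlan()

    if cafile is not None:
        status = "ok" if os.path.isfile(cafile) else "missing"
        plan.lookups.append(("file", cafile, status))
        if status != "ok":
            plan.problems.append(f"-CAfile {cafile} cannot be read (fatal)")

    if set_default_paths:
        default_file = env.get("SSL_CERT_FILE", compiled[0])
        default_dir = env.get("SSL_CERT_DIR", compiled[1])
        # A missing default file is only "ok=0" in the trace; it does not stop verification
        plan.lookups.append(("file", default_file,
                             "ok" if os.path.isfile(default_file) else "missing"))
        dstatus = hash_dir_status(default_dir)
        plan.lookups.append(("dir", default_dir, dstatus))
        if dstatus != "ok":
            plan.problems.append(f"default cert dir {default_dir} is {dstatus}; "
                                 "issuer lookup by subject hash will fail there")
    return plan


def make_fixture():
    """Constructed sample directories (empty files, not real certificates) for offline tests."""
    root = tempfile.mkdtemp(prefix="certs-")
    good = os.path.join(root, "hashed")
    unhashed = os.path.join(root, "unhashed")
    empty = os.path.join(root, "empty")
    for d in (good, unhashed, empty):
        os.mkdir(d)
    open(os.path.join(good, "c33a80d4.0"), "w").close()        # hash-style name
    cafile = os.path.join(unhashed, "thawteCp.pem")            # copied PEM, never rehashed
    open(cafile, "w").close()
    return {"good": good, "unhashed": unhashed, "empty": empty,
            "missing": os.path.join(root, "nope"), "cafile": cafile}


if __name__ == "__main__":
    fx = make_fixture()
    for label in ("good", "unhashed", "empty", "missing"):
        plan = plan_trust_store(cafile=fx["cafile"], env={"SSL_CERT_DIR": fx[label]},
                                compiled=("/nonexistent/cert.pem", "/nonexistent/certs"))
        print(label, plan.lookups, plan.problems)
```

Run it with no arguments to see the four directory states; on a live host call plan_trust_store(cafile="/path/to/ca.pem") with no env or compiled override and it reports the build's real defaults, including whether SSL_CERT_DIR has redirected the lookup away from /etc/ssl/certs.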