maemo.org - Talk


independent 2014-12-04 19:25

Openssl certs and the files in /etc/certs/common-ca
 
Hello all.

Following on from the excellent thread with modest connecting with regards to / sslv3 / tlsv1..

I've been checking to see if openssl connects to various websites securely via the command line.

Code:

openssl s_client -connect startpage.com:443 -prexit

This outputs the error:

Code:

Verify return code: 20 (unable to get local issuer certificate)

This request does not produce the error:

Code:

openssl s_client -CApath /etc/certs/common-ca/ -connect startpage.com:443 -prexit

Which is understandable seeing as /etc/ssl/certs/ is empty except for a null byte's worth of a ca-certificates.crt file.

My reading of this is openssl cannot see the directory with the ca-certificates in it.
What I have done to try and fix this (to no avail):
- I have tried editing the /etc/ssl/openssl.crt file.
- I have tried symlinking to the /etc/certs/common-ca in several different ways.
- Tried copying the files over.

The reason is I use a version of links-browser with ssl support compiled in. It seems to work but testing with the openssl commands doesn't seem to work. Any ideas?

-----

PS: on a completely different note, to remove sslv3 (POODLE vulnerability) support in the web browser, change about:config and set this switch:
security.enable_ssl3 user set boolean false

totalizator 2014-12-09 09:32

Re: Openssl certs and the files in /etc/certs/common-ca
 
I have struggled with validating certificates on N900 recently and this is how I understand it:
Code:

openssl s_client -connect startpage.com:443 -prexit

Code:

Verify return code: 20 (unable to get local issuer certificate)

This will always end with an error as you are not passing the location of the certificates to the openssl command like in your next example. It has nothing to do with the empty /etc/ssl/certs/ folder. Try it using some other Linux distro and it will end with the same error too.

There is nothing to be fixed.

Applications like links-browser or Alpine email client know the location of certificates because it's provided during compilation as one of the configure script arguments: --with-ssl=path (for links) and --with-ssl-certs-dir=path (for Alpine).
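
A check for the situation discussed in this thread, added here as an example and not posted by any participant: OpenSSL resolves issuers in a -CApath directory by file name, so the script classifies a directory as missing, empty, unhashed or hashed. The function names are made up for this example; the two fixed paths are the ones from the first post, and the default directory is read from `openssl version -d`.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are made up here.
# With -CApath, OpenSSL finds an issuer by file name: 8 hex digits of the
# subject-name hash, a dot and a sequence number (a constructed name would
# be 2c543cd1.0), usually a symlink created by c_rehash. Files named any
# other way are not found by that lookup.

# Print missing | empty | unhashed | hashed for directory $1.
ca_dir_status() {
    dir=$1
    if [ ! -d "$dir" ]; then echo missing; return 0; fi
    hashed=0; other=0
    for f in "$dir"/*; do
        # Skip an unmatched glob, dangling symlinks and zero-byte files.
        if [ ! -f "$f" ] || [ ! -s "$f" ]; then continue; fi
        case ${f##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                hashed=$((hashed + 1)) ;;
            *)  other=$((other + 1)) ;;
        esac
    done
    if [ "$hashed" -gt 0 ]; then echo hashed
    elif [ "$other" -gt 0 ]; then echo unhashed
    else echo empty
    fi
}

# Print the compiled-in default CA directory (OPENSSLDIR/certs), or nothing
# when no openssl binary is on PATH.
default_ca_dir() {
    if command -v openssl >/dev/null 2>&1; then
        openssl version -d | sed -n 's|^OPENSSLDIR: "\(.*\)"$|\1/certs|p'
    fi
}

# Report on the default directory and the two paths named in the first post.
for d in "$(default_ca_dir)" /etc/ssl/certs /etc/certs/common-ca; do
    if [ -n "$d" ]; then
        printf '%s: %s\n' "$d" "$(ca_dir_status "$d")"
    fi
done
```

A directory reported as unhashed holds certificate files that a -CApath lookup cannot find until c_rehash has been run on it.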

reinob 2014-12-09 15:36

Re: Openssl certs and the files in /etc/certs/common-ca
 
Quote:

Originally Posted by independent (Post 1450680)
The reason is I use a version of links-browser with ssl support compiled in.

And when are you planning to post one or more of the following (in increasing order of niceness :)

(a) the binary .deb
(b) instructions on how you compiled it
(c) announcement of package availability in extras-devel

Cheers.

independent 2014-12-11 08:19

Re: Openssl certs and the files in /etc/certs/common-ca
 
Quote:

Originally Posted by reinob (Post 1451256)
And when are you planning to post one or more of the following (in increasing order of niceness :)
Cheers.

It was two years ago and it's a bin I made when I had a scratchbox install. I transfer it between installs. ..and I forgot I must have linked openssl to /etc/certs/common-ca/ (wireshark shows no http leakage). I don't think anyone wants it ;)

