Active Topics

 


Reply
Thread Tools
Posts: 78 | Thanked: 84 times | Joined on Aug 2012
#1
Hello all.

Following on from the excellent thread with modest connecting with regards to / sslv3 / tlsv1..

I've been checking to see if openssl connects to various websites securely via the command line.

Code:
openssl s_client  -connect startpage.com:443 -prexit
This outputs the error:
Code:
Verify return code: 20 (unable to get local issuer certificate)
This request does not produce the error
Code:
openssl s_client -CApath /etc/certs/common-ca/ -connect startpage.com:443 -prexit
Which is understandable seeing as /etc/ssl/certs/ is empty except for a null bytes worth of a ca-certificates.crt file.

My reading of this is openssl cannot see the the directory with the ca-certificates in it.
What I have done to try and fix this (to no avail):
- I have tried editing the /etc/ssl/openssl.crt file.
- I have tried symlinking to the /etc/certs/common-ca in several different ways.
- Tried copying the files over.

The reason is I use a version of links-browser with ssl support compiled in. It seems to work but testing with the openssl commands doesn't seem to work. Any ideas?

-----

PS on a completely different note to remove sslv3 (POODLE vulnerability) support in the web browser. Change about:config and set this switch:
security.enable_ssl3 user set boolean false

Last edited by independent; 2014-12-04 at 19:38.
 
totalizator's Avatar
Posts: 47 | Thanked: 118 times | Joined on Jan 2009 @ Krakow, POLAND
#2
I have struggled with validating certificates on N900 recently and this is how I understand it:
Code:
openssl s_client  -connect startpage.com:443 -prexit
Code:
Verify return code: 20 (unable to get local issuer certificate)
This will always end with error as you are not passing location of the certificates to the openssl command like in your next example. It has nothing to do with empty /etc/ssl/certs/ folder. Try it using some other Linux distro and it will end with the same error too.

There is nothing to be fixed.

Applications like links-browser or Alpine email client know the location of certificates because it's provided during compilation as one of configure script arguments: --with-ssl=path for links and --with-ssl-certs-dir=path (for Alpine).
 

The Following 2 Users Say Thank You to totalizator For This Useful Post:
Posts: 1,808 | Thanked: 4,272 times | Joined on Feb 2011 @ Germany
#3
Originally Posted by independent View Post
The reason is I use a version of links-browser with ssl support compiled in.
And when are you planning to post one or more of the following (in increasing order of niceness

(a) the binary .deb
(b) instructions on how you compiled it
(c) announcement of package availability in extras-devel

Cheers.
 

The Following 2 Users Say Thank You to reinob For This Useful Post:
Posts: 78 | Thanked: 84 times | Joined on Aug 2012
#4
Originally Posted by reinob View Post
And when are you planning to post one or more of the following (in increasing order of niceness
Cheers.
It was two years ago and it's a bin I made when I had a scratchbox install. I transfer it between installs. ..and I forgot I must have linked openssl to /etc/certs/common-ca/ (wireshark shows no http leakage). I don't think anyone wants it
 

The Following 2 Users Say Thank You to independent For This Useful Post:
Reply

Tags
openssl


 
Forum Jump


All times are GMT. The time now is 08:07.