[MacPorts] #47805: curl @7.42.1_0+ssl, openssl @1.0.2a_0 - SSL certificate problem: unable to get local issuer certificate
#47805: curl @7.42.1_0+ssl, openssl @1.0.2a_0 - SSL certificate problem: unable to get local issuer certificate
----------------------+--------------------------------
 Reporter:  fabien@…  |      Owner:  macports-tickets@…
     Type:  defect    |     Status:  new
 Priority:  Normal    |  Milestone:
Component:  ports     |    Version:  2.3.3
 Keywords:            |       Port:
----------------------+--------------------------------
Hi,

I have a CA certificate validation issue with some libraries: cURL (the binary or PHP's extension), PHP SOAP, and probably every library that needs to validate CA certificates (an OpenSSL issue?). I'm on OS X 10.10.3 with the latest Xcode.

{{{
$wsdl = "https://www.chronopost.fr/recherchebt-ws-cxf/PointRelaisServiceWS?wsdl";
$curl = curl_init($wsdl);
$result = curl_exec($curl);
echo curl_error($curl);
}}}

Returns this error:

{{{
SSL certificate problem: unable to get local issuer certificate
}}}

The only way I found to solve the issue for cURL is to use the port "certsync" instead of "curl-ca-bundle". OpenSSL is still not able to validate the CA:

{{{
openssl s_client -showcerts -connect www.google.com:443
}}}

returns:

{{{
....
Verify return code: 20 (unable to get local issuer certificate)
}}}

I don't know what to do; is it a bug?

Thx,
Fabien

--
Ticket URL: <https://trac.macports.org/ticket/47805>
MacPorts <https://www.macports.org/>
Ports system for OS X
Changes (by mf2k@…):

 * owner:  macports-tickets@… => ryandesign@…
 * port:   => curl

Comment:

In the future, please fill in the Port field and Cc the port maintainers ({{{port info --maintainers curl}}}), if any.

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:1>
Changes (by mf2k@…):

 * cc:    larryv@…, cal@… (added)
 * port:  curl => curl openssl

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:2>
Changes (by larryv@…):

 * cc:  ionic@… (added)

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:3>
Comment (by ionic@…):

Try

{{{
openssl s_client -showcerts -connect www.google.com:443 -CAfile /opt/local/etc/openssl/certs.pem -trusted_first
}}}

If that works, uhm... I don't know either. Maybe we'll have to patch curl to support this new option.

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:4>
Comment (by cal@…):

The problem is that Apple removed a 1024-bit root in Yosemite that was used as a trust anchor for Google's (and possibly other sites') certificates. Normally, this would not affect certificate validity, because one of the intermediate certificates in its chain is itself a trusted root CA in OS X (in the case of Google, it's GeoTrust Global CA).

However, OpenSSL before 1.0.2 does not detect this situation as it should (by checking whether any of the intermediates is a trusted root CA) and always follows the chain of trust to the end. In this situation, it fails to verify the certificate, because the end of the chain of certificates is actually not trusted. OpenSSL 1.0.2 added a switch to fix that (activated by `-trusted_first` in `openssl s_client`), but this option needs to be enabled by each piece of software separately.

For curl, see https://www.mail-archive.com/curl-library@cool.haxx.se/msg11483.html.

For python, see http://bugs.python.org/issue23476 (will be part of 2.7.10).

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:5>
Comment (by fabien@…):

Replying to [comment:4 ionic@…]:
> Try
> {{{
> openssl s_client -showcerts -connect www.google.com:443 -CAfile /opt/local/etc/openssl/certs.pem -trusted_first
> }}}
> If that works, uhm... I don't know either. Maybe we'll have to patch curl to support this new option.

Hi,

I have tried, but it doesn't work; I get the same return message.

{{{
    Start Time: 1432401601
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
}}}

Thx,
Fabien

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:7>
Comment (by fabien@…):

Replying to [comment:5 cal@…]:
> The problem is that Apple removed a 1024-bit root in Yosemite that was used as a trust anchor for Google's (and possibly other sites') certificates. Normally, this would not affect certificate validity, because one of the intermediate certificates in its chain is itself a trusted root CA in OS X (in the case of Google, it's GeoTrust Global CA).
>
> However, OpenSSL before 1.0.2 does not detect this situation as it should (by checking whether any of the intermediates is a trusted root CA) and always follows the chain of trust to the end. In this situation, it fails to verify the certificate, because the end of the chain of certificates is actually not trusted. OpenSSL 1.0.2 added a switch to fix that (activated by `-trusted_first` in `openssl s_client`), but this option needs to be enabled by each piece of software separately.
>
> For curl, see https://www.mail-archive.com/curl-library@cool.haxx.se/msg11483.html (the thread seems to have ended up dead, so we should follow up).
>
> For python, see http://bugs.python.org/issue23476 (will be part of 2.7.10).

OK, but how can we explain that cURL works when '''certsync''' is activated, and not with '''curl-ca-bundle'''?

{{{
curl https://www.chronopost.fr/recherchebt-ws-cxf/PointRelaisServiceWS?wsdl
}}}

Thx,
Fabien

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:8>
Comment (by xeron.oskom@…):

Replying to [comment:7 fabien@…]:
> Replying to [comment:4 ionic@…]:
> > Try
> > {{{
> > openssl s_client -showcerts -connect www.google.com:443 -CAfile /opt/local/etc/openssl/certs.pem -trusted_first
> > }}}
> > If that works, uhm... I don't know either. Maybe we'll have to patch curl to support this new option.
>
> Hi,
>
> I have tried, but it doesn't work; I get the same return message.
>
> {{{
>     Start Time: 1432401601
>     Timeout   : 300 (sec)
>     Verify return code: 20 (unable to get local issuer certificate)
> }}}
>
> Thx,
> Fabien

This command has a typo. It should be:

{{{
openssl s_client -showcerts -connect www.google.com:443 -CAfile /opt/local/etc/openssl/cert.pem -trusted_first
}}}

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:9>
Comment (by cal@…):

Replying to [comment:8 fabien@…]:
> OK, but how can we explain that cURL works when '''certsync''' is activated, and not with '''curl-ca-bundle'''?

Easy enough: MacPorts curl uses MacPorts OpenSSL, which is configured to use `/opt/local/etc/openssl/cert.pem` as its default bundle of trusted root CAs. `certsync` and `curl-ca-bundle` are two ways to provide this file. `certsync` exports the certificates your OS X considers trusted (including manually added ones and excluding manually distrusted or removed ones), while `curl-ca-bundle` just installs Mozilla's current list of root CAs.

Apple has removed the Equifax root CA, because it was 1024 bit only and thus no longer considered secure. Mozilla has apparently not done this yet, but certainly will soon.

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:10>
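The mechanism cal describes in comment:5 (OpenSSL following the server-sent chain to its end instead of stopping at the first trusted intermediate, which `-trusted_first` fixes) and the trust-store difference from comment:10 (a `cert.pem` with or without the 1024-bit Equifax root) can be played through in a small model. The following Python is an added illustration, not MacPorts, curl or OpenSSL code: a certificate is reduced to a (subject, issuer) pair, no signatures are checked, the chain is modelled on the Google chain named in the thread, and which root each trust store still contains is an assumption made for the example.

```python
"""
Toy model of X.509 chain building with and without OpenSSL's trusted-first
lookup. Constructed illustration, not MacPorts, curl or OpenSSL code: a
certificate is a (subject, issuer) pair and no signatures are checked.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Chain as a server might send it, modelled on the Google chain discussed in
# the ticket (names taken from the thread; real certificates carry far more).
LEAF = Cert("www.google.com", "Google Internet Authority G2")
GIA_G2 = Cert("Google Internet Authority G2", "GeoTrust Global CA")
# Cross-signed copy of GeoTrust Global CA, issued by the 1024-bit Equifax root.
GEOTRUST_CROSS = Cert("GeoTrust Global CA", "Equifax Secure Certificate Authority")
SERVER_CHAIN = [LEAF, GIA_G2, GEOTRUST_CROSS]

# Trust stores hold self-signed roots only (this is what cert.pem models).
GEOTRUST_ROOT = Cert("GeoTrust Global CA", "GeoTrust Global CA")
EQUIFAX_ROOT = Cert("Equifax Secure Certificate Authority",
                    "Equifax Secure Certificate Authority")
# Assumed: a certsync export on Yosemite, where Apple dropped the Equifax root.
STORE_WITHOUT_EQUIFAX = frozenset({GEOTRUST_ROOT})
# Assumed: a Mozilla-derived bundle that still ships the Equifax root.
STORE_WITH_EQUIFAX = frozenset({GEOTRUST_ROOT, EQUIFAX_ROOT})

# OpenSSL verify result strings (codes 20 and 19 respectively).
ERR_NO_LOCAL_ISSUER = "unable to get local issuer certificate"
ERR_SELF_SIGNED_IN_CHAIN = "self signed certificate in certificate chain"


def find_trusted(subject: str, store: Iterable[Cert]) -> Optional[Cert]:
    """Look a root up by subject name in the trust store."""
    return next((c for c in store if c.subject == subject), None)


def build_chain(leaf: Cert, untrusted: List[Cert], store: Iterable[Cert],
                trusted_first: bool, max_depth: int = 10) -> Tuple[bool, str, List[str]]:
    """Walk from the leaf towards a root; return (ok, error, chain_subjects).

    trusted_first=False models OpenSSL before 1.0.2 (and 1.0.2 without
    X509_V_FLAG_TRUSTED_FIRST): the issuer is taken from the server-sent
    certificates whenever one matches, and the trust store is consulted only
    once the sent chain runs out. trusted_first=True models -trusted_first:
    the store is checked before the sent certificates at every step, so the
    walk stops at the first trusted root it meets.
    """
    by_subject = {c.subject: c for c in untrusted}
    chain = [leaf]
    cur = leaf
    for _ in range(max_depth):
        subjects = [c.subject for c in chain]
        if cur.self_signed:
            # End of the chain: only valid if this root is actually trusted.
            if cur in store:
                return True, "", subjects
            return False, ERR_SELF_SIGNED_IN_CHAIN, subjects
        trusted = find_trusted(cur.issuer, store)
        sent = by_subject.get(cur.issuer)
        nxt = (trusted or sent) if trusted_first else (sent or trusted)
        if nxt is None:
            # Neither the sent chain nor the store knows the issuer: code 20.
            return False, ERR_NO_LOCAL_ISSUER, subjects
        chain.append(nxt)
        cur = nxt
    return False, "certificate chain too long", [c.subject for c in chain]


def verify(store: Iterable[Cert], trusted_first: bool) -> Tuple[bool, str, List[str]]:
    """Verify the modelled Google chain against a store, with or without -trusted_first."""
    return build_chain(LEAF, SERVER_CHAIN, store, trusted_first)


if __name__ == "__main__":
    stores = (("store without Equifax", STORE_WITHOUT_EQUIFAX),
              ("store with Equifax", STORE_WITH_EQUIFAX))
    for name, store in stores:
        for tf in (False, True):
            ok, err, chain = verify(store, tf)
            status = "OK" if ok else f"FAIL ({err})"
            print(f"{name:22} trusted_first={tf!s:5} -> {status}: {' -> '.join(chain)}")
```

Running it prints the four combinations: only the legacy walk against the store without the Equifax root fails, and it fails with exactly the "unable to get local issuer certificate" result the reporter sees, because the walk has followed the cross-signed GeoTrust certificate up to an issuer that is in neither the sent chain nor the store. With trusted-first lookup the walk ends at the GeoTrust root as soon as it is found in the store, whichever bundle is installed.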
Comment (by fabien@…):

Replying to [comment:10 cal@…]:
> Replying to [comment:8 fabien@…]:
> > OK, but how can we explain that cURL works when '''certsync''' is activated, and not with '''curl-ca-bundle'''?
>
> Easy enough: MacPorts curl uses MacPorts OpenSSL, which is configured to use `/opt/local/etc/openssl/cert.pem` as its default bundle of trusted root CAs. `certsync` and `curl-ca-bundle` are two ways to provide this file. `certsync` exports the certificates your OS X considers trusted (including manually added ones and excluding manually distrusted or removed ones), while `curl-ca-bundle` just installs Mozilla's current list of root CAs.
>
> Apple has removed the Equifax root CA, because it was 1024 bit only and thus no longer considered secure. Mozilla has apparently not done this yet, but certainly will soon.

Thx, it's clearer to me now.

Fabien

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:11>
Comment (by ryandesign@…):

Replying to [comment:5 cal@…]:
> For curl, see https://www.mail-archive.com/curl-library@cool.haxx.se/msg11483.html (the thread seems to have ended up dead, so we should follow up).

I just emailed the curl developer to ask what became of this.

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:12>
Comment (by cal@…):

Meanwhile, python has been updated to 2.7.10, fixing this issue.

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:13>
Comment (by ryandesign@…):

Replying to [comment:13 cal@…]:
> Meanwhile, python has been updated to 2.7.10, fixing this issue.

Fixing the issue for python, you mean? The issue remains for curl, right?

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:14>
Comment (by ryandesign@…):

Replying to [comment:12 ryandesign@…]:
> Replying to [comment:5 cal@…]:
> > For curl, see https://www.mail-archive.com/curl-library@cool.haxx.se/msg11483.html (the thread seems to have ended up dead, so we should follow up).
>
> I just emailed the curl developer to ask what became of this.

He thought the issue may just have been forgotten, and asked me to bring it back to the mailing list, so I did: http://curl.haxx.se/mail/lib-2015-05/0146.html

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:15>
Comment (by cal@…):

Replying to [comment:14 ryandesign@…]:
> Fixing the issue for python, you mean? The issue remains for curl, right?

Yes. We may see the same issue in other software as well.

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:16>
Changes (by cal@…):

 * status:      new => closed
 * resolution:  => fixed

Comment:

cURL has fixed this upstream: https://github.com/curl/curl/commit/b8673bb9f05013eef1ae413e15ac995e9d215641.

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:17>