6 votes

Pourquoi ma nouvelle Ubuntu 12.04 est incapable de vérifier un certificat ssl de Verisign ?

En bref : Cette demande échoue.

$ curl 'https://secure.ogone.com/ncol/prod/orderstandard.asp' -vv
* About to connect() to secure.ogone.com port 443 (#0)
*   Trying 213.254.248.101... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to secure.ogone.com:443 
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to secure.ogone.com:443 

Je suis conscient des risques de sécurité liés à sslv2, qui nécessitent que certaines connexions soient manuellement configurées en sslv1 ou sslv3.

Mais cela ne fonctionne pas non plus :

$ curl 'https://secure.ogone.com/ncol/prod/orderstandard.asp' -3
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Si je visite le site web dans un navigateur web, le certificat se vérifie sans problème.

J'utilise une image ubuntu 12.04 nue provenant du cloud amazon aws ec2 (64 bits, un des modèles standard de l'assistant ec2...).

Je ne sais pas vraiment comment commencer à déboguer cela, pourriez-vous m'indiquer la bonne direction ?

voici d'autres informations qui pourraient vous être utiles :

$ openssl s_client -connect secure.ogone.com:443
CONNECTED(00000003)
140292983105184:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 226 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

et avec ssl3

$ openssl s_client -connect secure.ogone.com:443 -ssl3
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=BE/businessCategory=V1.0, Clause 5.(b)/serialNumber=0459.360.623/C=BE/ST=Bruxelles-Capitale/L=Bruxelles/O=ogone sa/OU=System and Security Department/OU=Terms of use at www.verisign.com/rpa (c)05/CN=secure.ogone.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGOjCCBSKgAwIBAgIQCwc32mrm6LjjQI1bqD859TANBgkqhkiG9w0BAQUFADCB
vjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE4MDYGA1UEAxMv
VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBTR0MgQ0Ew
HhcNMTAwOTI3MDAwMDAwWhcNMTIxMTI1MjM1OTU5WjCCARMxEzARBgsrBgEEAYI3
PAIBAxMCQkUxGzAZBgNVBA8TElYxLjAsIENsYXVzZSA1LihiKTEVMBMGA1UEBRMM
MDQ1OS4zNjAuNjIzMQswCQYDVQQGEwJCRTEbMBkGA1UECBQSQnJ1eGVsbGVzLUNh
cGl0YWxlMRIwEAYDVQQHFAlCcnV4ZWxsZXMxETAPBgNVBAoUCG9nb25lIHNhMScw
JQYDVQQLFB5TeXN0ZW0gYW5kIFNlY3VyaXR5IERlcGFydG1lbnQxMzAxBgNVBAsU
KlRlcm1zIG9mIHVzZSBhdCB3d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEZMBcG
A1UEAxQQc2VjdXJlLm9nb25lLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBANRrC72j2Glzo6Z6NcMXGVEIyoZx3s74Q3ZQ1o0NSIyhS/0pHnZ0JUcd
S3qEJ3e1As2cMD303gOGWrCM96uBENTUK/Zdyq117yIhdLmgJjPWJWUgRdMrfZNU
LiOKYs2GkXmNGHzFiTTh5aFWdJKD8qcY0RIaGJX6h/p9YMfn/n8bTijgIaTJeZFv
BLE6C10R54G2pX6cIN9cW86MCUCnAskVVf6To/IetH5LPSHj6HPXpSzUKWgdKGlO
gQlQ2L+o/4fuemDRkZck2LEM6q0OXC2X19M/2pJYG8f/HJf52b+KHhGMnk0MTZ0Z
Ki/MWRMCSbnB+4ZNAXkwcn9+7NxnCrcCAwEAAaOCAdowggHWMAkGA1UdEwQCMAAw
CwYDVR0PBAQDAgWgMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwYwKjAoBggrBgEF
BQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczA+BgNVHR8ENzA1MDOg
MaAvhi1odHRwOi8vRVZJbnRsLWNybC52ZXJpc2lnbi5jb20vRVZJbnRsMjAwNi5j
cmwwNAYDVR0lBC0wKwYIKwYBBQUHAwEGCCsGAQUFBwMCBglghkgBhvhCBAEGCisG
AQQBgjcKAwMwHwYDVR0jBBgwFoAUTkPIHXbvN1N6T/JYb5TzOOLVvd8wbwYIKwYB
BQUHAQEEYzBhMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20w
OQYIKwYBBQUHMAKGLWh0dHA6Ly9FVkludGwtYWlhLnZlcmlzaWduLmNvbS9FVklu
dGwyMDA2LmNlcjBuBggrBgEFBQcBDARiMGChXqBcMFowWDBWFglpbWFnZS9naWYw
ITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEFGDAmFiRodHRwOi8vbG9n
by52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZIhvcNAQEFBQADggEBAIwD
Q6sJ7b/xtQmnZjcNL/2Xn3Fb6C28EDMZrTTU+Kz1HNSGH559MZ64O6eq7y6Opm8T
WMHNxJzLaBJr8P+lfmLSl9yBgIGi7Yn/cXewZ/cdHfZ/0RJNZTeFcItnqTraVZ1m
GOQ5371uH+ZM04WMbtx+m8oZOo0EVOgXEhlyTKfssY0Eh9aC/gR/icKmTVO1e7UG
+rWnsZHgSPqQ8GNmmLdU4xeGtui35aUO5jkY77hyD0vEbzUVVu6I7QkKIca1bHXW
vCSruz+f/RDCDWMhDnvHHdfQCh/Vz7k7tR+5l3fzb94xNg6p8tUZlcaJo6afSgf8
6K1m5u1J1UF78fQ7D+I=
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=BE/businessCategory=V1.0, Clause 5.(b)/serialNumber=0459.360.623/C=BE/ST=Bruxelles-Capitale/L=Bruxelles/O=ogone sa/OU=System and Security Department/OU=Terms of use at www.verisign.com/rpa (c)05/CN=secure.ogone.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 4647 bytes and written 483 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
    Session-ID: 6855CEA279C3DFBDE13EB6548FA84232F24326CAC2871ECDF7958C7F3A439E43
    Session-ID-ctx: 
    Master-Key: 493A03042D257B55049D85D17A54E0CD006F5CF6A41596FD73B8444EA79849F419CD02747AA4C1AE16BF15D525E541ED
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1344874575
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

(le programme ne sort pas et accepte stdin)

0 votes

Odd. Je n'ai pas d'instance 12.04 pour tester cela pour le moment, mais je peux confirmer que la première commande curl fonctionne avec cette URL lorsque je l'exécute sur Mac (Mountain Lion), Centos 5/6, et sur Lucid.

0 votes

Je n'avais pas de problème avec lucid non plus. j'ai installé beaucoup d'instancen sur amazon, maintenant avec la nouvelle version ça ne marche plus....

7voto

bain Points 173

Exécuter update-ca-certificates --fresh . Certaines installations d'Ubuntu 12.04 n'ont pas les liens symboliques dans /etc/ssl/certs (/etc/ssl/certs/ee1365c0.0 etc.) Sans ces liens symboliques, les applications qui en dépendent (comme openssl, wget, curl) échoueront.

1voto

utopiabound Points 156

Vous pouvez obtenir plus d'informations sur ce qui se passe en courant :

openssl s_client -connect secure.ogone.com:443

J'ai vérifié à partir de Centos 5.8, 6.3, et Fedora 17, et ils voient tous la chaîne de certificats comme parfaitement valide.

La connexion semble être SSLv3, SSL_RSA_WITH_RC4_128_MD5 ce qui semble raisonnable.

SistemesEz.com

SystemesEZ est une communauté de sysadmins où vous pouvez résoudre vos problèmes et vos doutes. Vous pouvez consulter les questions des autres sysadmins, poser vos propres questions ou résoudre celles des autres.

Powered by:

X