Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 29 Nov 2015 17:23:33 +0000
From:      Oliver Schonrock <oliver@schonrocks.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: openssl: verify error:num=20:unable to get local issuer certificate
Message-ID:  <565B3495.40005@schonrocks.com>
In-Reply-To: <565B2ACD.4030509@schonrocks.com>
References:  <565B2ACD.4030509@schonrocks.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

just a little more info

On 29/11/15 16:41, Oliver Schonrock wrote:
> 2. there is something wrong with the openssl installation on that
> 10.1 machine.

I install openssl from ports to test:
pkg install openssl

/usr/local/bin/openssl s_client -connect api.textmarketer.co.uk:443
2>&1 | less

depth=2 C = US, O = "thawte, Inc.", OU = Certification Services
Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN =
thawte Primary Root CA
verify return:1

works!...so does that mean my openssl in the base system is messed up?

(I also compared my /etc/ssl/openssl.cnf with the working 10.2
machine, and that's identical as well).

Is it this upgrade below??? Is there any way to validate openssl, or
reinstall it in base?

> I did upgrade this machine from 10.0 to 10.1 using freebsd-update
> on October 16th 2015 (too late I know, could that be the issue?). I
> also installed the recent updates for ntpd vulnerabilities etc. I
> did reboot after those.
> 
> Suspiciously, that problematic 10.1 machine was validating that
> exact cert path fine before the upgrade from 10.0. I know this
> because userland applications, like curl, are being used regularly
> to connect to that very site and I have logs to prove that it was
> working ...and now doesn't. I have put a workaround in place to get
> curl to connect untrusted, but that's not good, clearly. It also
> worries me what else is not working, or not secure?



- -- 
Oliver Schönrock
Mobile   : +44 7880 617 446
email    : oliver@schonrocks.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJWWzSVAAoJEF6SumULDx4PV+QH/RSbuej4QgLblRLJzOiOHT+6
Nn+zysDiyOlFXv6ZwTYrFN8gK77pAQLfkpd03kw+i2CyRoj9UUnDMPRAi18QM1PS
9jGpKxxLDNP2hMjqtnmDSUJ3S1suezUKfqwKeGVKp1eKuQ/pr4IH9XYLn9o0mnAL
XbPojBCDdw89srbOWtf2OrvsqMvUs4V78QAcn8AuANQMrKlHCw+Nwims8mp6xGc4
qmW04c7M1CO7J27qm3WuWt6ggEPQLSq1G0Y16P4ChP6ScixwYVzZpAlgv/hkDjjk
75xQ7R1At+2vr0tM/3hybllnl9QMjD9gk1Gd607XvcXu3MxsUKcYBnXf+Wy0h4I=
=CVgE
-----END PGP SIGNATURE-----



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?565B3495.40005>