
Author Topic: ca-certs  (Read 2897 times)

Offline Paul_123

  • Administrator
  • Hero Member
  • Posts: 1063
ca-certs
« on: December 26, 2016, 09:50:14 AM »
For some reason git/curl refused to work without a ca-bundle.crt today. I downloaded the latest and put it in /usr/local/etc/pki/certs/ca-bundle.crt, and everything was happy.

I can understand you not wanting to maintain cert extensions, but is there an official way of obtaining certs for the various applications in piCore?

Also, openssl doesn't have any certs either, I've struggled getting any ca-certs openssl to work.

Offline bmarkus

  • Administrator
  • Hero Member
  • Posts: 7183
    • My Community Forum
Re: ca-certs
« Reply #1 on: December 26, 2016, 05:00:21 PM »
ca-certificates.tcz added to repo and as a dependency to openssl.tcz which is updated. Tested with curl, wget and git.

Béla
Ham Radio callsign: HA5DI

"Amateur Radio: The First Technology-Based Social Network."

Offline Paul_123

  • Administrator
  • Hero Member
  • Posts: 1063
Re: ca-certs
« Reply #2 on: December 27, 2016, 09:18:56 AM »
GNU wget works; any way to fix busybox wget from the openssl side of things? Right now busybox wget is not secure as it doesn't care if the cert validates.

busybox wget opens openssl with the following command line:
Code:
1209 tc       wget https://github.com/Logitech/slimserver.git
 1210 tc       [openssl]
 1211 tc       openssl s_client -quiet -connect github.com:443

When openssl is opened with the above command line, it still cannot find the local certificate, but doesn't care.
Code:
tc@devel:~$ openssl s_client  -connect github.com:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(I removed the cert for space)
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3642 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: FB29F471CAB5726CE9202B2F21239489EB8C233CEA9F62E0DA53DCCEA2DA779F
    Session-ID-ctx:
    Master-Key: 7F3074A29D156515EE919A02807C9E302BC0317A9A321D2C6B774A7553D2AB9525486588BF81517D8495694CB56EE963
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1482856990
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

When told where to find the cert, it now verifies the cert okay.
Code:
tc@devel:~$ openssl s_client -CAfile /usr/local/etc/pki/certs/ca-bundle.crt  -connect github.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 5157550, street = "88 Colin P Kelly, Jr Street", postalCode = 94107, C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
verify return:1
---
Certificate chain
 0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
Certificate removed.
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3642 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 742638626D4E66499027715747184A6229C8D6F989D19D1FC689271C8BDF1090
    Session-ID-ctx:
    Master-Key: 0471A0EE5EE3EE6737CD969A437EBF46152477D37625EBA99548F3A82FFE70AAE983F64B60A1A21F054189579A6A2D63
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1482857075
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


Offline bmarkus

  • Administrator
  • Hero Member
  • Posts: 7183
    • My Community Forum
Re: ca-certs
« Reply #3 on: December 28, 2016, 06:31:48 AM »
openssl certificates fixed, update ca-certificates.tcz
Béla
Ham Radio callsign: HA5DI

"Amateur Radio: The First Technology-Based Social Network."

Offline Paul_123

  • Administrator
  • Hero Member
  • Posts: 1063
Re: ca-certs
« Reply #4 on: December 28, 2016, 01:15:32 PM »
openssl now can verify certs without any special commands. Unfortunately busybox wget still doesn't care if the cert validates. This is probably a busybox source problem to fix. They need to add -verify_return_error to their connect string, and then do something with it. Unless there is a way to make openssl exit on cert validation error.

I was just looking at the busybox 1.26 change log. While it appears that they are working on openssl compatibility, they are moving to a different helper binary.
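
Added example, not part of any post in this thread and not busybox or piCore code: a fail-closed shell check that turns the "Verify return code" line of `openssl s_client` output (as quoted in Reply #2) into an exit status a download script can act on. The function names `verify_code`, `chain_trusted` and `check_host` are hypothetical, and the two samples are constructed by trimming the sessions shown above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; samples are constructed.

# verify_code: read s_client output on stdin and print the numeric
# "Verify return code". Returns 2 if no such line exists (for example
# the connection failed before the session summary was printed).
verify_code() {
    code=$(sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    [ -n "$code" ] || return 2
    printf '%s\n' "$code"
}

# chain_trusted: succeed only when the verify return code is 0 (ok).
# Missing or unparsable output counts as untrusted (fail closed).
chain_trusted() {
    code=$(verify_code) || return 2
    [ "$code" -eq 0 ]
}

# check_host HOST [CAFILE]: live check; needs network access and openssl.
# stdin is closed so s_client exits right after the handshake.
check_host() {
    host=$1
    cafile=${2:-}
    if [ -n "$cafile" ]; then
        out=$(openssl s_client -CAfile "$cafile" -servername "$host" \
              -connect "$host:443" </dev/null 2>&1)
    else
        out=$(openssl s_client -servername "$host" \
              -connect "$host:443" </dev/null 2>&1)
    fi
    printf '%s\n' "$out" | chain_trusted
}

# Constructed samples, trimmed from the two sessions quoted in Reply #2.
SAMPLE_FAIL='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
    Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_OK='CONNECTED(00000003)
verify return:1
    Verify return code: 0 (ok)'
```

A script would call `check_host github.com /usr/local/etc/pki/certs/ca-bundle.crt || exit 1` before fetching over HTTPS. s_client does not check the certificate's hostname by default, so code 0 means only that the chain validated against the CA bundle.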