Thread: How to test SSL cert from CA?
Have a client using a commercial application. For a year plus we had been using a local self-signed certificate without issues. As of a few weeks ago a change/update to the program is making it complain about the self-signed cert. I bought an SSL cert and installed it, but the program is still having the issue. Does anyone know of a way to test the SSL connection such that it validates against the CA? Preferably an open source application. Connecting through psql works fine on SSL with what I have set up, but the application, xtuple, seems to still be having the issue. The client already wrote to the application support department, but is still waiting for an answer from them. If I had a way to at least reproduce the error I could more easily track down what I am missing. Any suggestions?
Francisco Reyes <lists@natserv.net> writes:
> Have a client using a commercial application. For a year plus we had
> been using a local self signed certificate without issues. As of a few
> weeks ago a change/update to the program is making it complain about the
> self signed cert.

What's the complaint exactly? A whole lot of stuff has been broken lately by recent changes in OpenSSL that make it reject certs with smaller key sizes. You might need to re-generate your cert with a larger size.

regards, tom lane
On Wed, Jul 8, 2015 at 10:17 PM, Francisco Reyes <lists@natserv.net> wrote:
> Does anyone know of a way to test the SSL connection such that it validates against the CA? Preferably an open source application. Connecting through psql works fine on SSL with what I have set up, but the application, xtuple, seems to still be having the issue.
openssl s_client -connect HOST:PORT -CAfile /path/to/CA.pem
check the man page for more options that will help you.
Here is what a bad connection looks like. This particular server does not send along the necessary intermediate certificate:
% openssl s_client -connect filer:443
CONNECTED(00000003)
depth=0 OU = GT35717807, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = *.int.kcilink.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = GT35717807, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = *.int.kcilink.com
verify error:num=21:unable to verify the first certificate
verify return:1
[ ... ]
Start Time: 1436468482
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
Here's what a good connection looks like where the server sends the necessary intermediate certificate:
% openssl s_client -connect vk-dev:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify return:1
depth=0 OU = GT35717807, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = *.int.kcilink.com
verify return:1
[ ... ]
Start Time: 1436468764
Timeout : 300 (sec)
Verify return code: 0 (ok)
The -verify_return_error option may help you as well.
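The two s_client transcripts above show the symptom, but reproducing it needs a live server. The script below is an added example (not from the thread or from any of the posters): it builds a throwaway root, intermediate and leaf with the openssl CLI, then runs openssl verify(1) once with only the root trusted and the leaf on its own, and once with the intermediate supplied via -untrusted, which is the chain a correctly configured server sends. All certificate names (Example Root CA, Example Issuing CA, db.example.test) are made up for the example. verify(1) reports the missing issuer as error 20 at lookup time, whereas s_client, which sees the same broken path from the wire, reports error 21 "unable to verify the first certificate"; the fix on the server side is the same in both cases.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# chain and compare verification with the intermediate missing versus supplied.
# A server whose certificate file holds only the leaf produces the first case.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Root CA (self-signed), intermediate CA (signed by the root) and a server leaf
# signed by the intermediate only. All names are made up for the example.
make_chain() (
    cd "$WORK"
    openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Issuing CA" -keyout int.key -out int.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
    openssl x509 -req -sha256 -days 365 -in int.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile int.ext -out int.crt 2>/dev/null
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=db.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:db.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
    openssl x509 -req -sha256 -days 365 -in leaf.csr -CA int.crt -CAkey int.key \
        -CAcreateserial -extfile leaf.ext -out leaf.crt 2>/dev/null
)

# Only the root is trusted and the leaf arrives alone, as with a server whose
# certificate file holds just the leaf: the issuer cannot be found (error 20).
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt"
}

# The intermediate travels with the leaf (-untrusted is how verify(1) takes the
# chain certs a server would send): the path to the root now closes.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt"
}

# What the server should present: the leaf first, then the intermediate(s),
# concatenated into one PEM file. Prints the number of certificates in it.
make_server_bundle() {
    cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/server.crt"
    grep -c 'BEGIN CERTIFICATE' "$WORK/server.crt"
}

make_chain
echo '--- leaf only, root trusted: expect error 20 (unable to get local issuer certificate)'
verify_without_intermediate || true
echo '--- leaf plus intermediate, root trusted: expect OK'
verify_with_intermediate
echo "--- server bundle holds $(make_server_bundle) certificates (leaf, then intermediate)"
```

The bundle built in the last step is the shape PostgreSQL expects in the file named by ssl_cert_file: the server certificate first, followed by the intermediates, in order, up to but not including the root. The client side only needs the root in its -CAfile (or ~/.postgresql/root.crt for libpq).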
On 07/08/2015 10:52 PM, Tom Lane wrote:
> What's the complaint exactly?

The error we are getting is:

The security of this transaction may be compromised. The following SSL errors have been reported:
* The issuer certificate of a locally looked up certificate could not be found.
* The root CA certificate is not trusted for this purpose
On 07/09/2015 03:07 PM, Vick Khera wrote:
> On Wed, Jul 8, 2015 at 10:17 PM, Francisco Reyes <lists@natserv.net <mailto:lists@natserv.net>> wrote:
>
> openssl s_client -connect HOST:PORT -CAfile /path/to/CA.pem

According to this post:
http://serverfault.com/questions/79876/connecting-to-postgresql-with-ssl-using-openssl-s-client?rq=1
one cannot use openssl to test an ssl connection to postgresql. True?
Francisco Reyes <lists@natserv.net> writes:
> On 07/09/2015 03:07 PM, Vick Khera wrote:
>> openssl s_client -connect HOST:PORT -CAfile /path/to/CA.pem
> According to this post:
> http://serverfault.com/questions/79876/connecting-to-postgresql-with-ssl-using-openssl-s-client?rq=1
> one cannot use openssl to test an ssl connection to postgresql. True?

I should think you can't; it wouldn't know to send the initial packet that asks the server to initiate SSL mode. I found this in the man page for s_client mode:

-starttls protocol
send the protocol-specific message(s) to switch to TLS for communication. protocol is a keyword for the intended protocol. Currently, the only supported keywords are "smtp", "pop3", "imap", and "ftp".

So they've certainly heard of such issues, and you could imagine adding a "-starttls postgresql" variant, but it's not there now ... at least not in the OpenSSL version that ships in RHEL6.

regards, tom lane
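The "initial packet" Tom refers to is the SSLRequest message of the PostgreSQL frontend/backend protocol: the client sends 8 bytes (an int32 length of 8 followed by the int32 request code 80877103), the server answers with a single byte, S to proceed with TLS or N to refuse, and only then does the TLS handshake begin. OpenSSL 1.1.1 and later implement exactly this as `-starttls postgres`; the RHEL6 build discussed above predates it. The script below is an added example (not from the thread): it emits the SSLRequest bytes, optionally probes a server for the S/N answer, and wraps s_client so that the chain is verified against a CA file and the hostname, which is what libpq's sslmode=verify-full does. It assumes an OpenBSD-style nc(1) for the probe helper; host, port and CA path are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the thread: test a PostgreSQL server's certificate
# against a CA bundle using the SSLRequest-then-TLS dance that s_client
# without -starttls does not know about.
set -e

# The SSLRequest packet: int32 length (8) then int32 code 80877103, which is
# 0x04D2162F, i.e. 1234 in the high 16 bits and 5679 in the low 16 bits,
# both big-endian. Octal escapes keep this portable across printf builtins.
build_ssl_request() {
    printf '\000\000\000\010\004\322\026\057'
}

# Hex of the packet, handy for matching against a packet capture.
ssl_request_hex() {
    build_ssl_request | od -An -v -tx1 | tr -d ' \n'
}

# Probe only the first step: does the server offer TLS at all? Prints S or N.
# Assumes an OpenBSD-style nc(1) where -w is the timeout in seconds.
pg_ssl_offered() {
    host=$1; port=${2:-5432}
    build_ssl_request | nc -w 3 "$host" "$port" | head -c 1
}

# Full check: SSLRequest, TLS handshake, chain verification against CA_FILE and
# a hostname check (like sslmode=verify-full). -starttls postgres needs
# OpenSSL 1.1.1 or newer. -verify_return_error turns a verification failure
# into a non-zero exit status instead of only a "Verify return code" line.
pg_tls_verify() {
    host=$1; port=${2:-5432}; ca_file=$3
    if out=$(openssl s_client -starttls postgres -connect "$host:$port" \
            -CAfile "$ca_file" -verify_hostname "$host" -verify_return_error \
            </dev/null 2>&1); then
        status=0
    else
        status=$?
    fi
    printf '%s\n' "$out" | grep -E '^depth=|verify (error|return)|Verify return code' || true
    return $status
}

if [ "$#" -ge 2 ]; then
    pg_tls_verify "$1" 5432 "$2"
else
    echo "SSLRequest packet: $(ssl_request_hex)"
    echo "usage: $0 HOST /path/to/CA.pem"
fi
```

A run that ends in "Verify return code: 0 (ok)" and exit status 0 means the server presented a chain that closes against the given CA file and matches the hostname; "unable to get local issuer certificate" or "unable to verify the first certificate" at depth 0 points at a missing intermediate on the server side, and a hostname mismatch shows up as a separate verify error even when the chain itself is fine.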
On Thu, Jul 9, 2015 at 9:29 PM, Francisco Reyes <lists@natserv.net> wrote:
> On 07/09/2015 03:07 PM, Vick Khera wrote:
>> On Wed, Jul 8, 2015 at 10:17 PM, Francisco Reyes <lists@natserv.net <mailto:lists@natserv.net>> wrote:
>> openssl s_client -connect HOST:PORT -CAfile /path/to/CA.pem
> According to this post: http://serverfault.com/questions/79876/connecting-to-postgresql-with-ssl-using-openssl-s-client?rq=1
> one cannot use openssl to test an ssl connection to postgresql. True?
If you think the problem might be with the certificate itself, then take postgresql out of the loop entirely by installing that certificate to be used by apache (for instance) instead of by postgresql. Then use s_client against apache.
Cheers,
Jeff
>>>>> "FR" == Francisco Reyes <lists@natserv.net> writes:

FR> I bought a SSL cert and installed it, but the program is still having
FR> the issue.

Did you include the intermediate cert(s) in the bundle which the server presents to the client? And did you confirm that the client trusts the issuer's root? Some require explicit configuration of that.

-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
>>>>> "VK" == Vick Khera <vivek@khera.org> writes:

VK> openssl s_client -connect HOST:PORT -CAfile /path/to/CA.pem

See: http://debian-administration.org/users/dkg/weblog/103

Also, check out: https://github.com/nabla-c0d3/sslyze

You'll need to add support for pg's protocol, but it should be straightforward to do so.

-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
On 07/11/2015 07:32 PM, James Cloos wrote:
>>>>>> "FR" == Francisco Reyes <lists@natserv.net> writes:
> Did you include the intermediate cert(s) in the bundle which the server
> presents to the client?

Yes.

> And did you confirm that the client trusts the issuer's root? Some
> require explicit configuration of that.

The client in this case is a program a client of mine runs. I don't have access to the program