On Thu, 2 May 2019 at 15:23, Russell Haley <russ.haley@gmail.com> wrote:
> On Tue, Apr 30, 2019 at 10:31 PM Daurnimator <quae@daurnimator.com> wrote:
>> luaossl/lua-http uses OpenSSL's X509_STORE_set_default_paths function
>> to load your system's trust roots.
>
> I ran a simple test against https://www.starfishmedical.com in a FreeBSD jail here at home with no problems. I did some testing with openssl s_client at work before I left today and if I don't include -CApath in the command, the certificate fails:
>
> russellh@canary-dev:~/lua/sfiot_client$ openssl s_client -connect www.starfishmedical.com:443
> CONNECTED(00000003)
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = starfishmedical.com
> verify return:1
> ---
> Certificate chain
> 0 s:CN = starfishmedical.com
> i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> i:O = Digital Signature Trust Co., CN = DST Root CA X3
>
> ...
>
>
> If I include -CApath /etc/ssl/certs, then everything works fine:
>
>
> russellh@canary-dev:~/lua/sfiot_client$ openssl s_client -CApath /etc/ssl/certs -connect www.starfishmedical.com:443
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = starfishmedical.com
> verify return:1
> ---
> Certificate chain
> 0 s:CN = starfishmedical.com
> i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> i:O = Digital Signature Trust Co., CN = DST Root CA X3
> ---
>
> ...
>
>
> There was an old post about openssl defaulting to the openssl directory for root certificates but that was supposedly patched in ubuntu 12. I'm going to check if there is an openssl build option to include the path to certs, perhaps it's something I've done wrong when I switched to 1.1.1b.
>
> Russ
When finding CAs, OpenSSL will try to look in the directory:
`getenv(X509_get_default_cert_dir_env())`,
which *should* be `"SSL_CERT_DIR"`
If that env var does not exist, it will look in `X509_get_default_cert_dir()`,
which *should* be `OPENSSLDIR "/certs"`,
where OPENSSLDIR is usually `"/etc/ssl"`,
though you can adjust at ./configure time.
My suspicion is that at configure time you've passed a custom OPENSSLDIR.
How did you compile your OpenSSL?
What options did you pass to configure?
russellh@canary-dev:~/lua/sfiot_client$ ./lua test.lua "
https://www.starfishmedical.com"
Failed to retrieve request. No headers. starttls: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
Code:
dofile ('init.lua')
local request = require 'http.request'
local rolling_logger = require "logging.rolling_file"
local conf = require('config')
local logger = rolling_logger(conf.base_path .. "/" .. conf.debug_file_name, conf.file_roll_size or 1024*1024*10, conf.max_log_files or 31)
if not logger then
print("logger failed")
os.exit(-1)
end
local function logError(msg)
logger:error(msg)
print(msg)
end
uri = arg[1]
local req_timeout = 10
local req = request.new_from_uri(uri)
local headers, stream = req:go(req_timeout)
if headers == nil then
logError(string.format("Failed to retrieve request. No headers. %s", stream))
os.exit(-2)
end
if not stream then
logError('Failed to retrieve request. No Stream (check with a urologist).')
os.exit(-3)
else
local body, err = stream:get_body_as_string()
if not body and err then
logError("No body was returned from the stream. %s", (err or "no error message available"))
else
print(body)
end
end
Feel free to punt on this one, it's not a show stopper (but does annoy me).
Thanks again Daurnimator.
Russ
