lua-users home
lua-l archive

On Wed, May 1, 2019 at 10:45 PM Daurnimator <quae@daurnimator.com> wrote:
On Thu, 2 May 2019 at 15:23, Russell Haley <russ.haley@gmail.com> wrote:
> On Tue, Apr 30, 2019 at 10:31 PM Daurnimator <quae@daurnimator.com> wrote:
>> luaossl/lua-http uses OpenSSL's X509_STORE_set_default_paths function
>> to load your system's trust roots.
>
> I ran a simple test against https://www.starfishmedical.com in a FreeBSD jail here at home with no problems. I did some testing with openssl s_client at work before I left today and if I don't include -CApath in the command, the certificate fails:
>
> russellh@canary-dev:~/lua/sfiot_client$ openssl s_client -connect www.starfishmedical.com:443
> CONNECTED(00000003)
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = starfishmedical.com
> verify return:1
> ---
> Certificate chain
>  0 s:CN = starfishmedical.com
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>
> ...
>
>
> If I include -CApath /etc/ssl/certs, then everything works fine:
>
>
> russellh@canary-dev:~/lua/sfiot_client$ openssl s_client -CApath /etc/ssl/certs -connect www.starfishmedical.com:443
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = starfishmedical.com
> verify return:1
> ---
> Certificate chain
>  0 s:CN = starfishmedical.com
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
> ---
>
> ...
>
>
> There was an old post about openssl defaulting to the openssl directory for root certificates but that was supposedly patched in ubuntu 12. I'm going to check if there is an openssl build option to include the path to certs, perhaps it's something I've done wrong when I switched to 1.1.1b.
>
> Russ

When finding CAs, OpenSSL will try to look in the directory:
`getenv(X509_get_default_cert_dir_env())`,
which *should* be `"SSL_CERT_DIR"`

If that env var does not exist, it will look in `X509_get_default_cert_dir()`,
which *should* be `OPENSSLDIR "/certs"`,
where OPENSSLDIR is usually `"/etc/ssl"`,
though you can adjust at ./configure time.

My suspicion is that at configure time you've passed a custom OPENSSLDIR.
How did you compile your OpenSSL?
What options did you pass to configure?

The default configuration used /usr/local/ssl for OPENSSLDIR and the wiki confused me (https://wiki.openssl.org/index.php/Compilation_and_Installation#PREFIX_and_OPENSSLDIR). Thanks for clarifying, I changed OPENSSLDIR to /etc/ssl. I can now get various sites such as FreeBSD.org, verisign.com, google.com but our starfish site seems to be failing on an sslv3 error:

russellh@canary-dev:~/lua/sfiot_client$ ./lua test.lua "https://www.starfishmedical.com"
Failed to retrieve request. No headers. starttls: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Code:

dofile ('init.lua')
local request = require 'http.request'
local rolling_logger = require "logging.rolling_file"
local conf = require('config')

local logger = rolling_logger(conf.base_path .. "/" .. conf.debug_file_name, conf.file_roll_size or 1024*1024*10, conf.max_log_files or 31)
if not logger then
    print("logger failed")
    os.exit(-1)
end

local function logError(msg)
    logger:error(msg)
    print(msg)
end

local uri = arg[1]
local req_timeout = 10

local req = request.new_from_uri(uri)

-- on failure req:go returns nil and the error message takes the place of the stream
local headers, stream = req:go(req_timeout)
if headers == nil then
    logError(string.format("Failed to retrieve request. No headers. %s", stream))
    os.exit(-2)
end

if not stream then
    logError('Failed to retrieve request. No Stream (check with a urologist).')
    os.exit(-3)
else
    local body, err = stream:get_body_as_string()
    if not body then
        -- logError takes a single string, so format the message before passing it
        logError(string.format("No body was returned from the stream. %s", err or "no error message available"))
    else
        print(body)
    end
end

Feel free to punt on this one, it's not a show stopper (but does annoy me).

Thanks again Daurnimator.
Russ
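As an added diagnostic for the trust-store lookup Daurnimator describes above (this is not code from the thread, from lua-http or from luaossl), the Python script below reports where X509_STORE_set_default_paths() will look on the running build: ssl.get_default_verify_paths() wraps the same OpenSSL getters, X509_get_default_cert_dir_env() and X509_get_default_cert_dir(), and the script then checks whether the resolved directory actually holds hash-named certificates. The /usr/local/ssl path in the test is the constructed example from this thread, not a value read from any system.

```python
import os
import re
import ssl

# ssl.get_default_verify_paths() exposes the OpenSSL getters from the thread:
# openssl_capath_env is X509_get_default_cert_dir_env() (normally "SSL_CERT_DIR")
# and openssl_capath is X509_get_default_cert_dir() (OPENSSLDIR "/certs"), so the
# values reflect whatever OPENSSLDIR this libcrypto was configured with.

HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")  # e.g. 2e5ac55d.0


def resolve_cert_dir(capath_env, compiled_capath, env):
    """OpenSSL's lookup order for the CA directory: the environment variable
    wins when set, otherwise the compiled-in OPENSSLDIR/certs default."""
    override = env.get(capath_env)
    if override:
        return override, "environment"
    return compiled_capath, "compiled-in"


def is_hashed_cert_name(name):
    """Directory lookups (X509_LOOKUP_hash_dir) only see files named
    <subject_hash>.<n>, as produced by `openssl rehash` or c_rehash."""
    return HASHED_NAME.match(name) is not None


def count_hashed_certs(cert_dir):
    """Number of hash-named entries the store would find in cert_dir."""
    try:
        return sum(1 for n in os.listdir(cert_dir) if is_hashed_cert_name(n))
    except OSError:  # missing directory, e.g. a wrong OPENSSLDIR
        return 0


def diagnose(env=None):
    """Where X509_STORE_set_default_paths() will look and whether anything is
    there; an empty or missing dir yields 'unable to get local issuer
    certificate' (verify error 20) even for a perfectly valid chain."""
    env = os.environ if env is None else env
    p = ssl.get_default_verify_paths()
    cert_dir, source = resolve_cert_dir(p.openssl_capath_env, p.openssl_capath, env)
    return {
        "capath_env": p.openssl_capath_env,   # X509_get_default_cert_dir_env()
        "compiled_capath": p.openssl_capath,  # X509_get_default_cert_dir()
        "cert_dir": cert_dir,
        "cert_dir_source": source,
        "hashed_certs": count_hashed_certs(cert_dir),
        "cafile": p.cafile,  # bundle file (SSL_CERT_FILE or OPENSSLDIR/cert.pem), None if absent
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

A "hashed_certs" count of 0 with "cert_dir_source: compiled-in" is the situation from this thread: the build's OPENSSLDIR points somewhere the distribution never populated, and exporting SSL_CERT_DIR is the runtime workaround until the build is fixed.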