Summary: | [openssl] Certificate tests failing : "SSL Certificate Verification Error for weasel-juice.org" | ||
---|---|---|---|
Product: | Wocky | Reporter: | Guillaume Desmottes <guillaume.desmottes> |
Component: | General | Assignee: | Telepathy bugs list <telepathy-bugs> |
Status: | RESOLVED FIXED | QA Contact: | Telepathy bugs list <telepathy-bugs> |
Severity: | normal | ||
Priority: | medium | CC: | diane |
Version: | unspecified | ||
Hardware: | Other | ||
OS: | All | ||
Whiteboard: | |||
Attachments: |
- log
- Update CRL to fix TLS validation Errors
- Update CRL including keeping the revoked certificate.
- Final version of fix
Description
Guillaume Desmottes
2014-06-02 12:51:32 UTC
That's WOCKY_TLS_CERT_UNKNOWN_ERROR. A debug log with WOCKY_DEBUG=all WOCKY_TLS_DEBUG_LEVEL=1 might be informative? (Or increase the debug level if needed, it goes up to 9.)

Created attachment 100353 [details]
log

Doesn't seem to contain much useful info.

Is this with GNUTLS or OpenSSL? GNUTLS is the recommended code path, but iirc "BIO" is OpenSSL jargon?

Indeed that's with openssl. With gnutls the test crashes: bug #79594

I traced this error with gdb. 12 is coming from the openssl call SSL_get_verify_result; the openssl verify docs say that is:

    12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired

`openssl crl -in tests/certs/ca-0-crl.pem -text` shows this:

    Signature Algorithm: sha256WithRSAEncryption
    Issuer: /C=UK/O=Collabora/OU=Wocky Test Suite/ST=Confused/CN=Wocky XMPP Library
    Last Update: May 10 16:43:50 2012 GMT
    Next Update: May 10 16:43:50 2013 GMT
    CRL extensions:

I'm trying to figure out how to adjust the openssl config files in tests/certs to work with the current openssl, as it's pretty clear the fix is to generate an updated CRL.

*** Bug 93492 has been marked as a duplicate of this bug. ***

I figured out how to update the CRL. Attached patch includes a CRL updated for 5 years and a reminder of how to update it in the future. Perhaps the perfect patch would either include a test for the CRL being expired in the future or a build target to update the CRL.

Created attachment 120679 [details] [review]
Update CRL to fix TLS validation Errors

Created attachment 120991 [details] [review]
Update CRL including keeping the revoked certificate.

In my first attempt to fix this I didn't realize that the CRL included a revoked certificate, so after my update a different set of tests would fail. In my second attempt I updated the CRL, improved the documentation about how to update the CRL, and replaced the second copy of the CRL in the tests/certs/crl/ directory with a symlink, because it's easier to remember to update one copy than two.

Created attachment 123020 [details]
Final version of fix

I squished all my changes into a single commit, and made git a bit happier by adding a newline to the end of tests/certs/ca-0-crl.cfg

(In reply to diane from comment #10)
> Created attachment 123020 [details]
> Final version of fix

Looks good to me. The commit message seems to repeat some information, though: "Additionally update the example crl update command line." -> this is already mentioned above, isn't it? "...how to update the CRL when it expires"

Fix committed as d5e28416fd95b57207f334217f9523c401f6013a

Btw, this never happened with gnutls. This reveals the interesting fact that gnutls does not check the CRL expiry date...

Also, it looks like you committed a CRL which is only for 1 year. Maybe you updated the template afterwards?

    Last Update: Jan 12 05:46:37 2016 GMT
    Next Update: Jan 11 05:46:37 2017 GMT

I have regenerated it now to last until 2021.
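The thread suggests a test that catches the CRL expiring before the suite starts failing with X509_V_ERR_CRL_HAS_EXPIRED again. The script below is an added example, not part of the Wocky tree or the attached patches: it runs `openssl crl -noout -nextupdate` on a CRL (the `tests/certs/ca-0-crl.pem` path is the one from the bug; the 90-day warning margin is an assumption) and reports whether the CRL is expired, close to expiring, or fine.

```python
#!/usr/bin/env python3
"""Check that a PEM CRL's nextUpdate is still in the future (with a warning margin)."""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Timestamp format openssl prints for nextUpdate= (e.g. "May 10 16:43:50 2013 GMT").
OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(line):
    """Turn 'nextUpdate=May 10 16:43:50 2013 GMT' into an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    return datetime.strptime(value.strip(), OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)


def crl_status(next_update_line, now, warn_days=90):
    """Classify a CRL as 'expired', 'expiring' (within warn_days) or 'ok' relative to NOW.

    An expired CRL is exactly what makes OpenSSL's verifier return
    X509_V_ERR_CRL_HAS_EXPIRED (12), so 'expired' means the TLS tests will fail.
    """
    next_update = parse_openssl_time(next_update_line)
    if next_update <= now:
        return "expired"
    if next_update - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def check_crl_file(path, now=None, warn_days=90):
    """Ask the openssl CLI for PATH's nextUpdate and classify it (assumes openssl is on PATH)."""
    out = subprocess.run(["openssl", "crl", "-in", path, "-noout", "-nextupdate"],
                         check=True, capture_output=True, text=True).stdout
    return crl_status(out, now or datetime.now(timezone.utc), warn_days)


if __name__ == "__main__":
    # Default path is the CRL discussed in the bug; pass other files as arguments.
    exit_code = 0
    for crl_path in sys.argv[1:] or ["tests/certs/ca-0-crl.pem"]:
        status = check_crl_file(crl_path)
        print(f"{crl_path}: {status}")
        if status != "ok":
            exit_code = 1  # non-zero so a `make check` hook fails before the TLS tests do
    sys.exit(exit_code)
```

Run it from the test-suite's `make check` (or a CI job) so the 2021 expiry of the regenerated CRL is flagged ahead of time instead of surfacing as a mysterious certificate verification failure.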