Bug 79548 - [openssl] Certificate tests failing : "SSL Certificate Verification Error for weasel-juice.org"
Summary: [openssl] Certificate tests failing : "SSL Certificate Verification Error for...
Status: RESOLVED FIXED
Alias: None
Product: Wocky
Classification: Unclassified
Component: General (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Telepathy bugs list
QA Contact: Telepathy bugs list
URL:
Whiteboard:
Keywords:
: 93492 (view as bug list)
Depends on:
Blocks:
 
Reported: 2014-06-02 12:51 UTC by Guillaume Desmottes
Modified: 2016-07-09 07:48 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments
log (15.67 KB, text/plain)
2014-06-03 11:23 UTC, Guillaume Desmottes
Details
Update CRL to fix TLS validation Errors (4.39 KB, patch)
2015-12-25 00:28 UTC, diane
Details | Splinter Review
Update CRL including keeping the revoked certificate. (4.22 KB, patch)
2016-01-12 18:34 UTC, diane
Details | Splinter Review
Final version of fix (4.27 KB, text/plain)
2016-04-18 05:09 UTC, diane
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Guillaume Desmottes 2014-06-02 12:51:32 UTC
Wocky master.

Loads of tests are failing with:

wocky-connector-test:ERROR:wocky-connector-test.c:3562:run_test: assertion failed (error == NULL): SSL Certificate Verification Error for weasel-juice.org (wocky-tls-cert-error, 12)
Comment 1 Simon McVittie 2014-06-03 11:06:46 UTC
That's WOCKY_TLS_CERT_UNKNOWN_ERROR. A debug log with WOCKY_DEBUG=all WOCKY_TLS_DEBUG_LEVEL=1 might be informative? (Or increase the debug level if needed, it goes up to 9.)
Comment 2 Guillaume Desmottes 2014-06-03 11:23:37 UTC
Created attachment 100353 [details]
log

Doesn't seem to contain much useful info.
Comment 3 Simon McVittie 2014-06-03 14:41:46 UTC
Is this with GNUTLS or OpenSSL? GNUTLS is the recommended code path, but iirc "BIO" is OpenSSL jargon?
Comment 4 Guillaume Desmottes 2014-06-03 14:58:56 UTC
Indeed that's with openssl. With gnutls the test crashes: bug #79594
Comment 5 diane 2015-12-24 07:02:30 UTC
I traced this error with gdb. 

12 is coming from the openssl call SSL_get_verify_result, the openssl verify docs say that is:

 12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired

openssl crl -in tests/certs/ca-0-crl.pem -text

shows this:

    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=UK/O=Collabora/OU=Wocky Test Suite/ST=Confused/CN=Wocky XMPP Library
        Last Update: May 10 16:43:50 2012 GMT
        Next Update: May 10 16:43:50 2013 GMT
        CRL extensions:

I'm trying to figure out how to adjust the openssl config files in tests/certs to work with the current openssl, as its pretty clear the fix is to generate an updated CRL.
Comment 6 diane 2015-12-24 07:05:31 UTC
*** Bug 93492 has been marked as a duplicate of this bug. ***
Comment 7 diane 2015-12-25 00:27:42 UTC
I figured out how to update the CRL. Attached patch includes a CRL updated for 5 years and reminder to how to update it in the future. Perhaps the perfect patch would either include a test for the CRL being expired in the future or a build target to update the CRL.
Comment 8 diane 2015-12-25 00:28:39 UTC
Created attachment 120679 [details] [review]
Update CRL to fix TLS validation Errors
Comment 9 diane 2016-01-12 18:34:34 UTC
Created attachment 120991 [details] [review]
Update CRL including keeping the revoked certificate.

In my first attempt to fix this I didn't realize that the CRL included a revoked certificate, so after my update a different set of tests would fail.

In my second attempt I updated the CRL, improved the documentation about how to upate the CRL, and replaced  the second copy of the CRL in the tests/certs/crl/ directory with a symlink -- because its easier to remember to update one copy than two.
Comment 10 diane 2016-04-18 05:09:32 UTC
Created attachment 123020 [details]
Final version of fix

I squished all my changes into a single commit, and made git a bit happier by adding a newline to the end of tests/certs/ca-0-crl.cfg
Comment 11 George Kiagiadakis 2016-06-12 09:27:49 UTC
(In reply to diane from comment #10)
> Created attachment 123020 [details]
> Final version of fix

Looks good to me.

The commit message seems to repeat some information, though:
"Additionally update the example crl update command line." -> this is already mentioned above, isn't it? "...how to update the CRL when it expires"
Comment 12 diane 2016-06-12 18:28:12 UTC
Fix committed as d5e28416fd95b57207f334217f9523c401f6013a
Comment 13 George Kiagiadakis 2016-07-09 07:48:49 UTC
Btw, this never happened with gnutls. This reveals the interesting fact that gnutls does not check the CRL expiry date...

Also, it looks like you committed a CRL which is only for 1 year. Maybe you updated the template afterwards?

Last Update: Jan 12 05:46:37 2016 GMT
Next Update: Jan 11 05:46:37 2017 GMT

I have regenerated it now to last until 2021.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.