Monday, 15 March 2010

ssl - s_client certificate validation fails in Windows for login.live.com -


I downloaded it and put it on the default location C: \ OpenSSL-Win32 . I copied the file into C: \ openSSL-Win32Bin and participated:

  C: OpenSSL-Win32 \ bin> gtc; Openssl s_client -connect login.live Com: 443 -Suffy CA-bundle Verification of the certificate chain with the CRT  

message fails:

Confirm the return code: 20 (Get the local issuer certificate disabled)

Using the same command with the same file on Debian VG with OpenSSL Version 1.0.1e:

Verify the return code: 0 (OK)

If I change the hostname to api.onedrive.com (the same command) then return me to return code and Receive Pas is: 0 (right) both Windows and Linux.

Am I doing something wrong or is there a known bug? How can I work for it on Windows for login.live.com ?

(Initially, I stumbled upon this problem, but now it looks like an OpenSSL issue.)

s_client has an undocumented property (or perhaps a longer bug), if you give the option -Cafile , it was not only provided The CA will investigate against the file itself, rather than the default system (even on Debian at / usr / lib / ssl / certs ). If you use the files during verification, you will see the following code:

  $ strace - If you set the  openssl s_client  to  strace < Open with open / code> openl s_client -connect login.live.com:443 -Cafeail ca-bundle.crt ... open ("ca-bundle.crt", O_RDONLY) = 3 ("/ usr / Lib / ssl / cert.pem ", O_RDONLY) = -1 ENOENT (no such file or directory) ... open (" / usr / lib / ssl / certs / 415660c1.0 ", O_RDONLY) = 4 open (" / Usr / lib / ssl / certs / 415660c1.1 ", O_RDONLY) = 4  

With this output you can see that it is only CAF Does not use IEL, but it also tries to use / usr / lib /ssl/cert.pem (does not exist) and then the subject hash 415660c1 / usr / lib / ssl / certs . Eventually he finds the original CA, which he is looking for in 415660c1.1 :

  $ openssl x509 -in / usr / lib / ssl / certs / 415660c1 1 -text ... Issuer: C = US, O = VeriSine, Inc, OU = Class 3 Public Primary Certification Authority ... Subject: C = U.S., O = VeriSign, Inc, OU = Class 3 Public Primary CERTIFICATION AUTHORITY  

Because of the OpenSSL (this can not use the Windows CA store) any system default on Windows At the same time, the verification there will fail.

As for api.onedrive.com : There is another trust chain in it and can be fully verified with the given CA bundle. Output from stress shows that it is / usr / lib / ssl / certs . /


No comments:

Post a Comment