SSL verify error: 20 about dexador HOT 8 OPEN

fukamachi commented on July 16, 2024
SSL verify error: 20

from dexador.

Comments (8)

anquegi commented on July 16, 2024

I also have the same problem using Mac OS X Sierra. After updating /etc/ssl/certs.pem with the one in the repo, and with OpenSSL 1.0.2k 26 Jan 2017, it works for me on https facebook and https api github but fails on google.

The problem with Google is that it seems that the one signing their certificate is Equifax Secure Certificate Authority and not GeoTrust, so in that case it was not working.

you can download here

toni@MacBook-Pro-de-Antonio ~ $ openssl s_client -showcerts -connect www.google.com:443 </dev/null
CONNECTED(00000004)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3727 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: C68A067FAA6FF10B2C17816AF23BC7FCBAF1927E151405031130FB522815928A
    Session-ID-ctx:
    Master-Key: F039C62C36F904ADF3DF4869521CEB9BB12C63EB5AA09D46ADDC87AEF29F42EB2DB736278C82321C026F902E18B5D440
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    Start Time: 1490962049
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I also have the Equifax Secure Certificate Authority in /etc/ssl/certs.pem, but it is not in the one that you provide in this repo, so if I use the one on my computer and the one downloaded from GeoTrust, it works well.

(dex:get "https://www.google.com" :ca-path "/Users/toni/Downloads/Equifax_Secure_Certificate_Authority.pem")

or

(dex:get "https://www.google.com" :ca-path "/etc/ssl/cert.pem")

So the problem in this case was having the correct CA certificate.

from dexador.
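
Added example (not from the thread and not Dexador or CL+SSL code): a name-only Python model of the trust-anchor lookup behind verify error 20, OpenSSL's "unable to get local issuer certificate", run over the chain lines from the s_client output in the comment above. `parse_chain`, `verify_by_name` and the `trusted_first` switch are hypothetical names; real verification also checks signatures, validity dates and extensions.

```python
import re

# "s:" / "i:" lines as printed under "Certificate chain" by openssl s_client.
CHAIN_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.+)$")

# Sample input: the subject/issuer lines from the s_client output quoted above.
SAMPLE = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = CHAIN_LINE.match(line)
        if not m:
            continue
        kind, name = m.group(1), m.group(2).strip()
        if kind == "s":
            subject = name
        elif subject is not None:
            chain.append((subject, name))
            subject = None
    return chain

def verify_by_name(chain, trusted_subjects, trusted_first=False):
    """Simplified model: return (verify_code, anchor_found_or_missing_issuer)."""
    if not chain:
        raise ValueError("no certificates in chain")
    trusted = set(trusted_subjects)
    top_issuer = chain[-1][1]
    if trusted_first:
        # Accept the first certificate whose issuer is already a trusted subject.
        for _subject, issuer in chain:
            if issuer in trusted:
                return 0, issuer
        return 20, top_issuer
    # Follow the server-sent chain to its end; only its last issuer can anchor it.
    return (0, top_issuer) if top_issuer in trusted else (20, top_issuer)
```

With only GeoTrust Global CA in the trusted set, the chain-following strategy returns 20 and names the Equifax root as the missing issuer, which is consistent with the fix described in the comment.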

fukamachi commented on July 16, 2024

from dexador.

snmsts commented on July 16, 2024

Thank you. I checked the openssl version and curl access.

https://travis-ci.org/snmsts/experiment/builds/196384519

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
$ curl -v https://api.github.com
* Rebuilt URL to: https://api.github.com/
* Hostname was NOT found in DNS cache
*   Trying 192.30.253.117...
* Connected to api.github.com (192.30.253.117) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* 	 subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
* 	 start date: 2014-04-08 00:00:00 GMT
* 	 expire date: 2017-04-12 12:00:00 GMT
* 	 subjectAltName: api.github.com matched
* 	 issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
* 	 SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: api.github.com
> Accept: */*
> 
< HTTP/1.1 200 OK
* Server GitHub.com is not blacklisted
< Server: GitHub.com
< Date: Sun, 29 Jan 2017 18:34:03 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 2165
< Status: 200 OK
< X-RateLimit-Limit: 60
< X-RateLimit-Remaining: 59
< X-RateLimit-Reset: 1485718443
< Cache-Control: public, max-age=60, s-maxage=60
< Vary: Accept
< ETag: "7dc470913f1fe9bb6c7355b50a0737bc"
< X-GitHub-Media-Type: github.v3; format=json
< Access-Control-Expose-Headers: ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
< Access-Control-Allow-Origin: *
< Content-Security-Policy: default-src 'none'
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
< Vary: Accept-Encoding
< X-Served-By: 2811da37fbdda4367181b328b22b2499
< X-GitHub-Request-Id: DA86:03E8:513B8F9:6A319A5:588E359B
< 
{
  "current_user_url": "https://api.github.com/user",
  "current_user_authorizations_html_url": "https://github.com/settings/connections/applications{/client_id}",
  "authorizations_url": "https://api.github.com/authorizations",
  "code_search_url": "https://api.github.com/search/code?q={query}{&page,per_page,sort,order}",
  "commit_search_url": "https://api.github.com/search/commits?q={query}{&page,per_page,sort,order}",
  "emails_url": "https://api.github.com/user/emails",
  "emojis_url": "https://api.github.com/emojis",
  "events_url": "https://api.github.com/events",
  "feeds_url": "https://api.github.com/feeds",
  "followers_url": "https://api.github.com/user/followers",
  "following_url": "https://api.github.com/user/following{/target}",
  "gists_url": "https://api.github.com/gists{/gist_id}",
  "hub_url": "https://api.github.com/hub",
  "issue_search_url": "https://api.github.com/search/issues?q={query}{&page,per_page,sort,order}",
  "issues_url": "https://api.github.com/issues",
  "keys_url": "https://api.github.com/user/keys",
  "notifications_url": "https://api.github.com/notifications",
  "organization_repositories_url": "https://api.github.com/orgs/{org}/repos{?type,page,per_page,sort}",
  "organization_url": "https://api.github.com/orgs/{org}",
  "public_gists_url": "https://api.github.com/gists/public",
  "rate_limit_url": "https://api.github.com/rate_limit",
  "repository_url": "https://api.github.com/repos/{owner}/{repo}",
  "repository_search_url": "https://api.github.com/search/repositories?q={query}{&page,per_page,sort,order}",
  "current_user_repositories_url": "https://api.github.com/user/repos{?type,page,per_page,sort}",
  "starred_url": "https://api.github.com/user/starred{/owner}{/repo}",
  "starred_gists_url": "https://api.github.com/gists/starred",
  "team_url": "https://api.github.com/teams",
  "user_url": "https://api.github.com/users/{user}",
  "user_organizations_url": "https://api.github.com/user/orgs",
  "user_repositories_url": "https://api.github.com/users/{user}/repos{?type,page,per_page,sort}",
  "user_search_url": "https://api.github.com/search/users?q={query}{&page,per_page,sort,order}"
}
* Connection #0 to host api.github.com left intact

name of cert file?

from dexador.

fukamachi commented on July 16, 2024

It may be related to the fact that SSLv3 is disabled by default in CL+SSL, so Dexador tries to connect with TLS 1.2.

cf. travis-ci/travis-ci#4757

from dexador.

snmsts commented on July 16, 2024

Thank you.
It's quite tricky...

from dexador.

fukamachi commented on July 16, 2024

SSL verification of Dexador is quite new and not mature at all.
It would be better to be able to specify the verification setting in Dexador easily; however, using cl+ssl:make-context to allow SSLv3 is the only option for now, I guess.

from dexador.

snmsts commented on July 16, 2024

Sure. I think I need to try SSLv3 (don't know how, though) and ask the cl+ssl guys as well.

from dexador.

ron-premier commented on July 16, 2024

For future searches: when using dexador behind an SSL proxy (like ZScaler), set the ca-path to the root certificate provided by your organization.

Without specifying the ca-path:

CL-USER> (dex:get "http://www.lisp.org")
; Debugger entered on #<CL+SSL:SSL-ERROR-VERIFY {10031E3D03}>

Then again with ca-path specified:

[1] CL-USER> (dex:get "http://www.lisp.org" :ca-path "/Users/Ron/Library/CloudStorage/OneDrive/Reference Materials/ZScalerRootCA.pem")
"<HTML>
<HEAD>
  <title>John McCarthy, 1927-2011</title>
  <STYLE type="text/css">
    BODY {text-align: center}
  </STYLE>
</HEAD>
<BODY>
<h1>John McCarthy</h1>
<img src="jmccolor.jpg" alt="a picture ...[sly-elided string of length 459]"
200 (8 bits, #xC8, #o310, #b11001000)
#<HASH-TABLE :TEST EQUAL :COUNT 10 {1003E617E3}>
#<QURI.URI.HTTP:URI-HTTPS https://www.lisp.org/>
NIL

from dexador.
