Findings With Latest 7.07-2.el6

Oliver Hernandez mr.oliver.hernandez at gmail.com
Mon Jul 25 06:07:15 PDT 2016


Actually, I had trouble building with OpenSSL, and installed GnuTLS
2.12.23 and built OpenConnect against that.  Indeed, my particular
server is using a bad certificate, which is probably why I was
instructed to use the --no-cert-check option.

On Thu, Jul 14, 2016 at 4:12 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Wed, 2016-07-13 at 21:22 -0400, Oliver Hernandez wrote:
>> I'll send you the requested info.
>>
>> I'm comparing to v7.06 built for EL6, posted by Nikos
>> Mavrogiannopoulos to the mailing list in an earlier thread I started.
>
> The one which is now released as an official update for EL6, but
> without PKCS#11 support? That doesn't work for your server either,
> AFAICT; its behaviour is identical.
>
> Your server is misconfigured; it's presenting its own certificate but
> *not* the supporting intermediate certificate on the wire.
>
> So a client which has only the root CA isn't going to work because
> there's a missing link and it can't tie your server's cert to the root
> CA.
>
> If you supply only the *intermediate* CA to the client as --cafile,
> that's where it gets interesting. If you are building with GnuTLS
> (which you aren't on EL6), it works fine. GnuTLS trusts the CA it was
> told to trust, and allows the server's certificate.
>
> OpenSSL doesn't. I have some vague recollection of looking at this
> quite recently... it refuses to trust a non-self-signed CA in the same
> way that it would a self-signed one. So supplying the intermediate CA
> in the --cafile option doesn't help.
>
> As a workaround, add *both* CAs to the same file (just append them) and
> use that. It'll trust the root CA, and it'll *see* the intermediate one
> (that the server *ought* to have been providing on the wire), and be
> able to use it to build up the chain to the trusted root.
>
> You can reproduce this with
>  openssl s_client -connect $server:443 -CAfile foo.pem
>
> I think this should probably be considered an OpenSSL bug. It happens
> with 1.0.2 and 1.1 (HEAD) too, FWIW.
>
> --
> David Woodhouse                            Open Source Technology Centre
> David.Woodhouse at intel.com                              Intel Corporation
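
The chain-building behaviour David describes, reproduced as an added example with a throwaway PKI instead of a live server. This is not code from OpenConnect, OpenSSL or the thread; the subject names, the host name vpn.example.test and the helper names (mkcsr, verify_leaf, chain_cases) are made up for the demonstration. It runs openssl verify on the leaf certificate alone, which models a server that sends only its own certificate on the wire, against a root-only file, an intermediate-only file and the appended root+intermediate file from the reply. Two further cases are included for comparison: -partial_chain, the verify-level option (OpenSSL 1.0.2 and later) that lets a non-self-signed certificate in the trust store terminate the chain, and -untrusted, which supplies the intermediate the way a correctly configured server would have sent it.

```shell
#!/bin/sh
# Added example (not OpenConnect or OpenSSL project code): build a throwaway
# root -> intermediate -> server PKI, then show which -CAfile contents let
# OpenSSL verify the leaf when the server does NOT send its intermediate.
# All names below are constructed for the demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcsr NAME SUBJECT: key + CSR (RSA-2048 is plenty for a throwaway CA).
mkcsr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# Root CA: self-signed, with CA:TRUE set explicitly so the result does not
# depend on whatever defaults the local openssl.cnf carries.
mkcsr root "/CN=Example Root CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -out "$WORK/root.pem" -days 30 -extfile "$WORK/ca.ext" >/dev/null 2>&1

# Intermediate CA, signed by the root.
mkcsr inter "/CN=Example Intermediate CA"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -out "$WORK/inter.pem" -days 30 -extfile "$WORK/ca.ext" >/dev/null 2>&1

# Server (leaf) certificate, signed by the intermediate.
mkcsr server "/CN=vpn.example.test"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.test\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -out "$WORK/server.pem" -days 30 -extfile "$WORK/leaf.ext" >/dev/null 2>&1

# The workaround from the reply: root and intermediate appended in one file.
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/both.pem"

# verify_leaf CAFILE [extra openssl verify options...]: prints "ok" or "fail".
# Only the leaf is handed to verify, which models a server that sends nothing
# but its own certificate on the wire; the trust file is all the client has.
verify_leaf() {
    cafile="$WORK/$1"; shift
    if openssl verify "$@" -CAfile "$cafile" "$WORK/server.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# One result per case, in the order the reply discusses them, then the two
# comparison cases (-partial_chain, and the intermediate supplied as untrusted
# chain material the way the server should have sent it).
chain_cases() {
    printf '%s %s %s %s %s\n' \
        "$(verify_leaf root.pem)" \
        "$(verify_leaf inter.pem)" \
        "$(verify_leaf both.pem)" \
        "$(verify_leaf inter.pem -partial_chain)" \
        "$(verify_leaf root.pem -untrusted "$WORK/inter.pem")"
}

echo "root-only inter-only root+inter inter+partial_chain root+wire-intermediate"
chain_cases
```

The result line reads fail fail ok ok ok: the root alone cannot reach the leaf, the intermediate alone is rejected as a trust anchor because it is not self-signed, and the appended file works with no extra flag because OpenSSL sees the intermediate there and uses it to reach the trusted root. The last two columns show the same chain succeeding when partial chains are explicitly allowed, and when the intermediate arrives as untrusted material, which is what a correctly configured server provides on the wire.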



More information about the openconnect-devel mailing list