0

I know this will be a huge post, but I wanted to present a problem that I am facing by essentially giving all the details of it.

Background I have an application which triggers firefox to fetch URL data and present the individual component load time of all components in a web page (like Firebug). However the application does not validate ssl certs automatically (i.e it gets stuck up if there is a bad certificate as there is no user to manually accept/reject a certificate and it is all done programmatically). I need to solve this issue by trying to validate the site's certificate before the firefox process is started.

My solution

I found this bit of C code that does verification of SSL certs programmatically in C. I am giving a brief overview of it. this is the main() method:

SSL_library_init();
ERR_load_BIO_strings();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();

/* Set up the SSL context */
ctx = SSL_CTX_new(SSLv23_client_method());

/* Load the trust store - in this case, it's just a single
 * certificate that has been created for testing purposes.
 */

if(! SSL_CTX_load_verify_locations(ctx,"certificate.pem",NULL))
{
    fprintf(stderr, "Error loading trust store\n");
    //ERR_print_errors_fp(stderr);
    SSL_CTX_free(ctx);
    return 0;
}

/* Setup the connection */
bio = BIO_new_ssl_connect(ctx);

/* Set the SSL_MODE_AUTO_RETRY flag */

BIO_get_ssl(bio, & ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);

/* Create and setup the connection */

BIO_set_conn_hostname(bio, "mail.google.com:https");

fprintf(stderr, "Connecting to host ...\n");

if(BIO_do_connect(bio) <= 0)
{
    fprintf(stderr, "Error attempting to connect: %d\n",BIO_do_connect(bio));
    //ERR_print_errors_fp(stderr);
    BIO_free_all(bio);
    SSL_CTX_free(ctx);
    return 0;
}
/* Retrieve the peer certificate */

fprintf(stderr, "Retrieving peer certificate\n");
if(getPeerCert(ssl, & peerCert) != X509_V_OK)
{
    /* Can be changed to better handle a suspect certificate. However,
     * for the purposes of this demonstration, we're aborting.
     */
    fprintf(stderr, "Certificate verification error: %i\n",SSL_get_verify_result(ssl));
    BIO_free_all(bio);
    SSL_CTX_free(ctx);
    return 0;
}

I am leaving out the getPeerCert() method's defenition as it gets the peer cert and verifies using openssl's methods.

Also the certificate.pem is a pem file obtained by following the steps for the solution to this question.

However When I try to run this i get

Connecting to host ...
Retrieving peer certificate
Certificate verification error: 20

I am unable to see why this should happen as the verification should succeed. I would be grateful and glad to any help that I can get.

Update 1

I tried using the open SSL command and tried calling the command from code i.e. the 

opensssl verify -CAfile ./ca-bundle.crt cert1...

However I found that it validates internal and external certs, it also seemed to validate certs (internal) that should actually be bad (specifically bad domain certs). I would greatly appreciate any insight into this.

Cœur
  • 37,241
  • 25
  • 195
  • 267
Hari
  • 709
  • 2
  • 9
  • 13
  • 1
    Are you trying to make two connections? One first with your application to verify the certificate, and then one with Firefox? In this case, technically, you don't really know whether Firefox is presented with the same cert, so there's little point verifying the first one. I'm not quite sure why you'd use Firefox to get your page. There's a number of HTTP client libs out there, with SSL/TLS support, which would be more appropriate to do this. – Bruno May 27 '11 at 19:13
  • Hi The firefox part is to simulate what real users with/without a prime cache would get to see. I am not sure I understood your question about different ecrts being presented though. I verify this first and if it fails i don't spin up firefox at all. – Hari May 27 '11 at 19:21
  • My Real concern though is that even after getting the certificates required. This fails and I don't know why – Hari May 27 '11 at 19:33
  • **An update:** I was able to get this working for internal sites although i am unable to do so for any external site that uses SSL certs like gmail/facebook etc – Hari May 27 '11 at 22:22

3 Answers3

2
opensssl verify -CAfile ./ca-bundle.crt -untrusted cert1...

see this article, but I don't know yet how to do it programatically..

http://www.herongyang.com/crypto/openssl_verify_2.html\

andrewsi
  • 10,807
  • 132
  • 35
  • 51
Diego Betancor
  • 29
  • 2
1

The specific error you are are getting is

20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate

the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.

Try putting the gmail issuer, and not the gmail certificate, into certificate.pem.

Also, make sure you understand Bruno's first comment on your question.

Jumbogram
  • 2,249
  • 1
  • 20
  • 24
  • Thanks..This may sound stupid. But I am not an expert in this. Even after putting the issuer certificate I am getting this error. and I have no clue! – Hari May 27 '11 at 20:50
0

User CertificateFactory to get instance of X509 cert and validate using generateCertificate method this is lib in java security

try{
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
    X509Certificate cert = (X509Certificate) certificateFactory.generateCertificate(${certificate});
catch (CertificateException ex){}

cmd to verify cert

openssl x509 -text -noout
ngg
  • 1,493
  • 19
  • 14