
[Solved] LibreSSL unknown CA issue with Google IPv6

Discussion in 'Bug Reports' started by Matt, May 8, 2017.

  1. Matt (Well-Known Member; joined May 25, 2014; Rotherham, UK)

    @Amin Sabet and I have started getting this same error now, when the server tries to connect to Google via IPv6.

    (attached screenshot: upload_2017-5-8_8-36-38.png)

    Code:
    # whois 2a00:1450:4010:c08::69
    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf
    
    % Note: this output has been filtered.
    %       To receive output for a database update, use the "-B" flag.
    
    % Information related to '2a00:1450:4000::/37'
    
    % Abuse contact for '2a00:1450:4000::/37' is 'ripe-contact@google.com'
    
    inet6num:       2a00:1450:4000::/37
    netname:        IE-GOOGLE-2a00-1450-4000-1
    descr:          EU metro frontend
    country:        ie
    admin-c:        GOOG1-RIPE
    tech-c:         GOOG1-RIPE
    status:         AGGREGATED-BY-LIR
    assignment-size:48
    mnt-by:         MNT-GOOG-PROD
    created:        2016-03-09T19:03:51Z
    last-modified:  2016-03-09T19:03:51Z
    source:         RIPE
    
    role:           Google Ireland Limited
    address:        Google Ireland Limited
                    BARROW STREET  1ST & 2ND FLOOR
                    4  DUBLIN IRELAND
    admin-c:        GOOG-RIPE
    admin-c:        JWS7-RIPE
    tech-c:         GOOG-RIPE
    nic-hdl:        GOOG1-RIPE
    mnt-by:         MNT-GOOG-PROD
    created:        2009-10-02T20:37:42Z
    last-modified:  2009-10-02T21:42:03Z
    source:         RIPE # Filtered
    
    % This query was served by the RIPE Database Query Service version 1.88.1 (WAGYU)
    


     
    Last edited: May 8, 2017
  2. eva2000 (Administrator, Staff Member; joined May 24, 2014; Brisbane, Australia)

    Interesting, but it isn't the same cause as before, right? As I fixed that, but I see the Unknown CA in there.
     
  3. Matt (Well-Known Member)

    Correct, last time it was failing on IPv4 also, because of the below entry.

    Code:
    openssl.cafile = '/etc/ssl/certs/cacert.pem'
    I'm going to switch PHP out to OpenSSL and see if it's an issue with LibreSSL.

    Code:
    # /usr/local/bin/php -r "print_r(openssl_get_cert_locations());"
    Array
    (
        [default_cert_file] => /opt/libressl/etc/ssl/cert.pem
        [default_cert_file_env] => SSL_CERT_FILE
        [default_cert_dir] => /opt/libressl/etc/ssl/certs
        [default_cert_dir_env] => SSL_CERT_DIR
        [default_private_dir] => /opt/libressl/etc/ssl/private
        [default_default_cert_area] => /opt/libressl/etc/ssl
        [ini_cafile] => 
        [ini_capath] => 
    )
    
     
  4. Matt (Well-Known Member)

    This is an issue with LibreSSL.

    Removed the PHP_CUSTOMSSL switch from custom_config.inc
    Code:
    PHP_CUSTOMSSL='y'
    
    (attached screenshot: upload_2017-5-8_9-1-18.png)

    Works fine now.

    Code:
    # /usr/local/bin/php -r "print_r(openssl_get_cert_locations());"
    Array
    (
        [default_cert_file] => /etc/pki/tls/cert.pem
        [default_cert_file_env] => SSL_CERT_FILE
        [default_cert_dir] => /etc/pki/tls/certs
        [default_cert_dir_env] => SSL_CERT_DIR
        [default_private_dir] => /etc/pki/tls/private
        [default_default_cert_area] => /etc/pki/tls
        [ini_cafile] =>
        [ini_capath] =>
    )
    
     
  5. eva2000 (Administrator, Staff Member)

    Ah, PHP_CUSTOMSSL was never completed on my end; it's something planned for later, hence disabled by default :)

    Though it also highlights something that may or may not be related, which I saw when I was testing.

    -CAfile /etc/ssl/certs/cacert.pem
    Code (Text):
    echo -n | openssl s_client -verify on -CAfile /etc/ssl/certs/cacert.pem -connect www.gmail.com:443                    
    verify depth is 0
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    140103723476896:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1178:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3170 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1494230867
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    


    versus -CAfile /etc/pki/tls/cert.pem

    Code (Text):
    echo -n | openssl s_client -verify on -CAfile /etc/pki/tls/cert.pem -connect www.gmail.com:443              
    verify depth is 0
    CONNECTED(00000003)
    depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
    verify return:1
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = mail.google.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority G2
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...C
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 3747 bytes and written 373 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 4A7677195D2744E8D349FD7CCBB2781996E7697A00DDC2BD85027B0195EAECB8
        Session-ID-ctx:
        Master-Key: 3AB912C33C292F72B488E7C71800CA134F891B89D1597373E1B8C94561024C99E5EB4E9A58C5123312357C7917B8CB89
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 100800 (seconds)
        TLS session ticket:
        0000 - 54 28 fe 31 a9 40 21 0d-d0 06 27 cf ef 54 da 97   T(.1.@!...'..T..
        0010 - 5b e0 0c a4 61 10 5b e9-e9 17 04 1b a6 e4 f4 e1   [...a.[.........
        0020 - 8e af 0f b5 5d b7 76 a1-9c a3 e1 0d 8b 34 30 8a   ....].v......40.
        0030 - e1 6c c1 98 37 8f 05 b7-eb da 86 6e e1 c1 af 07   .l..7......n....
        0040 - c4 a6 31 c9 b5 82 ff 59-35 af e9 03 f1 6e 46 87   ..1....Y5....nF.
        0050 - c6 90 9c d3 46 e7 16 b4-69 31 8a 09 72 5a b3 28   ....F...i1..rZ.(
        0060 - b3 ee 50 bf ce a5 62 44-1d b5 da 24 06 ba 93 e3   ..P...bD...$....
        0070 - 1a 5a f1 99 79 f1 ca 87-dc 8a 39 29 e1 d7 99 69   .Z..y.....9)...i
        0080 - 7c 54 70 fe b4 98 cf b7-c1 64 45 79 34 95 01 e7   |Tp......dEy4...
        0090 - fa b3 90 b8 4e 76 0f d1-d1 f7 67 6b 73 c4 5a d5   ....Nv....gks.Z.
        00a0 - 43 c3 ff a8                                       C...
    
        Start Time: 1494230827
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    DONE
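
The two transcripts above differ only in which CA bundle the client trusts, and the failing one stops at the first issuer that bundle does not contain. The script below is an added example, not code from the thread or from Centmin Mod. It reproduces that failure offline with a throwaway root/intermediate/leaf PKI (all names, such as "Example root CA" and www.example.test, are made up for the demo), verifies the same chain once against a bundle that holds the right root and once against a bundle that does not, and lists the subjects in a bundle so that the path reported by `openssl version -d` or by PHP's `openssl_get_cert_locations()` (posts 3 and 4) can be checked for the anchor a chain actually needs. It also contains the s_client invocation as a practitioner would script it (not run by the demo, since it needs network): `-verify` takes an integer depth, so the thread's `-verify on` was parsed as depth 0 (hence "verify depth is 0"), and `-verify_return_error` is what turns a failed verification into a non-zero exit status; note that the failing transcript above still ends with "Verify return code: 0 (ok)", so that line is not something to grep for. Only the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example (not from the thread or Centmin Mod). Reproduces the thread's
# "unable to get local issuer certificate" offline with a throwaway PKI and
# shows the two checks worth scripting: does the bundle hold the root the
# chain needs, and does the chain verify against it. Needs only the openssl CLI.
# All names (Example root CA, www.example.test) are made up for the demo.

# Build root -> intermediate -> leaf under directory $1, plus an unrelated
# second root ("other") that stands in for a bundle missing the right anchor.
# Extensions come from explicit -config/-extfile files so nothing depends on
# the system openssl.cnf.
mkpki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
    for n in root other; do                      # two self-signed roots
        openssl req -config "$d/req.cnf" -new -newkey rsa:2048 -nodes \
            -keyout "$d/$n.key" -out "$d/$n.csr" -subj "/O=Example/CN=Example $n CA" 2>/dev/null
        openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
            -extfile "$d/ca.ext" -out "$d/$n.pem" 2>/dev/null
    done
    openssl req -config "$d/req.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" -subj "/O=Example/CN=Example intermediate CA" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -config "$d/req.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Verify the leaf against CA bundle $1, giving the intermediate only as
# untrusted chain material (what a server sends). Prints openssl's verdict;
# the exit status is non-zero on failure, which is what a script should test.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2/int.pem" "$2/leaf.pem" 2>&1
}

# Print the subject of every certificate in bundle $1. Run it on the path that
# `openssl version -d` or PHP's openssl_get_cert_locations() reports to confirm
# the root a chain needs is really in there.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject=//p'
}

# Exit 0 if some subject in bundle $1 matches pattern $2.
bundle_has_subject() {
    bundle_subjects "$1" | grep -q -- "$2"
}

# The live equivalent against host $2 with bundle $1 (needs network, so the
# demo below does not call it). -verify takes an integer depth ("-verify on"
# in the thread was read as 0), and -verify_return_error makes any failed
# verification abort the handshake with a non-zero exit status; the
# "Verify return code: 0 (ok)" line in the failing transcript is not a
# usable signal.
check_host() {
    openssl s_client -connect "$2:443" -servername "$2" -CAfile "$1" \
        -verify 5 -verify_return_error </dev/null >/dev/null 2>&1
}

tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT
mkpki "$tmp"

echo "== bundle that holds the right root"
verify_chain "$tmp/root.pem" "$tmp"            # .../leaf.pem: OK
echo "== bundle that holds an unrelated root"
verify_chain "$tmp/other.pem" "$tmp" || true   # error 20 ... unable to get local issuer certificate
echo "== subjects in the good bundle"
bundle_subjects "$tmp/root.pem"
```

To apply it to the thread's case, point the functions at the real files instead of the temp directory: `bundle_subjects /opt/libressl/etc/ssl/cert.pem` shows what the LibreSSL-linked PHP from post 3 was actually trusting, and `check_host /etc/pki/tls/cert.pem www.gmail.com` is the scripted form of the second transcript. IPv6 support in s_client (and the `-4`/`-6` switches) only arrived in OpenSSL 1.1.0; if the local openssl is 1.0.x, as the `s3_clnt.c` error format in the transcripts suggests, reproduce the IPv6-only failure from the first post with `curl -6 --cacert <bundle> https://www.gmail.com/` instead, which takes the same bundle and fails with a certificate error rather than falling back to IPv4.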
    
     
  6. Matt (Well-Known Member)

    I've removed all the PHP_CUSTOMSSL switches on my servers, and I'll go through all the other ones I've built where I might have used this, and remove them from there as well.
     
  7. eva2000 (Administrator, Staff Member)

    Yeah, PHP_CUSTOMSSL isn't ready for prime time yet. The end goal, though, is for it to be able to compile PHP with a custom OpenSSL version that matches what Nginx uses.