
[Solved] LibreSSL unknown CA issue with Google IPv6

Discussion in 'Bug Reports' started by Matt, May 8, 2017.

  1. Matt

    Matt Moderator Staff Member

    680
    314
    63
    May 25, 2014
    Sheffield, UK
    Ratings:
    +433
    Local Time:
    10:19 AM
    1.7.1
    MariaDB 10
    @Amin Sabet and I have started getting this same error now, when the server tries to connect to Google via IPv6.

    [image attachment: upload_2017-5-8_8-36-38.png]

    Code:
    # whois 2a00:1450:4010:c08::69
    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf
    
    % Note: this output has been filtered.
    %       To receive output for a database update, use the "-B" flag.
    
    % Information related to '2a00:1450:4000::/37'
    
    % Abuse contact for '2a00:1450:4000::/37' is 'ripe-contact@google.com'
    
    inet6num:       2a00:1450:4000::/37
    netname:        IE-GOOGLE-2a00-1450-4000-1
    descr:          EU metro frontend
    country:        ie
    admin-c:        GOOG1-RIPE
    tech-c:         GOOG1-RIPE
    status:         AGGREGATED-BY-LIR
    assignment-size:48
    mnt-by:         MNT-GOOG-PROD
    created:        2016-03-09T19:03:51Z
    last-modified:  2016-03-09T19:03:51Z
    source:         RIPE
    
    role:           Google Ireland Limited
    address:        Google Ireland Limited
                    BARROW STREET  1ST & 2ND FLOOR
                    4  DUBLIN IRELAND
    admin-c:        GOOG-RIPE
    admin-c:        JWS7-RIPE
    tech-c:         GOOG-RIPE
    nic-hdl:        GOOG1-RIPE
    mnt-by:         MNT-GOOG-PROD
    created:        2009-10-02T20:37:42Z
    last-modified:  2009-10-02T21:42:03Z
    source:         RIPE # Filtered
    
    % This query was served by the RIPE Database Query Service version 1.88.1 (WAGYU)
    
     
    Last edited: May 8, 2017
  2. eva2000

    eva2000 Administrator Staff Member

    29,033
    6,589
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,782
    Local Time:
    7:19 PM
    Nginx 1.13.x
    MariaDB 5.5
    Interesting, but it isn't the same cause as before, right? As I fixed that, but I see the Unknown CA in there.
     
  3. Matt

    Matt Moderator Staff Member

    Correct, last time it was failing on IPv4 also, because of the below entry.

    Code:
    openssl.cafile = '/etc/ssl/certs/cacert.pem'
    I'm going to switch PHP out to OpenSSL and see if it's an issue with LibreSSL

    Code:
    # /usr/local/bin/php -r "print_r(openssl_get_cert_locations());"
    Array
    (
        [default_cert_file] => /opt/libressl/etc/ssl/cert.pem
        [default_cert_file_env] => SSL_CERT_FILE
        [default_cert_dir] => /opt/libressl/etc/ssl/certs
        [default_cert_dir_env] => SSL_CERT_DIR
        [default_private_dir] => /opt/libressl/etc/ssl/private
        [default_default_cert_area] => /opt/libressl/etc/ssl
        [ini_cafile] => 
        [ini_capath] => 
    )
    
     
  4. Matt

    Matt Moderator Staff Member

    This is an issue with LibreSSL.

    Removed the PHP_CUSTOMSSL switch from custom_config.inc
    Code:
    PHP_CUSTOMSSL='y'
    
    [image attachment: upload_2017-5-8_9-1-18.png]

    Works fine now.

    Code:
    # /usr/local/bin/php -r "print_r(openssl_get_cert_locations());"
    Array
    (
        [default_cert_file] => /etc/pki/tls/cert.pem
        [default_cert_file_env] => SSL_CERT_FILE
        [default_cert_dir] => /etc/pki/tls/certs
        [default_cert_dir_env] => SSL_CERT_DIR
        [default_private_dir] => /etc/pki/tls/private
        [default_default_cert_area] => /etc/pki/tls
        [ini_cafile] =>
        [ini_capath] =>
    )
    
     
  5. eva2000

    eva2000 Administrator Staff Member

    Ah, PHP_CUSTOMSSL was never completed on my end; it's something planned for later, hence disabled by default :)

    Though it also highlights something that may or may not be related that I noticed when I was testing:

    -CAfile /etc/ssl/certs/cacert.pem
    Code (Text):
    echo -n | openssl s_client -verify on -CAfile /etc/ssl/certs/cacert.pem -connect www.gmail.com:443                    
    verify depth is 0
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    140103723476896:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1178:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3170 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1494230867
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    


    versus -CAfile /etc/pki/tls/cert.pem

    Code (Text):
    echo -n | openssl s_client -verify on -CAfile /etc/pki/tls/cert.pem -connect www.gmail.com:443              
    verify depth is 0
    CONNECTED(00000003)
    depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
    verify return:1
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = mail.google.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority G2
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...C
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 3747 bytes and written 373 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 4A7677195D2744E8D349FD7CCBB2781996E7697A00DDC2BD85027B0195EAECB8
        Session-ID-ctx:
        Master-Key: 3AB912C33C292F72B488E7C71800CA134F891B89D1597373E1B8C94561024C99E5EB4E9A58C5123312357C7917B8CB89
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 100800 (seconds)
        TLS session ticket:
        0000 - 54 28 fe 31 a9 40 21 0d-d0 06 27 cf ef 54 da 97   T(.1.@!...'..T..
        0010 - 5b e0 0c a4 61 10 5b e9-e9 17 04 1b a6 e4 f4 e1   [...a.[.........
        0020 - 8e af 0f b5 5d b7 76 a1-9c a3 e1 0d 8b 34 30 8a   ....].v......40.
        0030 - e1 6c c1 98 37 8f 05 b7-eb da 86 6e e1 c1 af 07   .l..7......n....
        0040 - c4 a6 31 c9 b5 82 ff 59-35 af e9 03 f1 6e 46 87   ..1....Y5....nF.
        0050 - c6 90 9c d3 46 e7 16 b4-69 31 8a 09 72 5a b3 28   ....F...i1..rZ.(
        0060 - b3 ee 50 bf ce a5 62 44-1d b5 da 24 06 ba 93 e3   ..P...bD...$....
        0070 - 1a 5a f1 99 79 f1 ca 87-dc 8a 39 29 e1 d7 99 69   .Z..y.....9)...i
        0080 - 7c 54 70 fe b4 98 cf b7-c1 64 45 79 34 95 01 e7   |Tp......dEy4...
        0090 - fa b3 90 b8 4e 76 0f d1-d1 f7 67 6b 73 c4 5a d5   ....Nv....gks.Z.
        00a0 - 43 c3 ff a8                                       C...
    
        Start Time: 1494230827
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    DONE
    
     
  6. Matt

    Matt Moderator Staff Member

    I've removed all the PHP_CUSTOMSSL switches on my servers, and I'll go through all the other ones I've built where I might have used this, and remove them from there as well.
     
  7. eva2000

    eva2000 Administrator Staff Member

    Yeah, PHP_CUSTOMSSL isn't ready for prime time yet; the end goal, though, is for it to be able to compile PHP with a custom OpenSSL version that matches what Nginx uses.