Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Certificate not trusted #923

Closed
corbinu opened this issue Feb 23, 2015 · 10 comments
Closed

Certificate not trusted #923

corbinu opened this issue Feb 23, 2015 · 10 comments
Labels
tls Issues and PRs related to the tls subsystem.

Comments

@corbinu
Copy link

corbinu commented Feb 23, 2015

Hello,

I am having an issue where iojs returns a 'Certificate not trusted error' This does not return in node 0.12. I am trying to figure out if this is something wrong with the cert or something wrong iojs

Thanks for any help you can give.

The request is to address.melissadata.net

Here is the output from openssl verifying the cert

openssl s_client -CApath /etc/ssl/certs/  -connect address.melissadata.net:443 | openssl x509 -text
depth=3 L = ValiCert Validation Network, O = "ValiCert, Inc.", OU = ValiCert Class 2 Policy Validation Authority, CN = http://www.valicert.com/, emailAddress = info@valicert.com
verify return:1
depth=2 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certificates.starfieldtech.com/repository, CN = Starfield Secure Certification Authority, serialNumber = 10688435
verify return:1
depth=0 O = *.melissadata.net, OU = Domain Control Validated, CN = *.melissadata.net
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1165748711591655 (0x4243e05da0ee7)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certificates.starfieldtech.com/repository, CN=Starfield Secure Certification Authority/serialNumber=10688435
        Validity
            Not Before: Dec  1 16:04:11 2011 GMT
            Not After : Sep 29 18:08:43 2015 GMT
        Subject: O=*.melissadata.net, OU=Domain Control Validated, CN=*.melissadata.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c0:7d:75:76:55:80:75:b1:c8:6d:f4:32:6a:b4:
                    17:bc:67:11:ad:6c:82:b5:fb:3c:c5:17:6b:06:1b:
                    1d:fb:56:76:22:c5:3a:96:c7:e5:38:ab:b6:cb:fc:
                    f5:29:f1:94:c2:4e:8a:f1:d0:9d:70:f2:dc:f6:08:
                    64:33:0c:9c:5e:2c:a9:b2:f4:70:69:08:72:1c:60:
                    e7:7a:1d:a6:83:91:c5:4d:ae:2c:50:36:ca:50:56:
                    7f:c0:3e:6b:f2:10:fc:87:63:4b:7c:e2:ca:44:4a:
                    75:76:7e:ba:77:e5:35:34:8b:66:14:eb:e3:6d:ab:
                    90:fa:78:4f:dd:94:00:2d:52:69:ac:0a:20:31:c2:
                    28:15:18:ce:83:c3:64:aa:af:db:13:73:83:81:b5:
                    aa:4c:85:73:d2:8e:24:b7:ab:3b:6c:38:14:7f:eb:
                    06:70:64:45:21:d9:53:38:64:cc:a6:c6:5b:da:9c:
                    8e:12:0a:c4:07:ba:6e:b0:74:b4:6c:3e:18:5e:38:
                    3e:29:34:18:08:b8:76:c8:b0:98:be:8a:fa:ea:09:
                    bd:09:37:b6:72:08:4d:19:52:e8:d2:63:74:d0:97:
                    5e:24:61:ef:1f:59:c4:ef:5a:f4:8d:0d:dc:8f:3d:
                    23:ec:3c:e6:89:e0:5a:c4:ac:88:e7:f4:7c:fe:25:
                    a4:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.starfieldtech.com/sfs1-21.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114414.1.7.23.1
                  CPS: http://certificates.starfieldtech.com/repository/

            Authority Information Access:
                OCSP - URI:http://ocsp.starfieldtech.com/
                CA Issuers - URI:http://certificates.starfieldtech.com/repository/sf_intermediate.crt

            X509v3 Authority Key Identifier:
                keyid:49:4B:52:27:D1:1B:BC:F2:A1:21:6A:62:7B:51:42:7A:8A:D7:D5:56

            X509v3 Subject Alternative Name:
                DNS:*.melissadata.net, DNS:melissadata.net
            X509v3 Subject Key Identifier:
                5C:75:00:02:B7:F6:23:67:2A:8B:1D:09:12:28:F9:72:12:E3:A2:2D
    Signature Algorithm: sha1WithRSAEncryption
         83:b2:df:87:ee:eb:db:30:9d:be:d6:4f:b7:cb:80:c5:e5:d7:
         58:c0:01:9c:7b:6f:1c:f8:56:8d:73:72:4e:90:1d:b8:27:80:
         c3:be:b7:c9:ba:35:55:8c:02:32:4b:1c:dd:83:a2:bf:44:5f:
         0c:73:3f:d3:34:9d:68:20:4d:82:22:98:b5:3c:60:e6:63:0d:
         26:ce:cc:df:6b:93:0d:2c:ba:50:88:d2:10:25:07:a8:44:4b:
         d2:01:0a:3f:76:6d:dc:2b:c1:14:27:a0:6e:6a:f6:cb:c2:96:
         3c:63:7d:c8:7c:53:56:51:ba:16:44:90:63:be:0d:f7:e8:7c:
         8a:0d:81:21:10:04:db:d8:0c:e6:2d:c3:5f:8f:3d:f1:97:ba:
         2b:e0:7e:7c:30:b6:32:c7:96:6e:9c:24:d0:f6:6f:47:97:f2:
         1b:30:4e:1d:9d:e8:b6:c9:e7:56:90:37:94:cd:01:a3:31:b1:
         26:cf:90:8c:15:0f:ad:d3:00:d6:a4:cb:39:e0:4d:af:e9:32:
         59:f4:4a:cf:ca:9d:c0:d7:c2:73:3f:a7:98:93:1e:d5:99:42:
         5e:83:5e:b1:b3:56:ce:1a:b1:e6:3c:45:65:bb:e1:2f:06:5e:
         e7:b1:e6:b0:11:bd:ab:d6:eb:13:3b:f1:a2:c8:0f:5f:10:08:
         04:07:e0:7e
-----BEGIN CERTIFICATE-----
MIIFlDCCBHygAwIBAgIHBCQ+BdoO5zANBgkqhkiG9w0BAQUFADCB3DELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAj
BgNVBAoTHFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xOTA3BgNVBAsTMGh0
dHA6Ly9jZXJ0aWZpY2F0ZXMuc3RhcmZpZWxkdGVjaC5jb20vcmVwb3NpdG9yeTEx
MC8GA1UEAxMoU3RhcmZpZWxkIFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
eTERMA8GA1UEBRMIMTA2ODg0MzUwHhcNMTExMjAxMTYwNDExWhcNMTUwOTI5MTgw
ODQzWjBbMRowGAYDVQQKFBEqLm1lbGlzc2FkYXRhLm5ldDEhMB8GA1UECxMYRG9t
YWluIENvbnRyb2wgVmFsaWRhdGVkMRowGAYDVQQDFBEqLm1lbGlzc2FkYXRhLm5l
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMB9dXZVgHWxyG30Mmq0
F7xnEa1sgrX7PMUXawYbHftWdiLFOpbH5Tirtsv89SnxlMJOivHQnXDy3PYIZDMM
nF4sqbL0cGkIchxg53odpoORxU2uLFA2ylBWf8A+a/IQ/IdjS3ziykRKdXZ+unfl
NTSLZhTr422rkPp4T92UAC1SaawKIDHCKBUYzoPDZKqv2xNzg4G1qkyFc9KOJLer
O2w4FH/rBnBkRSHZUzhkzKbGW9qcjhIKxAe6brB0tGw+GF44Pik0GAi4dsiwmL6K
+uoJvQk3tnIITRlS6NJjdNCXXiRh7x9ZxO9a9I0N3I89I+w85ongWsSsiOf0fP4l
pNECAwEAAaOCAdkwggHVMA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDA5BgNVHR8EMjAwMC6gLKAq
hihodHRwOi8vY3JsLnN0YXJmaWVsZHRlY2guY29tL3NmczEtMjEuY3JsMFkGA1Ud
IARSMFAwTgYLYIZIAYb9bgEHFwEwPzA9BggrBgEFBQcCARYxaHR0cDovL2NlcnRp
ZmljYXRlcy5zdGFyZmllbGR0ZWNoLmNvbS9yZXBvc2l0b3J5LzCBjQYIKwYBBQUH
AQEEgYAwfjAqBggrBgEFBQcwAYYeaHR0cDovL29jc3Auc3RhcmZpZWxkdGVjaC5j
b20vMFAGCCsGAQUFBzAChkRodHRwOi8vY2VydGlmaWNhdGVzLnN0YXJmaWVsZHRl
Y2guY29tL3JlcG9zaXRvcnkvc2ZfaW50ZXJtZWRpYXRlLmNydDAfBgNVHSMEGDAW
gBRJS1In0Ru88qEhamJ7UUJ6itfVVjAtBgNVHREEJjAkghEqLm1lbGlzc2FkYXRh
Lm5ldIIPbWVsaXNzYWRhdGEubmV0MB0GA1UdDgQWBBRcdQACt/YjZyqLHQkSKPly
EuOiLTANBgkqhkiG9w0BAQUFAAOCAQEAg7Lfh+7r2zCdvtZPt8uAxeXXWMABnHtv
HPhWjXNyTpAduCeAw763ybo1VYwCMksc3YOiv0RfDHM/0zSdaCBNgiKYtTxg5mMN
Js7M32uTDSy6UIjSECUHqERL0gEKP3Zt3CvBFCegbmr2y8KWPGN9yHxTVlG6FkSQ
Y74N9+h8ig2BIRAE29gM5i3DX4898Ze6K+B+fDC2MseWbpwk0PZvR5fyGzBOHZ3o
tsnnVpA3lM0BozGxJs+QjBUPrdMA1qTLOeBNr+kyWfRKz8qdwNfCcz+nmJMe1ZlC
XoNesbNWzhqx5jxFZbvhLwZe57HmsBG9q9brEzvxosgPXxAIBAfgfg==
-----END CERTIFICATE-----
@shigeki
Copy link
Contributor

shigeki commented Feb 23, 2015

This is an another case of #402 . The ValiCert Class 2 of 1024bit RSA was removed but iojs refers it due to a cross root cert on this site. The patch of openssl are not still applied yet. Do we restore https://github.com/joyent/node/blob/v0.12/src/node_root_certs.h#L227-L243 ?

CC: @bnoordhuis @indutny

@shigeki shigeki added the tls Issues and PRs related to the tls subsystem. label Feb 23, 2015
@shigeki shigeki self-assigned this Feb 26, 2015
@shigeki
Copy link
Contributor

shigeki commented Feb 26, 2015

A good news is that a patch to fix has just been landed in the upstream master. http://rt.openssl.org/Ticket/Display.html?id=3637&user=guest&pass=guest . I will try to backport it to 1.0.2 and tests if the issue is resolved.

@corbinu
Copy link
Author

corbinu commented Feb 26, 2015

Thanks much!

@shigeki
Copy link
Contributor

shigeki commented Feb 26, 2015

Confirmed that the issue was resolved with 4ffbc5bebfbcfaf7e15efb957f9f00bfe237b924 and 0aa79f6e7be1021176253b0e65b43b6e6bc4e69c in https://github.com/shigeki/io.js/tree/GH-923 .

$ cat ~/tmp/tls_alt_cert_chains/tls_alt_cert_chain_check.js
// check alt cert chain patch works well by testing to
//  tls server which has a cross root cert.
var tls = require('tls');
var client = tls.connect(443, 'address.melissadata.net', function() {
  console.log('TLS connected');
  client.destroy();
});
client.on('error', function(err) {
  console.log(err);
});
$ ./iojs ~/tmp/tls_alt_cert_chains/tls_alt_cert_chain_check.js
TLS connected

@indutny @bnoordhuis Can we take these patch to openssl-1.0.2 . My upgrading work is almost finished and only writing a doc is remained.

@indutny
Copy link
Member

indutny commented Feb 27, 2015

@shigeki hell yes! Let's do it!

@marcus433 marcus433 mentioned this issue Mar 1, 2015
Closed
@corbinu
Copy link
Author

corbinu commented Mar 12, 2015

Just wondering the status on this? are we just waiting on openssl to merge?

@shigeki
Copy link
Contributor

shigeki commented Mar 13, 2015

@corbinu Sorry for waiting. I'm working on it but it's not finished yet. I will submit a PR to add ValiCert Class 2 today.

shigeki pushed a commit to shigeki/node that referenced this issue Mar 13, 2015
crypto: add deprecated ValiCert CA for cross cert
414adfa 
The host of melissadata.net has a cross root certification between
Starfield Class 2 and ValiCert Class 2. OpenSSL-1.0.1 only looks up
a cert chain to the deprecated ValiCert Class 2 CA and causes
untrusted error. We add it for a short-term remedy and it is to be
removed after upgrading OpenSSSL-1.0.2 and applying private patches
to support alternative cert chains.
See nodejs#402 and nodejs#589.

Fixes: nodejs#923
@shigeki shigeki mentioned this issue Mar 13, 2015
Closed
@corbinu
Copy link
Author

corbinu commented Mar 13, 2015

Thanks very much for your time on this!

shigeki pushed a commit that referenced this issue Mar 13, 2015
crypto: add deprecated ValiCert CA for cross cert
d8c4a93 
The host of melissadata.net has a cross root certification between
Starfield Class 2 and ValiCert Class 2. OpenSSL-1.0.1 only looks up
a cert chain to the deprecated ValiCert Class 2 CA and causes
untrusted error. We add it for a short-term remedy and it is to be
removed after upgrading OpenSSSL-1.0.2 and applying private patches
to support alternative cert chains.
See #402 and #589.

Fixes: #923
PR-URL: #1135
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@shigeki
Copy link
Contributor

shigeki commented Mar 13, 2015

@corbinu Thank you for your patience. The fix has just been landed in d8c4a93. I'd like you to confirm that the issue is really resolved.

@corbinu
Copy link
Author

corbinu commented Mar 13, 2015

@shigeki Thanks so much work like a charm

@corbinu corbinu closed this as completed Mar 13, 2015
@shigeki shigeki mentioned this issue Dec 16, 2015
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
tls Issues and PRs related to the tls subsystem.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@indutny @corbinu @shigeki