
Wrong certificate store used? #15

Closed
GoogleCodeExporter opened this issue Feb 11, 2016 · 4 comments

Comments

@GoogleCodeExporter

Trying "python sslyze.py --regular www.cacert.org:443" on my OSX machine with 
CAcert in the OS trust store, I get:

      Validation w/ Mozilla's CA Store:  Certificate is Trusted             

which is invalid, as CAcert is not in the Mozilla CA store.

Original issue reported on code.google.com by ja...@kirei.se on 27 Mar 2012 at 8:55

@GoogleCodeExporter

Weird... I get "Certificate is NOT Trusted" on Ubuntu and Windows.
Are you using the Mac's default OpenSSL library or did you build your own?

I know that Apple has changed the OpenSSL library that comes with Mac OS X to 
automatically use Apple's trust store whenever an SSL connection is made (!!). 
However it doesn't seem like CAcert is part of that trust store anyway 
(http://wiki.cacert.org/InclusionStatus). I'll investigate; thanks for the 
feedback.

Original comment by nabla.c...@gmail.com on 28 Mar 2012 at 5:21

  • Changed state: Accepted

@GoogleCodeExporter

I'm using the default Python, so I guess that will be the Apple OpenSSL library.

If you want to validate with the Mozilla CA store only, you probably need to 
explicitly disable built-in trust anchors. It would be quite useful if sslyze 
could report trust with the default OS CA store and Mozilla independently. 

Original comment by ja...@kirei.se on 28 Mar 2012 at 7:00

@GoogleCodeExporter

Yeah, default trust stores should definitely be disabled as the current result 
is misleading and wrong. That's something I'll fix.

Validating the server cert against the OS store seems a bit annoying to 
implement. The location of the OS's CA store will be quite specific to the OS 
(and it also changes between Linux distros I think). Writing specific cases for 
each platform and OS would be too much work and I don't think it's a feature 
that lots of users will want to have?

Original comment by nabla.c...@gmail.com on 29 Mar 2012 at 2:16

@GoogleCodeExporter

Turns out there's not much I can do. Apple patched/hacked the OpenSSL lib that 
ships with Snow Leopard. They changed X509_verify_cert() to automatically fall 
back to the OS trust store if the cert verification failed. This is an issue of 
Snow Leopard, and it would not be trivial to "fix" it within SSLyze. 

Relevant links:
http://bugs.ruby-lang.org/issues/3150
http://www.opensource.apple.com/source/OpenSSL098/OpenSSL098-27/src/crypto/x509/x509_vfy_apple.h

Original comment by nabla.c...@gmail.com on 7 Apr 2012 at 11:58

  • Changed state: WontFix
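The thread above asks for two things: that sslyze disable the default trust anchors when it claims to verify against the Mozilla store, and that trust be reported per store independently. The script below is an added example, not sslyze's code and not written by either commenter. It builds one verifier per store using Python's ssl module (which wraps the same OpenSSL library), and adds an empty-store control that mirrors the reporter's experiment: a chain that comes back "Trusted" under a store that contains no anchors at all means the underlying library consulted a store the caller never loaded, which is exactly the Snow Leopard X509_verify_cert() fallback described in the last comment. The bundle path MOZILLA_BUNDLE is an assumption; point it at any PEM copy of the Mozilla CA list. Note that the control can only detect the fallback, not switch it off, since the fallback lives inside the patched library.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Assumed location of a PEM copy of the Mozilla CA bundle (not a real path on
# this page; substitute your own, e.g. the bundle sslyze ships).
MOZILLA_BUNDLE = "mozilla_ca_bundle.pem"


def isolated_context(cafile: Optional[str]) -> ssl.SSLContext:
    """Verifier that trusts ONLY the anchors in `cafile`.

    A fresh SSLContext starts with an empty X509 store.  The OS / OpenSSL
    default anchors are added only by load_default_certs(), which is never
    called here.  With cafile=None the store stays empty, so every chain
    must fail to verify; a "Trusted" result under this context means the
    library fell back to a store it was not given.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def os_default_context() -> ssl.SSLContext:
    """Verifier that trusts whatever the OS / OpenSSL build considers default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def store_is_empty(ctx: ssl.SSLContext) -> bool:
    """True when the context carries no CA or leaf certificates at all."""
    stats = ctx.cert_store_stats()
    return stats["x509_ca"] == 0 and stats["x509"] == 0


@dataclass
class TrustResult:
    store: str
    trusted: bool
    detail: str


def verdict(store: str, exc: Optional[BaseException]) -> TrustResult:
    """Turn the outcome of a handshake attempt into a per-store verdict."""
    if exc is None:
        return TrustResult(store, True, "chain verified")
    if isinstance(exc, ssl.SSLCertVerificationError):
        # verify_message is set by the ssl module on real failures; fall back
        # to str() for exceptions constructed by hand.
        msg = getattr(exc, "verify_message", None) or str(exc)
        return TrustResult(store, False, msg)
    return TrustResult(store, False, "handshake error: %s" % exc)


def check_trust(host: str, port: int, store: str, ctx: ssl.SSLContext,
                timeout: float = 5.0) -> TrustResult:
    """Handshake with host:port under ctx and report whether the chain verified."""
    exc: Optional[BaseException] = None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                pass  # handshake completes on wrap; nothing else is sent
    except Exception as e:  # verification failure, TLS alert or network error
        exc = e
    return verdict(store, exc)


def check_all_stores(host: str, port: int = 443) -> List[TrustResult]:
    """Report trust against each store separately, plus the empty-store control."""
    contexts = [
        ("OS default store", os_default_context()),
        ("Mozilla CA store", isolated_context(MOZILLA_BUNDLE)),
        ("empty store (control)", isolated_context(None)),
    ]
    return [check_trust(host, port, name, ctx) for name, ctx in contexts]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.cacert.org"
    for r in check_all_stores(target):
        state = "Trusted" if r.trusted else "NOT trusted"
        print("%-24s %s  (%s)" % (r.store, state, r.detail))
```

Run it as `python check_stores.py www.cacert.org`. On an unpatched OpenSSL the control row must always read NOT trusted; if it reads Trusted, the verdict in the other rows cannot be attributed to the store named, because the library is silently consulting something else.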
