fix SSL cert #20

Closed
snarfed opened this Issue Jan 4, 2014 · 3 comments

Owner

snarfed commented Jan 4, 2014

evidently it's missing the intermediate chaining cert. thanks to @aaronpk for debugging!

repro and test:
openssl s_client -connect www.brid.gy:443
openssl s_client -connect brid-gy.appspot.com:443
test: https://www.ssllabs.com/ssltest/analyze.html?d=www.brid.gy&s=74.125.194.121

Owner

snarfed commented Jan 4, 2014

i just remembered that brid.gy's SSL requires SNI. app engine supports both VIPs and SNI for SSL on custom domains, but VIPs are naturally more expensive, so i went with SNI. not sure that's the root cause here though, since s_client won't connect even with -servername:

$ openssl s_client -servername brid.gy -connect www.brid.gy:443 -showcerts
CONNECTED(00000003)
50139:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_lib.c:182:

background: http://blog.chrismeller.com/testing-sni-certificates-with-openssl

Contributor

aaronpk commented Jan 4, 2014

it works with -servername www.brid.gy

Owner

snarfed commented Jan 4, 2014

yup. i'll probably just switch the source URLs to brid-gy.appspot.com.

@snarfed snarfed closed this in d515b09 Jan 4, 2014
