SqueakSSLCertificateError in some Linux distributions (Red Hat) #5

Closed
nmingotti opened this issue Aug 25, 2019 · 15 comments

Comments

@nmingotti

nmingotti commented Aug 25, 2019

Hi,
I am using Squeak 5.2 updated to 18232.

When I run this:
g := 'https://www.google.com' asUrl retrieveContents .

In macOS 10.14.6 it works.

In Linux Debian 9.9 it works.

In Linux Red Hat Enterprise Linux Server release 7.6 (Maipo) it gives this error:
SqueakSSLCertificateError : Host name mismatch (code: -1)

In FreeBSD 12, using Linux emulation (CentOS 7), it gives this error:
SqueakSSLCertificateError : Invalid certificate (code 1)

Any idea why?

Temporarily, to force the connection to get the data, I do this:
in WebSocket >> sslConnect, comment out this block

self canVerify
	ifTrue: [stream verifyCert: self serverName].

Tested only in FreeBSD 12, Linux compatibility layer.

@krono
Member

krono commented Aug 26, 2019

Can you please change SqueakSSL>>#initialize to the following?

initialize
	"Initialize the receiver"

	handle := self primitiveSSLCreate.
	self logLevel: 1.

You should then get information on stdout or stderr, which would be helpful.

Also, what is the result of SqueakSSL new pluginVersion?

@nmingotti
Author

Hi,

==== FreeBSD 12, Linux emulation ===============

SqueakSSL new pluginVersion. " 3"
sqSetStringPropertySSL(2): www.google.com
sqConnectSSL: 0x8007f6dc0
sqConnectSSL: Setting up SSL
sqSetupSSL: setting method
sqSetupSSL: Creating context
sqSetupSSL: Disabling SSLv2 and SSLv3
sqSetupSSL: setting cipher list
sqSetupSSL: No root CA given; using default verify paths
sqSetupSSL: Creating SSL
sqSetupSSL: setting bios
sqConnectSSL: Setting connect state
sqConnectSSL: BIO_write 0 bytes
sqSetupSSL: Using server name www.google.com
sqConnectSSL: SSL_connect
sqConnectSSL: sqCopyBioSSL
sqCopyBioSSL: 320 bytes pending; buffer size 4096
sqConnectSSL: 0x8007f6dc0
sqConnectSSL: BIO_write 2344 bytes
sqSetupSSL: Using server name www.google.com
sqConnectSSL: SSL_connect
sqConnectSSL: sqCopyBioSSL
sqCopyBioSSL: 126 bytes pending; buffer size 4096
sqConnectSSL: 0x8007f6dc0
sqConnectSSL: BIO_write 279 bytes
sqSetupSSL: Using server name www.google.com
sqConnectSSL: SSL_connect
sqConnectSSL: SSL_get_peer_certificate
sqConnectSSL: cert = 0x80080fdb0
sqConnectSSL: X509_check_host.sqConnectSSL: check hostname OK
sqConnectSSL: SSL_get_verify_result = 20

===== in Red Hat ============

SqueakSSL new pluginVersion. " 3"

Here there is a proxy; accessing non-HTTPS works:

HTTPSocket useProxyServerNamed: 'psproxy' port: 3128.
g := 'http://euriscom.it' asUrl retrieveContents. 

Accessing Google (HTTPS) instead gives this:

sqSetStringPropertySSL(2): psproxy
sqConnectSSL: 0x7f240da6e460
sqConnectSSL: Setting up SSL
sqSetupSSL: setting method
sqSetupSSL: Creating context
sqSetupSSL: Disabling SSLv2 and SSLv3
sqSetupSSL: setting cipher list
sqSetupSSL: No root CA given; using default verify paths
sqSetupSSL: Creating SSL
sqSetupSSL: setting bios
sqConnectSSL: Setting connect state
sqConnectSSL: BIO_write 0 bytes
sqSetupSSL: Using server name psproxy
sqConnectSSL: SSL_connect
sqConnectSSL: sqCopyBioSSL
sqCopyBioSSL: 313 bytes pending; buffer size 4096
sqConnectSSL: 0x7f240da6e460
sqConnectSSL: BIO_write 2715 bytes
sqSetupSSL: Using server name psproxy
sqConnectSSL: SSL_connect
sqConnectSSL: sqCopyBioSSL
sqCopyBioSSL: 126 bytes pending; buffer size 4096
sqConnectSSL: 0x7f240da6e460
sqConnectSSL: BIO_write 279 bytes
sqSetupSSL: Using server name psproxy
sqConnectSSL: SSL_connect
sqConnectSSL: SSL_get_peer_certificate
sqConnectSSL: cert = 0x7f240da67dd0
sqConnectSSL: X509_check_host.sqConnectSSL: check hostname NOT OK
sqConnectSSL: SSL_get_verify_result = 0

@nmingotti nmingotti reopened this Aug 27, 2019
@nmingotti
Author

Closed by mistake, sorry.

@krono
Member

krono commented Aug 27, 2019

What is the OpenSSL version for each installation?

FreeBSD

Also, the first seems to translate to this: (see https://www.openssl.org/docs/man1.0.2/man1/verify.html)

20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate

the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.

Are you sure all root certificates are properly initialized?
What does openssl s_client -connect www.google.com:443 give?

RedHat

  • After you set the proxy, what does WebUtils defaultProxyServer give?
  • Can you please try WebClient httpGet: 'https://google.com'?
  • Is the proxy-server HTTPS-aware in the first place?

You can set WebClient debugLog: Transcript to trace what WebClient is doing while connecting.

I somehow suspect that the proxy-server is "mingling" with the server name…

@krono
Member

krono commented Aug 27, 2019

Correction.
For RedHat, we see:

sqSetStringPropertySSL(2): psproxy

So, we are comparing the server name from Google against psproxy.

Can you please change the method WebClient>>#sslConnect line

	self sslConnect: stream to: lastServer.

to

	self sslConnect: stream to: self serverName.

and see if it helps?
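
Added editorial example, not code from this thread nor from Squeak's WebClient or the SqueakSSL plugin: a small Python model of the two checks the plugin log above reports, X509_check_host (is the name we meant to reach present in the certificate?) and SSL_get_verify_result (does the chain end at a trusted root?). It shows why comparing the origin's certificate against the proxy's name, as the old `lastServer` argument did, yields "Host name mismatch" even though the chain verifies (result 0), and why the FreeBSD case fails the other way round (name OK, result 20). With an HTTP CONNECT proxy the TLS session is end-to-end with the origin server, so both SNI and hostname verification must use the origin host, which is what passing `self serverName` achieves. The SAN list is constructed for illustration (the thread only shows CN=www.google.com in the s_client output); the wildcard rules follow RFC 6125 and go slightly beyond the single case in the thread.

```python
from typing import Iterable

# Constructed sample: DNS names as they would appear in the subjectAltName of
# the www.google.com leaf certificate shown in the s_client output of the thread.
GOOGLE_SANS = ["www.google.com"]


def hostname_matches(cert_dns_names: Iterable[str], hostname: str) -> bool:
    """RFC 6125-style match of `hostname` against the certificate's DNS names.

    Rules applied: case-insensitive, a trailing dot is ignored, a wildcard is
    honoured only when it is the whole leftmost label with at least two labels
    after it (so "*.com" matches nothing), and it never spans a dot
    (so "*.example.com" does not match "a.b.example.com").
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in cert_dns_names:
        pat_labels = name.rstrip(".").lower().split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if pat_labels[0] == "*":
            if len(pat_labels) >= 3 and pat_labels[1:] == host_labels[1:]:
                return True
        elif pat_labels == host_labels:
            return True
    return False


def classify_handshake(cert_dns_names: Iterable[str], verify_name: str,
                       verify_result: int) -> str:
    """Mirror the plugin's order of checks: hostname first, then chain result.

    `verify_result` is the integer SSL_get_verify_result() code: 0 is X509_V_OK,
    20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (no trusted issuer found
    in the local store). The return strings follow the SqueakSSLCertificateError
    messages quoted in the issue.
    """
    if not hostname_matches(cert_dns_names, verify_name):
        return "Host name mismatch"
    if verify_result != 0:
        return "Invalid certificate"
    return "OK"


if __name__ == "__main__":
    # Red Hat case: chain verified (0), but sslConnect handed the proxy's name
    # (lastServer = 'psproxy') to the hostname check.
    print("Red Hat, before fix:", classify_handshake(GOOGLE_SANS, "psproxy", 0))
    # After the fix the origin host (self serverName) is compared instead.
    print("Red Hat, after fix: ", classify_handshake(GOOGLE_SANS, "www.google.com", 0))
    # FreeBSD case: name matches, but no local issuer certificate was found (20).
    print("FreeBSD:            ", classify_handshake(GOOGLE_SANS, "www.google.com", 20))
```

Run directly, the script prints the three outcomes seen in the thread in order: mismatch, OK, invalid certificate.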

@nmingotti
Author

nmingotti commented Aug 28, 2019

OpenSSL versions:
FreeBSD: OpenSSL 1.1.1a-freebsd 20 Nov 2018
RedHat: OpenSSL 1.0.2k-fips 26 Jan 2017

openssl s_client -connect www.google.com:443
This works in FreeBSD. It gets stuck in Red Hat, but I guess it is not using the proxy. If I open Firefox (via VNC) running in the Red Hat machine, the connection to HTTPS sites like Google and GitHub works flawlessly.

RedHat:
WebUtils defaultProxyServer. "=> 'psproxy:3128'"

Red Hat: this gives the same error as before. Nothing interesting from setting 'debugLog'.
WebClient httpGet: 'https://google.com'

Red Hat: with this correction it all works:
self sslConnect: stream to: self serverName.

OK! There remains only FreeBSD/Linux emulation, which is a very rare platform.

@krono
Member

krono commented Aug 28, 2019

FreeBSD.

OK, I locally did openssl s_client -connect www.google.com:443
Can you please give the first ~20 lines of output?
Also, please give the output of openssl version -d.
I suspect that the Google Trusted Cert is not in your cert store…

RedHat.

Ok so we need to change that.

@krono
Member

krono commented Aug 28, 2019

Also: please give

ls -al $(openssl version -d | cut -d\" -f2)/cert*

@nmingotti
Author

OK, thank you for your help!

I ran the commands under /compat/linux/bin/bash, so they start the same way squeak.sh is started.
$> uname -a

Linux fbs-slacmac 2.6.32 FreeBSD 12.0-RELEASE r341666 GENERIC x86_64 x86_64 x86_64 GNU/Linux

$> openssl s_client -connect www.google.com:443 | cat -n

verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
     1  CONNECTED(00000003)
     2  ---
     3  Certificate chain
     4   0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
     5     i:C = US, O = Google Trust Services, CN = Google Internet Authority G3
     6   1 s:C = US, O = Google Trust Services, CN = Google Internet Authority G3
     7     i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
     8  ---
     9  Server certificate
    10  -----BEGIN CERTIFICATE-----
    11  MIIDzzCCAregAwIBAgIQTAKF/mTTiunPDZ51KWg/EzANBgkqhkiG9w0BAQsFADBU
    12  MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMSUw
    13  IwYDVQQDExxHb29nbGUgSW50ZXJuZXQgQXV0aG9yaXR5IEczMB4XDTE5MDcyOTE4
    14  NDMyMloXDTE5MTAyMTE4MjMwMFowaDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh
    15  bGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEzARBgNVBAoMCkdvb2ds
    16  ZSBMTEMxFzAVBgNVBAMMDnd3dy5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZI
    17  zj0DAQcDQgAELPYz+3+RbnpY3vzgq9yIVbLMDs0a4dZvPff4Q2qWkjqjscxL9bqx
    18  IfmqvVAeyZdFKKN4u5Dlq/7mWLQfvEtcU6OCAVIwggFOMBMGA1UdJQQMMAoGCCsG
    19  AQUFBwMBMA4GA1UdDwEB/wQEAwIHgDAZBgNVHREEEjAQgg53d3cuZ29vZ2xlLmNv
    20  bTBoBggrBgEFBQcBAQRcMFowLQYIKwYBBQUHMAKGIWh0dHA6Ly9wa2kuZ29vZy9n
...

$> /usr/bin/openssl version -d

OPENSSLDIR: "/etc/ssl"

$> ls -al $(openssl version -d | cut -d\" -f2)/cert*

lrwxrwxrwx 1 root wheel 16 Aug 17 10:58 /etc/ssl/certs -> ../pki/tls/certs

$> ls -la /etc/ssl/certs/

total 8K
drwxr-xr-x 2 root wheel 512 Aug 17 10:58 .
drwxr-xr-x 5 root wheel 512 Aug 17 10:58 ..
lrwxrwxrwx 1 root wheel  49 Aug 17 10:58 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx 1 root wheel  55 Aug 17 10:58 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

@krono
Member

krono commented Aug 29, 2019

That looks reasonable.

I have a suspicion that different versions of libssl might be available on the system.

Can you try a debug-vm? That should give you all the load paths.

PS: Have you tried on FreeBSD without LinuxEmulation?

@nmingotti
Author

nmingotti commented Aug 29, 2019

Well, I am just a beginner in Squeak ;)

I don't know how to run a debug-vm.

Unfortunately the package/port of Squeak for FreeBSD is quite old, release 4.1. So, when I started, a month ago, I decided a recent Linux version was preferable.

$> pkg search squeak
squeak-4.10.2_6                Full Smalltalk 80 with portability to Unix, Mac, and Windows

I can try to make a new package for FreeBSD, but I prefer to spend the time available on working with the language first.

Anyhow, I have run a syscall trace grepped on open. I see many files are not found. I am not an expert on this. Can you say which of the missing files are fundamental? Maybe /etc/pki/tls/cert.pem?

 $> truss -f squeak 2>&1  | grep open | cat -n | tee squeak-truss.txt
   747	30679: linux_open("/etc/hosts",0x80000,0666)	 = 9 (0x9)
   748	30679: linux_open("/usr/local/share/squeak/Squeak5.2-18229-64bit-201810190412-Linux/bin/SqueakSSL.so",0x80000,046130520) = 10 (0xa)
   749	30679: linux_open("/usr/lib/libssl.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   750	30679: linux_open("/usr/lib64/libssl.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   751	30679: linux_open("/usr/local/lib/tls/x86_64/libssl.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   752	30679: linux_open("/usr/local/lib/tls/libssl.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   753	30679: linux_open("/usr/local/lib/x86_64/libssl.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   754	30679: linux_open("/usr/local/lib/libssl.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   755	30679: linux_open("/etc/ld.so.cache",0x80000,01) = 10 (0xa)
   756	30679: linux_open("/lib64/tls/x86_64/libssl.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   757	30679: linux_open("/lib64/tls/libssl.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   758	30679: linux_open("/lib64/x86_64/libssl.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   759	30679: linux_open("/lib64/libssl.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   760	30679: linux_open("/usr/lib64/libssl.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   761	30679: linux_open("/usr/lib/libssl.so",0x80000,042521700) = 10 (0xa)
   762	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9540,0x90800,0x0) = 10 (0xa)
   763	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9540,0x90800,0x0) = 10 (0xa)
   764	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9540,0x90800,0x0) = 10 (0xa)
   765	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9540,0x90800,0x0) = 10 (0xa)
   766	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9540,0x90800,0x0) = 10 (0xa)
   767	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9500,0x90800,0x0) = 10 (0xa)
   768	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9540,0x90800,0x0) = 10 (0xa)
   769	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9540,0x90800,0x0) = 10 (0xa)
   770	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9540,0x90800,0x0) = 10 (0xa)
   771	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9540,0x90800,0x0) = 10 (0xa)
   772	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9540,0x90800,0x0) = 10 (0xa)
   773	30679: linux_open("/usr/lib/libssl.so.10",0x80000,042521700) = 10 (0xa)
   774	30679: linux_open("/usr/lib64/libssl.so.10",0x80000,042521700) = 10 (0xa)
   775	30679: linux_open("/usr/lib/libgssapi_krb5.so.2",0x80000,042531020) = 10 (0xa)
   776	30679: linux_open("/usr/lib64/libgssapi_krb5.so.2",0x80000,042531020) = 10 (0xa)
   777	30679: linux_open("/usr/lib/libkrb5.so.3",0x80000,042531020) = 10 (0xa)
   778	30679: linux_open("/usr/lib64/libkrb5.so.3",0x80000,042531020) = 10 (0xa)
   779	30679: linux_open("/usr/lib/libcom_err.so.2",0x80000,042531020) = 10 (0xa)
   780	30679: linux_open("/usr/lib64/libcom_err.so.2",0x80000,042531020) = 10 (0xa)
   781	30679: linux_open("/usr/lib/libk5crypto.so.3",0x80000,042531020) = 10 (0xa)
   782	30679: linux_open("/usr/lib64/libk5crypto.so.3",0x80000,042531020) = 10 (0xa)
   783	30679: linux_open("/usr/lib/libcrypto.so.10",0x80000,042531020) = 10 (0xa)
   784	30679: linux_open("/usr/lib64/libcrypto.so.10",0x80000,042531020) = 10 (0xa)
   785	30679: linux_open("/usr/lib/libz.so.1",0x80000,042531020) = 10 (0xa)
   786	30679: linux_open("/usr/lib64/libz.so.1",0x80000,042531020) = 10 (0xa)
   787	30679: linux_open("/usr/lib/libkrb5support.so.0",0x80000,042547440) = 10 (0xa)
   788	30679: linux_open("/usr/lib64/libkrb5support.so.0",0x80000,042547440) = 10 (0xa)
   789	30679: linux_open("/usr/lib/libkeyutils.so.1",0x80000,042547440) = 10 (0xa)
   790	30679: linux_open("/usr/lib64/libkeyutils.so.1",0x80000,042547440) = 10 (0xa)
   791	30679: linux_open("/usr/lib/libselinux.so.1",0x80000,042565400) = 10 (0xa)
   792	30679: linux_open("/usr/lib64/libselinux.so.1",0x80000,042565400) = 10 (0xa)
   793	30679: linux_open("/usr/lib/libpcre.so.1",0x80000,042572220) = 10 (0xa)
   794	30679: linux_open("/usr/lib64/libpcre.so.1",0x80000,042572220) = 10 (0xa)
   795	30679: linux_open("/proc/filesystems",0x0,0666)	 = 10 (0xa)
   796	30679: linux_open("/etc/pki/tls/legacy-settings",0x0,0666) ERR#-2 'No such file or directory'
   797	30679: linux_open("/usr/lib/libcrypto.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   798	30679: linux_open("/usr/lib64/libcrypto.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   799	30679: linux_open("/usr/local/lib/libcrypto.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   800	30679: linux_open("/etc/ld.so.cache",0x80000,01) = 10 (0xa)
   801	30679: linux_open("/lib64/libcrypto.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   802	30679: linux_open("/usr/lib64/libcrypto.so.1.0.0",0x80000,042521700) ERR#-2 'No such file or directory'
   803	30679: linux_open("/usr/lib/libcrypto.so",0x80000,042521700) = 10 (0xa)
   804	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9520,0x90800,0x0) = 10 (0xa)
   805	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9520,0x90800,0x0) = 10 (0xa)
   806	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9520,0x90800,0x0) = 10 (0xa)
   807	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9520,0x90800,0x0) = 10 (0xa)
   808	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9520,0x90800,0x0) = 10 (0xa)
   809	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc94e0,0x90800,0x0) = 10 (0xa)
   810	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9520,0x90800,0x0) = 10 (0xa)
   811	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9520,0x90800,0x0) = 10 (0xa)
   812	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9520,0x90800,0x0) = 10 (0xa)
   813	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9520,0x90800,0x0) = 10 (0xa)
   814	30679: linux_openat(0xffffffffffffff9c,0x7ffffffc9520,0x90800,0x0) = 10 (0xa)
   815	30679: linux_open("/dev/urandom",0x900,073727)	 = 10 (0xa)
   816	30679: linux_open("/etc/pki/tls/cert.pem",0x0,0666) ERR#-2 'No such file or directory'
   817	30679: linux_open("/usr/local/share/squeak/Squeak5.2-18229-64bit-201810190412-Linux/shared/SqueakDebug.log",0x2,037777777560) ERR#-2 'No such file or directory'
   818	30679: linux_open("/usr/local/share/squeak/Squeak5.2-18229-64bit-201810190412-Linux/shared/SqueakDebug.log",0xc2,0666) = 10 (0xa)

@nmingotti
Author

OK, I think I solved it.

I tried to change a lot of stuff, but the final kick was this:
In line 816 we see the file /etc/pki/tls/cert.pem is missing, from the linux_open syscall's point of view. That file is not really missing; it is a link to another missing file. I tried update-ca-certs as suggested by this page; nope, a lot of trouble.

So I copied the FreeBSD version of the same file there.
#> cp /etc/ssl/cert.pem /compat/linux/etc/pki/tls/

Restart Squeak; now HTTPS works, yeah!
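
Added editorial example, not the reporter's commands nor project code: a Python audit of the default OpenSSL verify locations, which is what the truss trace above exposed. The plugin logs "No root CA given; using default verify paths", so OpenSSL opens OPENSSLDIR/cert.pem and OPENSSLDIR/certs; Python exposes the same compiled-in paths through ssl.get_default_verify_paths(). open(2) reports a dangling symlink as ENOENT exactly like a missing file, which is why line 816 of the trace looked like a plain missing file. The directory layout and the placeholder bundle content are constructed; the capath check relies on OpenSSL's by-directory lookup needing subject-hash file names (eight hex digits plus .0, .1, ... for certificates, .r0 for CRLs), so a directory holding only ca-bundle.crt, as in the listing above, is not a usable capath.

```python
import os
import re
import ssl
import tempfile

# OpenSSL's by-directory lookup only finds files named <subject-hash>.<n>
# (certificates) or <subject-hash>.r<n> (CRLs); other files in capath are ignored.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.r?\d+$")


def classify_path(path: str) -> str:
    """Tell apart the cases that open(2) reports identically as ENOENT."""
    if os.path.islink(path):
        target = os.readlink(path)
        if os.path.exists(path):          # exists() follows the link
            return "ok (symlink -> %s)" % target
        return "dangling symlink -> %s" % target
    if os.path.isdir(path):
        return "ok (directory)"
    if os.path.isfile(path):
        return "ok"
    return "missing"


def audit_verify_paths(cafile: str, capath: str) -> dict:
    """Classify both default locations and decide whether OpenSSL would find
    any trust anchors at all through its default verify paths."""
    report = {"cafile": classify_path(cafile), "capath": classify_path(capath)}
    cafile_usable = os.path.isfile(cafile) and os.path.getsize(cafile) > 0
    capath_usable = os.path.isdir(capath) and any(
        HASHED_NAME.match(name) for name in os.listdir(capath))
    report["usable"] = cafile_usable or capath_usable
    return report


def audit_default_paths() -> dict:
    """Audit the locations compiled into the OpenSSL this interpreter links
    against (the same OPENSSLDIR that `openssl version -d` prints)."""
    paths = ssl.get_default_verify_paths()
    return audit_verify_paths(paths.openssl_cafile, paths.openssl_capath)


def build_broken_store(root: str) -> tuple:
    """Constructed reproduction of the /compat/linux layout from the thread:
    etc/pki/tls/cert.pem is a symlink whose target was never created."""
    tls_dir = os.path.join(root, "etc", "pki", "tls")
    os.makedirs(tls_dir)
    cafile = os.path.join(tls_dir, "cert.pem")
    os.symlink(os.path.join(root, "etc", "pki", "ca-trust", "extracted",
                            "pem", "tls-ca-bundle.pem"), cafile)
    return cafile, os.path.join(tls_dir, "certs")


def demo() -> tuple:
    """Audit the constructed broken store, repair it the way the reporter did
    (a real bundle file at cert.pem), and audit again. Returns both reports."""
    with tempfile.TemporaryDirectory() as root:
        cafile, capath = build_broken_store(root)
        before = audit_verify_paths(cafile, capath)
        os.unlink(cafile)                  # drop the dangling link ...
        with open(cafile, "w") as bundle:  # ... and put a real file in its place
            # Constructed placeholder; a real bundle holds PEM certificates.
            bundle.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n"
                         "-----END CERTIFICATE-----\n")
        after = audit_verify_paths(cafile, capath)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("broken store:", before)
    print("repaired    :", after)
    print("this host   :", audit_default_paths())
```

The last print is the one to run on a machine that reports "Invalid certificate (code 1)" with verify result 20: if neither location is usable, the plugin has no trust anchors to build the chain from, and the fix is to give OPENSSLDIR a real cert.pem or a hashed certs directory, not to skip verification.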

@krono
Member

krono commented Aug 29, 2019

That's great to hear!

Actually, that's why I asked for openssl version -d, which should be the respective directory...

I will see that the RedHat thing is fixed.

@nmingotti
Author

Thank you for the help, krono!
It was important for me to have this fixed.

bye
nicola

@krono
Member

krono commented Aug 29, 2019

Welcome!
