Reputation: 46800
I have a webserver, that I run a small side business on (www.trailmyx.com). Recently I began developing some basic SSL socket code (in C++) and I wrote a small test program that connects with OpenSSL and does an HTTP GET. I can use my client successfully against www.google.com on port 443 (or any other site) except my own.
When I attempt to SSL_get_verify_result(ssl) against my own server, I get back: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT.
Now, when I go to my web site in a browser (https://www.trailmyx.com) I can examine the cert and everything looks OK... It doesn't show up as self signed.
Similarly, when I use wget against my server I get the same self signed certificate error.
My gut feeling is that somehow my site is misconfigured, but if so, how can the browsers do it? Is there some other sequence of OpenSSL calls the browsers know to make?
Note: When wget against my server returns, it prints some information from the certificate. None of that information is valid (for example: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit). I strongly suspect that for some reason, under certain circumstances, apache is returning a self signed cert... but why? And how are the browsers doing it? BTW, curl works just fine.
Upvotes: 0
Views: 590
Reputation: 855
I've tried openssl s_client -connect www.trailmyx.com:443 -showcerts
and it indeed shows your certificate as self-signed:
Server certificate
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-97-74-119-124.ip.secureserver.net/[email protected]
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-97-74-119-124.ip.secureserver.net/[email protected]
Maybe your server is using Server Name Indication (SNI) to allow name-based virtual hosts in combination with SSL?
Update: My hunch was right: you need to use SNI and TLS in order for it to work. This command shows the expected certificate:
openssl s_client -connect www.trailmyx.com:443 -servername www.trailmyx.com -tls1
Upvotes: 5
Reputation: 54272
According to the documentation:
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
the passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates.
Which sounds to me like it could mean that it doesn't trust your CA. It's strange though since GoDaddy is old and trusted by just about everyone.
You could try running it against a different list of CAs with the -CAFile option.
EDIT: It's also possible you're missing an intermediate certificate. See this question. Basically if you have:
And you have A's certificate and your certificate, then you still need B's certificate for verification to work.
Upvotes: 0
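Putting both answers together in a client, as an added example that is not from the question or either answer: Python's ssl module wraps the same OpenSSL library, and the server_hostname= argument of wrap_socket() is what sends the SNI extension (the C API equivalent is SSL_set_tlsext_host_name()); the optional extra_cafile parameter plays the role of -CAfile for a missing intermediate. The sample certificate dict is constructed from the s_client output in the first answer.

```python
import socket
import ssl

# Short attribute names as OpenSSL prints them in its one-line subject/issuer format.
_SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
          "organizationName": "O", "organizationalUnitName": "OU", "commonName": "CN"}

# Constructed sample in getpeercert() layout, mirroring the default (self-signed)
# certificate the server hands out when the client sends no SNI.
SAMPLE_DEFAULT_CERT = {
    "subject": ((("countryName", "--"),), (("stateOrProvinceName", "SomeState"),),
                (("localityName", "SomeCity"),), (("organizationName", "SomeOrganization"),),
                (("organizationalUnitName", "SomeOrganizationalUnit"),),
                (("commonName", "ip-97-74-119-124.ip.secureserver.net"),)),
}
SAMPLE_DEFAULT_CERT["issuer"] = SAMPLE_DEFAULT_CERT["subject"]


def make_client_context(extra_cafile=None) -> ssl.SSLContext:
    """Verify the chain against the system CA store (CERT_REQUIRED) and check the hostname.

    extra_cafile: optional PEM bundle with a CA or intermediate the system store lacks
    (the same idea as openssl's -CAfile).
    """
    ctx = ssl.create_default_context()
    if extra_cafile:
        ctx.load_verify_locations(cafile=extra_cafile)
    return ctx


def oneline(name) -> str:
    """Render a getpeercert() name as OpenSSL's /C=..../CN=... one-liner."""
    return "".join(f"/{_SHORT.get(k, k)}={v}" for rdn in name for k, v in rdn)


def is_self_signed(cert: dict) -> bool:
    """Depth-zero self-signed cert: issuer is identical to subject."""
    return cert.get("subject") == cert.get("issuer")


def fetch_peer_cert(host: str, port: int = 443, extra_cafile=None) -> dict:
    """Connect with SNI set; raises ssl.SSLCertVerificationError if verification fails."""
    ctx = make_client_context(extra_cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        # server_hostname= sends the SNI extension; without it a name-based
        # virtual host answers with its default certificate, as seen in the question.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    cert = fetch_peer_cert("www.trailmyx.com")
    print("subject=" + oneline(cert["subject"]))
    print("self-signed:", is_self_signed(cert))
```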