Lots of "unable to get local issuer certificate" warnings when pinging "https://" ressources. #16
Comments
|
Hi,
Thanks for the mail.
Just to be clear: this happens on OS X? Because I can add some #ifdefs here
and there then to resolve that issue.
regards
…On Sun, Mar 31, 2024 at 6:16 PM Wilhelm Loves Their Turtles < ***@***.***> wrote:
I'm getting a lot of "unable to get local issuer certificate" warnings
when pinging https resources:
$ ./httping https://someserver.foo.bar/
Auto enabling SSL due to https-URL
PING someserver.foo.bar:443 (/):
connected to 1.2.3.4:443 (194 bytes), seq=0 time=121,21 ms
SSL certificate validation failed: unable to get local issuer certificate
connected to 1.2.3.4:443 (194 bytes), seq=1 time=120,12 ms
SSL certificate validation failed: unable to get local issuer certificate
connected to 1.2.3.4:443 (194 bytes), seq=2 time=121,04 ms
SSL certificate validation failed: unable to get local issuer certificate
connected to 1.2.3.4:443 (194 bytes), seq=3 time=110,75 ms
SSL certificate validation failed: unable to get local issuer certificate
connected to 1.2.3.4:443 (194 bytes), seq=4 time=119,35 ms
SSL certificate validation failed: unable to get local issuer certificate
connected to 1.2.3.4:443 (194 bytes), seq=5 time=120,77 ms
…
I did a trace and noted that httping opens openssl libraries fine but
never loads any cert file (like curl or wget do which are linked against
the very same set of openssl libraries) from the trust stores.
$ sudo opensnoop -ve -n httping
STRTIME UID PID COMM FD ERR PATH
2024 Mar 31 17:29:07 501 5076 httping 3 0 .
2024 Mar 31 17:29:07 501 5076 httping 3 0 ***@***.***/lib/libssl.3.dylib
2024 Mar 31 17:29:07 501 5076 httping 3 0 ***@***.***/lib/libcrypto.3.dylib
2024 Mar 31 17:29:07 501 5076 httping 3 0 /usr/local/silo/fftw/latest/lib/libfftw3.3.dylib
2024 Mar 31 17:29:07 501 5076 httping 3 0 /usr/local/silo/gettext/latest/lib/libintl.8.dylib
2024 Mar 31 17:29:07 501 5076 httping 3 0 /usr/local/silo/libiconv/latest/lib/libiconv.2.dylib
2024 Mar 31 17:29:07 501 5076 httping 3 0 /dev/dtracehelper
2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/UTF-8/LC_COLLATE
2024 Mar 31 17:29:07 501 5076 httping 3 0 /usr/share/locale/UTF-8/LC_CTYPE
2024 Mar 31 17:29:07 501 5076 httping 3 0 /Volumes/Temporary/HTTPing-2.9
2024 Mar 31 17:29:07 501 5076 httping 3 0 /Volumes/Temporary/HTTPing-2.9
2024 Mar 31 17:29:07 501 5076 httping 3 0 /Volumes/Temporary/HTTPing-2.9/./httping
2024 Mar 31 17:29:07 501 5076 httping -1 2 /etc/.mdns_debug
2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_NUMERIC
2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/share/locale/de_DE/LC_NUMERIC
2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_TIME
2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/share/locale/de_DE/LC_TIME
2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_COLLATE
2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/share/locale/de_DE/LC_COLLATE
2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_MONETARY
2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/share/locale/de_DE/LC_MONETARY
2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_MESSAGES/LC_MESSAGES
2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en/LC_MESSAGES/LC_MESSAGES
2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/local/silo/httping/2.9/share/locale/en/LC_MESSAGES/httping.mo
2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/local/etc/openssl/openssl.cnf
2024 Mar 31 17:29:07 501 5076 httping 4 0 /dev/urandom
2024 Mar 31 17:29:07 501 5076 httping 5 0 /etc/localtime
2024 Mar 31 17:29:07 501 5076 httping 7 0 /usr/share/zoneinfo/UTC
It seems code in mssl.c in initialize_ctx() prevents the standard trust
store to be loaded, because it forces some unsuitable hard-coded "ca_path":
if (ca_path == NULL)#if defined(__NetBSD__)
ca_path = "/etc/openssl/certs";#else
ca_path = "/etc/ssl/certs";#endif
Neither do I run NetBSD, nor do I have "/etc/ssl/certs". I do have
"/usr/local/etc/openssl/cert.pem" and "/usr/local/etc/openssl/certs" here
though.
I do not know much about OpenSSL and its API, but I adjusted the code like
this:
#if 0
if (ca_path == NULL)#if defined(__NetBSD__)
ca_path = "/etc/openssl/certs";#else
ca_path = "/etc/ssl/certs";#endif#else
if (ca_path == NULL)
SSL_CTX_set_default_verify_paths(ctx);#endif
and now it seemingly works for me (no more errors). I do not know if the
above code is correct in any way, but as hotfix it does the trick.
On related note the regular dumping of the warnings entirely broke the
ncurses UI output. It seems the extra newline or something makes things go
wild:
[image: Screenshot]
<https://raw.githubusercontent.com/TurtleWilly/issues/master/httping.png>
------------------------------
HTTPing Version: 2.9 (release tarball)
OpenSSL Version: 3.1.1
OS: OS X 10.10.5 (Yosemite)
—
Reply to this email directly, view it on GitHub
<#16>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUN5IW5LEXJ23ZUEO5A3INDY3AZEZAVCNFSM6AAAAABFQRACT2VHI2DSMVQWIX3LMV43ASLTON2WKOZSGIYTOMBWGY3DGOA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
Yes, this is on an older OS X. Not sure adding more #ifdefs is a good thing? My path/ example may not agree with other Mac OS X/ OS X/ macOS users. For example they may run OpenSSL via MacPorts or Homebrew installations where paths may be different again. Hence my idea was to query OpenSSL for the path and let it decide what is right (e.g. also allow SSL_CERT_DIR/ SSL_CERT_FILE environment variables for overriding by the user) rather than hardcode anything. I just don't know if that |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm getting a lot of "unable to get local issuer certificate" warnings when pinging https resources:
I did a trace and noted that httping opens openssl libraries fine but never loads any cert file (like curl or wget do which are linked against the very same set of openssl libraries) from the trust stores.
$ sudo opensnoop -ve -n httping STRTIME UID PID COMM FD ERR PATH 2024 Mar 31 17:29:07 501 5076 httping 3 0 . 2024 Mar 31 17:29:07 501 5076 httping 3 0 /usr/local/silo/openssl/latest@3/lib/libssl.3.dylib 2024 Mar 31 17:29:07 501 5076 httping 3 0 /usr/local/silo/openssl/latest@3/lib/libcrypto.3.dylib 2024 Mar 31 17:29:07 501 5076 httping 3 0 /usr/local/silo/fftw/latest/lib/libfftw3.3.dylib 2024 Mar 31 17:29:07 501 5076 httping 3 0 /usr/local/silo/gettext/latest/lib/libintl.8.dylib 2024 Mar 31 17:29:07 501 5076 httping 3 0 /usr/local/silo/libiconv/latest/lib/libiconv.2.dylib 2024 Mar 31 17:29:07 501 5076 httping 3 0 /dev/dtracehelper 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/UTF-8/LC_COLLATE 2024 Mar 31 17:29:07 501 5076 httping 3 0 /usr/share/locale/UTF-8/LC_CTYPE 2024 Mar 31 17:29:07 501 5076 httping 3 0 /Volumes/Temporary/HTTPing-2.9 2024 Mar 31 17:29:07 501 5076 httping 3 0 /Volumes/Temporary/HTTPing-2.9 2024 Mar 31 17:29:07 501 5076 httping 3 0 /Volumes/Temporary/HTTPing-2.9/./httping 2024 Mar 31 17:29:07 501 5076 httping -1 2 /etc/.mdns_debug 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_NUMERIC 2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/share/locale/de_DE/LC_NUMERIC 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_TIME 2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/share/locale/de_DE/LC_TIME 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_COLLATE 2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/share/locale/de_DE/LC_COLLATE 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_MONETARY 2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/share/locale/de_DE/LC_MONETARY 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_MESSAGES/LC_MESSAGES 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en/LC_MESSAGES/LC_MESSAGES 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/local/silo/httping/2.9/share/locale/en/LC_MESSAGES/httping.mo 2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/local/etc/openssl/openssl.cnf 2024 Mar 31 17:29:07 501 5076 httping 4 0 /dev/urandom 2024 Mar 31 17:29:07 501 5076 httping 5 0 /etc/localtime 2024 Mar 31 17:29:07 501 5076 httping 7 0 /usr/share/zoneinfo/UTCIt seems code in
mssl.cininitialize_ctx()prevents the standard trust store to be loaded, because it forces some unsuitable hard-coded "ca_path":Neither do I run NetBSD, nor do I have "/etc/ssl/certs". I do have "/usr/local/etc/openssl/cert.pem" and "/usr/local/etc/openssl/certs" here though.
I do not know much about OpenSSL and its API, but I adjusted the code like this:
and now it seemingly works for me (no more errors). I do not know if the above code is correct in any way, but as hotfix it does the trick.
On related note the regular dumping of the warnings entirely broke the ncurses UI output. It seems the extra newline or something makes things go wild:
HTTPing Version: 2.9 (release tarball)
OpenSSL Version: 3.1.1
OS: OS X 10.10.5 (Yosemite)
The text was updated successfully, but these errors were encountered: