Intermediate SSL certificates


Jacques-Olivier Haché

Jan 25, 2017, 4:34:42 AM1/25/17
to discuss-webrtc
Hi,

I have an issue where libWEBRTC is failing to validate a certificate when trying to gather candidates from a specific TURNS server.
I believe it's because it can't find the intermediate certificate.

Here are the logs I can see:
OpenSSLAdapter::OnConnectEvent
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:error in SSLv3 read server hello A
SSL_connect:error in SSLv3 read server hello A
SSL_connect:SSLv3 read server hello A
Error with certificate at depth: 0
issuer  = /C=US/O=thawte, Inc./CN=thawte SSL CA - G2
subject = /C=US/ST=Colorado/L=DENVER/O=Ecovate, INC./CN=*.website.com
err     = 20:unable to get local issuer certificate
SSL3 alert write:fatal:unknown CA
SSL_connect:error in SSLv3 read server certificate B
Warning(openssladapter.cc:404): ContinueSSL -- error -1
Warning(openssladapter.cc:413): OpenSSLAdapter::Error(ContinueSSL, -1)

Questions:
  • Do all intermediate certificates have to be built into libWEBRTC, or can it fetch/validate them given the root cert ?
    In this case, the root of "thawte SSL CA - G2" is "thawte Primary Root CA", which I think is baked in libWEBRTC
  • If I need to add this certificate into the build, what is the right place to do that?
    I see certs in src/third_party/catapult/third_party/gsutil,
    in src/tools/swarming_client,
    in src/webrtc/base
    Which ones are actually used ?
Thanks and regards,
J-O

Philipp Hancke

Jan 25, 2017, 4:51:12 AM1/25/17
to discuss...@googlegroups.com
Is the TURN server sending the complete chain (w/o the root certificate)? Most of the time the issue with intermediate certificates is either
1/ the server software not using SSL_CTX_use_certificate_chain_file
2/ a configuration error where the intermediate certificates in the chain are not included in the file read by SSL_CTX_use_certificate_chain_file

  openssl s_client -connect server:port

should make it easy to debug, it shows the certificate chain sent by the server nicely.


2016, Temasys (www.temasys.io)

Jacques-Olivier Haché

Jan 25, 2017, 5:14:48 AM1/25/17
to discuss-webrtc
Hi

Yeah, openssl does return an incomplete chain.
I don't have access to this server myself, but I'll try to get it modified to send the whole chain.

Thanks for the quick answer :)