How do I, a client, get a copy of an untrusted server certificate?


Sage Gerard

Apr 12, 2021, 9:20:25 AM
to Racket Users
When ssl-connect fails due to an untrusted certificate, this error is
raised:

ssl-connect: connect failed (error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed)

I'd like to give the user a more helpful error, like this:

Could not connect due to an untrusted certificate. In many cases, it is
not advisable to proceed. However, if you trust the server at
example.com, add /tmp/example.com.cert to your trusted certificates
using this guide: <guide link>

How can I get a copy of the offending certificate so that I can do this?

--
~slg


Ryan Culpepper

Apr 12, 2021, 10:16:14 AM
to Sage Gerard, Racket Users
Racket does not provide a way to do that.

You can use `openssl s_client -showcerts -connect host:port < /dev/null` to get the server's certificate chain in PEM form (with other logs around it). Of course, an attacker could intercept the connection and send you their CA certificate instead. It would be safer if example.com published their certificate in a (standardly) trusted location.

If you do something like this, consider mitigating the danger by having the user add the certificate to a separate location managed by your application rather than the OS trust store. You can extend the `ssl-default-verify-sources` parameter to point to a file containing additional root certificates.

Ryan
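
One way to apply the mitigation described in the reply above, shown as an added example that is not part of the original thread or of any project mentioned in it. The names `app-trust-file`, `make-app-client-context`, `connect-with-app-trust` and the `myapp` directory are hypothetical; the example assumes the failure message contains the "certificate verify failed" text quoted in the question.

```racket
#lang racket/base
;; Added example: keep extra root certificates in a file owned by the
;; application instead of adding them to the OS trust store.
(require openssl racket/string)

;; Hypothetical location of the application-managed PEM file.
(define app-trust-file
  (build-path (find-system-path 'pref-dir) "myapp" "trusted-certs.pem"))

;; Build a verifying client context whose roots are the default sources
;; plus the application's own file, when that file exists.
(define (make-app-client-context)
  (parameterize ([ssl-default-verify-sources
                  (if (file-exists? app-trust-file)
                      (cons app-trust-file (ssl-default-verify-sources))
                      (ssl-default-verify-sources))])
    (define ctx (ssl-make-client-context 'auto))
    (ssl-load-default-verify-sources! ctx) ; reads the parameter set above
    (ssl-set-verify! ctx #t)               ; reject chains that do not verify
    (ssl-set-verify-hostname! ctx #t)      ; certificate must match the host
    (ssl-seal-context! ctx)                ; later code cannot weaken this
    ctx))

;; True only for the verification failure quoted in the question.
(define (verify-failure? e)
  (and (exn:fail? e)
       (string-contains? (exn-message e) "certificate verify failed")))

;; Connect with verification on. A verification failure is re-raised with
;; guidance; the connection is never retried with verification disabled.
(define (connect-with-app-trust host port)
  (with-handlers ([verify-failure?
                   (lambda (e)
                     (error 'connect-with-app-trust
                            (string-append
                             "could not connect to ~a due to an unverified "
                             "certificate. Download the certificate from a "
                             "source your operating system trusts, then "
                             "append it to ~a. Original exception follows: ~a")
                            host app-trust-file (exn-message e)))])
    (ssl-connect host port (make-app-client-context))))
```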



Sage Gerard

Apr 12, 2021, 10:24:00 AM
to Racket Users

Understood, thank you. By "trusted location," do you mean a server with a certificate that operating systems already trust?

--
~slg

Ryan Culpepper

Apr 12, 2021, 10:43:59 AM
to Sage Gerard, Racket Users
Yes, that's right.

Ryan


Sage Gerard

Apr 12, 2021, 10:58:03 AM
to Racket Users

Ok, much appreciated. For those reading, I'm pivoting to this phrasing.

--

Could not connect to example.com due to an unverified certificate.

You can address this by downloading the certificate from a source your operating system trusts (to mitigate man-in-the-middle attacks), then adding the certificate to XIDEN_TRUST_CERTIFICATES. Original exception follows: ...

--
~slg