Hi Jakub,
While working on the OpenSSL 1.1 integration, I've stumbled over this issue with the SNI server test ext/openssl/tests/sni_server.phpt, which fails with
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
I debugged through it, and in the end it turns out that the test CA is likely not compatible with the latest OpenSSL, at least with the vanilla build with the default options. I use the default OpenSSL build with static engines, as usual. It excludes quite a bit of weak functionality, so I guess we have no actual bug. Please also see the checks I made with the console tool:
C:\php-sdk\php71\vc14\x64\php-src
$ openssl version
OpenSSL 1.0.2k 26 Jan 2017
C:\php-sdk\php71\vc14\x64\php-src
$ openssl.exe verify -CAfile ext\openssl\tests\sni_server_ca.pem ext\openssl\tests\sni_server_domain1.pem
ext\openssl\tests\sni_server_domain1.pem: OK
On master with OpenSSL 1.1, however, the CA seems to be invalid:
C:\php-sdk\phpmaster\vc15\x64\php-src
$ openssl version
OpenSSL 1.1.0e 16 Feb 2017
C:\php-sdk\phpmaster\vc15\x64\php-src
$ openssl verify -CAfile ext\openssl\tests\sni_server_ca.pem ext\openssl\tests\sni_server_domain1.pem
C = US, ST = SC, L = Myrtle Beach, O = php.tests subordinate, CN = php.tests.subordinate
error 24 at 1 depth lookup: invalid CA certificate
error ext\openssl\tests\sni_server_domain1.pem: verification failed
As mentioned, there's likely no bug, but I think it would not be bad to double-check this test. A fix could be to just produce other keys and a CA with stronger dependency. I have currently added a skip to the aforementioned test in master, mainly because I'm about to switch AppVeyor to newer deps and vc15 and the test was producing failures all the time. I'm also not sure which OpenSSL version Travis currently runs, but I had this test failing on Linux with the vanilla OpenSSL 1.1 build as well.
Thanks
Anatol
Hi Anatol,
Yep, I have been looking a little bit, and it really seems that it is about
the CA cert and that OpenSSL 1.1 is a bit more strict about verification of it.
IIRC it was failing on the extension part when I was quickly debugging it. When
I check the purpose using
$ openssl x509 -in sni_server_ca.pem -purpose
then it is visible that the cert is not a server CA, which it should probably
be, but I'm not sure if that's the reason. I think we will need to use a
different cert for that test. I have got it on my todo list, so hopefully I
will add something more sensible that works soon, unless you want to do it.
Until then the skip is fine ;)
Cheers
Jakub
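As an added worked example (not the PHP project's test data and not code from either author), the script below builds a small test PKI with the openssl CLI and runs both checks mentioned in the thread, `openssl x509 -purpose` and `openssl verify`, against a deliberately defective subordinate CA and a corrected one. A subordinate that carries neither basicConstraints CA:TRUE nor a keyUsage with keyCertSign is rated "not a CA" by X509_check_ca(), so `-purpose` prints "SSL server CA : No" and `verify` reports error 24 (X509_V_ERR_INVALID_CA) at depth 1, the same error class as in the sni_server test; whether the PHP test CA had exactly this defect is not established in the thread. On my reading of x509_vfy.c, OpenSSL 1.0.2 ran these extension checks only over the untrusted part of the chain, so a defective subordinate loaded from the -CAfile trust store was never inspected, while 1.1.0 checks every certificate in the chain, which would explain why the same test data passes on 1.0.2 and fails on 1.1. Subject names, the hostname and the file names are constructed for the example; it assumes OpenSSL 1.1 or later on the PATH and skips if no openssl binary is found.

```shell
#!/bin/sh
# Added example (not the PHP project's test data or OpenSSL's own code).
# Builds a root CA, a deliberately defective subordinate CA and a corrected one,
# then runs the two checks from the thread against each:
# `openssl x509 -purpose` and `openssl verify`. Assumes OpenSSL 1.1+ on PATH.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# Root CA: basicConstraints CA:TRUE plus keyCertSign is what X509_check_ca() rates as a CA.
cat > root.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# Defective subordinate: no basicConstraints and no keyUsage. X509_check_ca() returns 0,
# so `-purpose` prints "SSL server CA : No" and chain checks raise error 24 (X509_V_ERR_INVALID_CA).
cat > sub_bad.ext <<'EOF'
subjectKeyIdentifier = hash
EOF
# Corrected subordinate: same profile as the root, path length limited to 0.
cat > sub_good.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
# End-entity server certificate (the hostname is a constructed placeholder).
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:domain1.example.test
authorityKeyIdentifier = keyid
EOF

# issue NAME SUBJECT EXTFILE [ISSUER]: self-signed when ISSUER is omitted.
issue() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -config req.cnf -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
    if [ $# -lt 4 ]; then
        openssl x509 -req -sha256 -days 30 -in "$1.csr" -signkey "$1.key" \
            -extfile "$3" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -sha256 -days 30 -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
            -CAcreateserial -extfile "$3" -out "$1.pem" 2>/dev/null
    fi
}

issue root      "/O=Example Test PKI/CN=Test Root"                       root.ext
issue sub_bad   "/O=Example Test PKI/CN=Test Sub without CA extensions"  sub_bad.ext  root
issue sub_good  "/O=Example Test PKI/CN=Test Sub"                        sub_good.ext root
issue leaf_bad  "/O=Example Test PKI/CN=domain1.example.test"            leaf.ext     sub_bad
issue leaf_good "/O=Example Test PKI/CN=domain1.example.test"            leaf.ext     sub_good

# CA bundles in the shape the PHP test uses: root and subordinate together in one -CAfile.
cat root.pem sub_bad.pem  > ca_bad.pem
cat root.pem sub_good.pem > ca_good.pem

# server_ca_purpose NAME: the "SSL server CA" verdict from `openssl x509 -purpose`.
server_ca_purpose() {
    openssl x509 -in "$1.pem" -noout -purpose | sed -n 's/^SSL server CA : //p'
}

# verify_chain CAFILE LEAF: "OK", or the "error N at D depth lookup" line from openssl verify.
verify_chain() {
    if out=$(openssl verify -CAfile "$1.pem" "$2.pem" 2>&1); then
        echo OK
    else
        line=$(printf '%s\n' "$out" | grep -o 'error [0-9]* at [0-9]* depth lookup' | head -n 1)
        printf '%s\n' "${line:-$out}"
    fi
}

echo "root     SSL server CA: $(server_ca_purpose root)"
echo "sub_bad  SSL server CA: $(server_ca_purpose sub_bad)"
echo "sub_good SSL server CA: $(server_ca_purpose sub_good)"
echo "bad chain : $(verify_chain ca_bad leaf_bad)"
echo "good chain: $(verify_chain ca_good leaf_good)"
```

Regenerating the test material with extension profiles like root.ext and sub_good.ext (and 2048-bit or larger keys) is the "produce other keys and a CA" route suggested above; checking the replacement CA with `openssl x509 -noout -purpose` before committing it catches the "SSL server CA : No" case without having to run the whole phpt.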
Hi Jakub,
-----Original Message-----
From: jakub.php@gmail.com [mailto:jakub.php@gmail.com] On Behalf Of Jakub Zelenka
Sent: Thursday, March 23, 2017 9:19 PM
To: Anatol Belski ab@php.net
Cc: PHP internals list internals@lists.php.net
Subject: Re: OpenSSL 1.1 test keys
Thanks for the confirmation. Linking Daniel as well as the patch author. I'd prefer you guys to take care of the new test data; that's probably the most reliable way to do it :)
Thanks
Anatol