I was having a good morning. I got to work on time and had a cup of coffee.
The world was good.
Then I see this:
Downloading: https://zlib.net/fossils/zlib-1.2.11.tar.gz
javax.net.ssl.SSLException: hostname in certificate didn't match: <zlib.net> != <amanekaneko.com> OR <amanekaneko.com> OR <cpanel.amanekaneko.com> OR <mail.amanekaneko.com> OR <webdisk.amanekaneko.com> OR <webmail.amanekaneko.com> OR <www.amanekaneko.com>
Browsing amanekaneko.com is fascinating, to say the least.
me@:~/certs$ wget https://zlib.net/fossils/zlib-1.2.11.tar.gz
--2017-10-26 12:20:05-- https://zlib.net/fossils/zlib-1.2.11.tar.gz
Resolving zlib.net... 69.73.182.198
Connecting to zlib.net|69.73.182.198|:443... connected.
ERROR: certificate common name `amanekaneko.com' doesn't match requested host name `zlib.net'.
To connect to zlib.net insecurely, use `--no-check-certificate'.
What?!
I see the same across a bunch of build systems. ffs.
Maybe it is the firewall doing something weird.
Nope.
me@:/etc/ssl/certs$ openssl version -a
OpenSSL 0.9.8k 25 Mar 2009
built on: Thu Mar 19 15:32:30 UTC 2015
platform: debian-i386-i686/cmov
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -march=i686 -Wa,--noexecstack -g -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/usr/lib/ssl"
All certs are here: /etc/ssl/certs
All symlinked to: /usr/share/ca-certificates/
$JAVA_HOME/lib/security/cacerts is the same.
SSL_CERT_FILE:/etc/ssl/certs/ca-certificates.crt
openssl
apt-get install --reinstall openssl
apt-get install --reinstall ca-certificates
cd /usr/lib/ssl/certs
c_rehash
yet.
me@:~$ openssl s_client -connect zlib.net:443
CONNECTED(00000003)
depth=2 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
I need the /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority certificate.
It is present. Very present.
But.
me@:~$ openssl s_client -CApath /etc/ssl/certs/ -connect zlib.net:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > zlibnet.pem
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=2 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
verify return:1
depth=1 /C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
verify return:1
depth=0 /CN=amanekaneko.com
verify return:1
DONE
cat the output and, yep, the PEM is pem-a-licious.
me@:~$ sudo cp zlibnet.pem /usr/lib/ssl/certs
me@:~$ wget https://zlib.net/fossils/zlib-1.2.11.tar.gz
--2017-10-26 12:15:48-- https://zlib.net/fossils/zlib-1.2.11.tar.gz
Resolving zlib.net... 69.73.182.198
Connecting to zlib.net|69.73.182.198|:443... connected.
ERROR: certificate common name `amanekaneko.com' doesn't match requested host name `zlib.net'.
To connect to zlib.net insecurely, use `--no-check-certificate'.
Nope. Weird. Well, that's new. Let's see what happens if we specify the cert dir.
me@:~$ wget https://zlib.net/fossils/zlib-1.2.11.tar.gz --ca-certificate=/usr/lib/ssl/certs
--2017-10-26 12:15:48-- https://zlib.net/fossils/zlib-1.2.11.tar.gz
Resolving zlib.net... 69.73.182.198
Connecting to zlib.net|69.73.182.198|:443... connected.
ERROR: certificate common name `amanekaneko.com' doesn't match requested host name `zlib.net'.
To connect to zlib.net insecurely, use `--no-check-certificate'.
No? So: certificate common name doesn't match requested host name. Why?
OpenSSL is too old.
OpenSSL 0.9.8k 25 Mar 2009 <- too old
me@:~$ wget https://zlib.net/fossils/zlib-1.2.11.tar.gz --no-check-certificate
me@:~$ curl https://zlib.net/fossils/zlib-1.2.11.tar.gz --insecure
or
curl -L --remote-name https://zlib.net/fossils/zlib-1.2.11.tar.gz
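An added check, not part of the original post: a chain that verifies fine but carries another site's name is what a shared host hands back when the client sends no Server Name Indication (old OpenSSL builds and old wget/curl releases did not), so the thing worth testing before reaching for --no-check-certificate is whether the names differ with and without SNI. The script below is mine, not the author's: it reads the names off the certificate the server presents each way and applies the RFC 6125 style matching rule wget is enforcing; the name lists in the comments and the test are constructed from the output above, and `fetch_cert_names` needs network access.

```python
import socket
import ssl


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Certificate-name match in the style of RFC 6125: case-insensitive,
    and a single '*' may stand in for the whole left-most label only."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in p_labels:
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def any_name_matches(cert_names, hostname: str) -> bool:
    return any(dnsname_matches(n, hostname) for n in cert_names)


def cert_dns_names(cert: dict) -> list:
    """SAN DNS entries first, then the subject CN (the fallback that old
    clients such as the wget above still rely on)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names


def fetch_cert_names(host: str, port: int = 443, send_sni: bool = True):
    """Names on the certificate the server presents with or without SNI.
    Chain validation stays on so getpeercert() is populated; only the
    hostname check is turned off, because that check is what is under test."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if send_sni else None) as tls:
            return cert_dns_names(tls.getpeercert())


def diagnose(hostname: str, names_without_sni, names_with_sni) -> str:
    """'needs-sni' reproduces the post: the default certificate (e.g. the
    constructed list ['amanekaneko.com', 'www.amanekaneko.com']) fails the
    name check for 'zlib.net' while the SNI-selected certificate passes."""
    if any_name_matches(names_without_sni, hostname):
        return "ok-without-sni"
    if any_name_matches(names_with_sni, hostname):
        return "needs-sni"
    return "mismatch"


if __name__ == "__main__":
    host = "zlib.net"  # constructed: the host from the post
    print(diagnose(host, fetch_cert_names(host, send_sni=False), fetch_cert_names(host)))
```

A result of "needs-sni" means the server and its certificate are fine and the client is the problem, which is a newer wget/curl/OpenSSL rather than --no-check-certificate.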
Thursday, October 26, 2017
OpenSSL is too old. Of course.