1

I have a self-signed certificate (and CA) created on a Mac using OpenSSL 0.9.8zc. I use the certificate to secure connection to my svn server. With the latest OS X update, OpenSSL was updated to 0.9.8zd. Now I cannot connect to my server, I get "certificate verify failed" from svn.

Using openssl verify:

openssl verify -CAfile ~/Desktop/Certificates.pem -check_ss_sig  ~/Downloads/svn.pem

I get 

~/Downloads/svn.pem: /CN=My Open Directory Certification Authority/O=Me/OU=MACOSX OpenDirectory Root CA/emailAddress=webmaster@me
error 7 at 2 depth lookup:certificate signature failure

It looks like the signature of my CA is now considered "broken". My questions:

  1. How can I investigate further to figure out what is "broken" exactly about my certificate, so I do not repeat this mistake?

  2. Is there a way to fix this short of reissuing every certificate starting with CA?

Improve this question

3 Answers 3

Reset to default
1

It seems this is a problem with Certificate Assistant producing subtly malformed certificates that the new tighter checks of openssl 0.9.8zd reject. This comes from a discussion at openssl.org 1

It includes at the end a python script to fix a .pem certificate which I managed to use successfully, I quote it in case the link is broken...

from pyasn1.codec.der import decoder, encoder   
from pyasn1_modules import pem, rfc2459

cert_der = pem.readPemFromFile(open("RabbitMQ_Test.pem", "r"))
        cert, _ = decoder.decode(cert_der, asn1Spec=rfc2459.Certificate())

cert.setComponentByName("signatureAlgorithm",
                                cert.getComponentByName("tbsCertificate").
                                getComponentByName("signature"))

fixed_cert_pem = open("RabbitMQ_Test_Fixed.pem", "w")
fixed_cert_pem.write("-----BEGIN CERTIFICATE-----\n")
fixed_cert_pem.write(encoder.encode(cert).encode("base64"))
fixed_cert_pem.write("-----END CERTIFICATE-----\n")
fixed_cert_pem.close()
Improve this answer
1
  • Yes, it looks like a fix. I ran both the Certificate chain pem file and the svn certificate through the script and the final openssl verify test went through without errors. So it seems that OS X utility generates certificates with mismatched signature algorithm names in TBS and the signature. Now, I need to see if I can get OS X Server OD to accept the corrected certificate.
    – Anton
    Commented Apr 16, 2015 at 19:56
0

If you're on OS X 10.10.3 and this just started happening:

NB: This is a temporary workaround, it seems like the problem is further upstream

I suddenly started having this error appear as a result of upgrading OSX to 10.10.3 - as you said, it seems that the break is caused by the new version of OpenSSL (0.9.8zd) they have included.

As a workaround until we get to the bottom if this, I made use of homebrew's OpenSSL package - 

$ brew update
$ brew install openssl
$ brew link openssl --force

you might also need to update stale certs, which with rvm is just a case of running 

$ rvm osx-ssl-certs update all

But by the sound of it you know what you're doing there

It's also worth noting that homebrew recommends against linking openssl, so once this is sorted out upstream you will probably want to run this to clean up the mess we made: 

$ brew unlink openssl
Improve this answer
5
  • Thank you. but I'm not sure I want to downgrade OpenSSL. I'm also not sure that this going to be fixed upstream. From the description of OpenSSL changes, they did introduce some fixes that made the certificate validation more strict and this is a good thing. And, these changes stay in the following versions of OpenSSL.
    – Anton
    Commented Apr 14, 2015 at 6:13
  • openssl installed by homebrew is OpenSSL 1.0.2a 19 Mar 2015. the version installed by OS X is 0.9.8zd.
    – abradner
    Commented Apr 15, 2015 at 2:09
  • I see, you are suggesting to upgrade. I misunderstood. But my certificate would still be "broken", would it not?
    – Anton
    Commented Apr 16, 2015 at 4:33
  • That i'm not sure. unlinking and/or uninstalling the homebrew openssl after you experiment will put your system back in its existing state.
    – abradner
    Commented Apr 16, 2015 at 6:06
  • Also i'm finding that multiple apps (like ruby) aren't finding the new ssl ca file which seems to be the root of my problem. can you try something - can you specify a different ca file before running your script? eg SSL_CERT_FILE=/Library/Caches/Homebrew/openssl--Equifax_CA-Secure.pem <command> In that example I'm using the pem file that is installed when I install homebrew openssl, but you can probably use any valid ca pem.
    – abradner
    Commented Apr 16, 2015 at 6:10
0

I had a similar problem when trying to connect to an Apache server running on 10.10.3 using client & server certificates. The python script worked on the SSL server certificate for Apache to use, but Safari still couldn't connect to the server using the client certificate in the keychain; the Apache server was rejecting the client certificate.

I had to export the client certificate, use the python script on it, and import it back into the keychain to replace the original.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .