Forum Bugs

Certificate validation on EV wildcard domain

Jeroen Pulles
Hi,

I'm having trouble with downloading resources (stylesheet etc) from an HTTPS site that is using an EV wildcard certificate. A simple curl works, with the verbose option turned on, it says:

"subjectAltName: blah.domain matched"
...
"* SSL certificate verify ok."

Prince complains, however:

prince: https://blah.domain/style.css: warning: server certificate verification failed. CAfile: /usr/lib/prince/etc/curl-ca-bundle.crt CRLfile: none

I also tried curl with the prince-bundled crt file; that also works.

I tried prince with the system bundle; that doesn't work either.

I tried wget but that doesn't seem to tell anything about certificate validation.

kind regards,
Jeroen

---
jeroenp@host:~$ ldd /usr/lib/prince/bin/prince | egrep 'ssl|tls|cryp'
libcurl-gnutls.so.4 => /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4
libgcrypt.so.11 => /lib/x86_64-linux-gnu/libgcrypt.so.11
libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26
libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3
libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1

jeroen@host:~$ curl --version
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
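The curl line "subjectAltName: blah.domain matched" quoted above is the output of the hostname check: after the chain is validated against the CA bundle, the client compares the requested host name against the certificate's subjectAltName entries, and a wildcard entry such as *.example.com is what makes an EV wildcard certificate cover blah.example.com. The following is an added example, not code from the thread or from Prince, that implements that comparison the way curl and OpenSSL do (wildcard only as the whole leftmost label, at least two labels after it, one label covered, IP literals matched only against "IP Address" entries); the SAN lists and host names in it are constructed, and it does nothing about the other half of verification, the chain check against the CAfile that Prince's warning refers to.

```python
"""Hostname-vs-subjectAltName matching, the check behind curl's
"subjectAltName: ... matched" verbose line (added example, not Prince code)."""
import ipaddress
from typing import Iterable, Optional, Tuple

# SAN entries in the shape ssl.getpeercert()["subjectAltName"] returns them:
# a sequence of (type, value) pairs, e.g. ("DNS", "*.example.com").
SanList = Iterable[Tuple[str, str]]


def _normalise(name: str) -> str:
    # DNS names are case-insensitive, and a trailing dot is just the fully
    # qualified spelling of the same name.
    return name.rstrip(".").lower()


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry (possibly a wildcard) against a host name."""
    pattern = _normalise(pattern)
    hostname = _normalise(hostname)
    if "*" not in pattern:
        return pattern == hostname

    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # The wildcard must be the entire leftmost label: "*.example.com" is
    # accepted; "w*.example.com", "www.*.com" and a bare "*" are not.
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False
    # Require at least two labels after the wildcard ("*.example.com", never
    # "*.com"), as curl and OpenSSL do, so a wildcard cannot span a TLD.
    if len(plabels) < 3:
        return False
    # A wildcard covers exactly one label: "*.example.com" matches
    # "www.example.com" but neither "a.b.example.com" nor "example.com".
    if len(hlabels) != len(plabels):
        return False
    return hlabels[1:] == plabels[1:]


def match_hostname(hostname: str, san: SanList) -> Optional[str]:
    """Return the SAN value that matches hostname, or None when the name check
    would fail.  Only subjectAltName is consulted; the certificate's Common
    Name is ignored, as current clients do."""
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            # An IP literal must equal an "IP Address" entry and must never be
            # matched by a DNS entry, wildcard or not.
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return value
                except ValueError:
                    continue
        elif kind == "DNS" and _dns_pattern_matches(value, hostname):
            return value
    return None


if __name__ == "__main__":
    # Constructed SAN list standing in for an EV wildcard certificate.
    san = [("DNS", "*.example.com"), ("DNS", "example.com"),
           ("IP Address", "127.0.0.1")]
    for host in ("www.example.com", "a.b.example.com", "example.com",
                 "127.0.0.1", "evil.com"):
        hit = match_hostname(host, san)
        print(f"{host:20} -> {'matched ' + hit if hit else 'NO MATCH'}")
```

Run it stand-alone to see which constructed host names the wildcard entry covers; when debugging a failure like the one in this thread, compare the client's own verbose output for the two halves separately, since a chain rejected against the CAfile and a host name rejected against the SAN list produce different messages.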
mikeday
Which Linux distribution are you running Prince on, and which Prince package did you install? It looks like Prince is using libcurl with GnuTLS, while curl itself is using OpenSSL?
Jeroen Pulles
Yes, that's what I noticed; not sure why.

It's the prince_9.0-5_ubuntu14.04_amd64.deb package installed on a 14.04 Ubuntu.

--
jeroen@host:~$ dpkg -l | egrep 'ssl|gnutls|prince'
ii libcurl3-gnutls:amd64 7.35.0-1ubuntu2 amd64 easy-to-use client-side URL transfer library (GnuTLS flavour)
ii libgnutls-openssl27:amd64 2.12.23-12ubuntu2.1 amd64 GNU TLS library - OpenSSL wrapper
ii libgnutls26:amd64 2.12.23-12ubuntu2.1 amd64 GNU TLS library - runtime library
ii libssl1.0.0:amd64 1.0.1f-1ubuntu2.5 amd64 Secure Sockets Layer toolkit - shared libraries
ii openssl 1.0.1f-1ubuntu2.5 amd64 Secure Sockets Layer toolkit - cryptographic utility
ii prince 9.0-5 amd64 formatter for converting XML and HTML into PDF
ii python-openssl 0.13-2ubuntu6 amd64 Python 2 wrapper around the OpenSSL library
ii rsyslog-gnutls 7.4.4-1ubuntu2.1 amd64 TLS protocol support for rsyslog
Jeroen Pulles
It's the Ubuntu 14.04 Server edition, by the way, which is a fairly minimal install.

The gnutls packages may have only been installed because I'm using rsyslog-gnutls; I'm not sure if they're in the base install of 14.04 Server.
Jeroen Pulles
No complaints with the static build.

(I would prefer a version that uses the system supplied SSL library, that makes it easier to stay up-to-date.)
mikeday
We will need to do some further investigation. libcurl seems to have GnuTLS and OpenSSL variants available, and perhaps installed by default? I'm not sure which one is used preferentially when both are installed.
mikeday
We have fixed this issue in the latest alpha version, by linking preferentially with the libcurl library that uses OpenSSL, not GnuTLS.
marknijhof
Hi Mike,

I am running some tests with the PrinceXML toolkit on my local machine and I am running into issues with self-signed certs. I just downloaded the latest alpha:

(master) > prince --version
Prince 20150210
Copyright 2002-2015 YesLogic Pty. Ltd.

But I am still getting the following error:

prince https://localhost:8080/generated/b6669ad8-bbaf-11e4-bdd8-040ccee148d6/00000024.html -o test.pdf
prince: https://localhost:8080/generated/b6669ad8-bbaf-11e4-bdd8-040ccee148d6/00000024.html: error: SSL certificate problem: self signed certificate
prince: https://localhost:8080/generated/b6669ad8-bbaf-11e4-bdd8-040ccee148d6/00000024.html: error: could not load input file
prince: error: no input documents to process

Is there a setting that I should use? For now I'll just disable SSL, but it would be nice to be able to test these things on our local machines.

-Mark

mikeday
Does curl work on the same URL? Prince uses libcurl, so it should be consistent.
marknijhof
Only with the --insecure option
mikeday
The curl documentation describes how to support self-signed certificates under Certificate Verification. Looks like you either need --insecure, or you need to update the CA cert bundle (that Prince also uses).
marknijhof
I will look at fixing our local cert :) (I missed the insecure option in the documentation, good to know it is there though)

Thanks