Comments (4)
Weird... I get "Certificate is NOT Trusted" on Ubuntu and Windows.
Are you using the Mac's default OpenSSL library or did you build your own?
I know that Apple has changed the OpenSSL library that comes with Mac OS X to
automatically use Apple's trust store whenever an SSL connection is made (!!).
However it doesn't seem like CACert is part of that trust store anyway
(http://wiki.cacert.org/InclusionStatus). I'll investigate; thanks for the
feedback.
Original comment by [email protected]
on 28 Mar 2012 at 5:21
- Changed state: Accepted
from sslyze.
I'm using the default Python, so I guess that will be the Apple OpenSSL library.
If you want to validate with the Mozilla CA store only, you probably need to
explicitly disable built-in trust anchors. It would be quite useful if sslyze
could report trust with the default OS CA store and Mozilla independently.
Original comment by [email protected]
on 28 Mar 2012 at 7:00
Yeah default trust stores should definitely be disabled as the current result
is misleading and wrong. That's something I'll fix.
Validating the server cert against the OS store seems a bit annoying to
implement. The location of the OS's CA store will be quite specific to the OS
(and it also changes between Linux distros I think). Writing specific cases for
each platform and OS would be too much work and I don't think it's a feature
that lots of users will want to have?
Original comment by [email protected]
on 29 Mar 2012 at 2:16
Turns out there's not much I can do. Apple patched/hacked the OpenSSL lib that
ships with Snow Leopard. They changed X509_verify_cert() to automatically fall
back to the OS trust store if the cert verification failed. This is an issue of
Snow Leopard, and it would not be trivial to "fix" it within SSLyze.
Relevant links:
http://bugs.ruby-lang.org/issues/3150
http://www.opensource.apple.com/source/OpenSSL098/OpenSSL098-27/src/crypto/x509/x509_vfy_apple.h
Original comment by [email protected]
on 7 Apr 2012 at 11:58
- Changed state: WontFix