Openssl problem

Paul Schmehl pschmehl_lists at
Sun Nov 12 20:06:32 UTC 2017

Since openssl is now in base, I hope this is the appropriate list for these 

I'm running FreeBSD 10.3-RELEASE with # openssl version
OpenSSL 1.0.1s-freebsd  1 Mar 2016

This is the FreeBSD base version of openssl, not the ports version. I have 
ssh access to the server and can sudo to root.

Please note: In the error messages below, I have removed some of the 
pathing so as not to reveal the exact locations on the server.

I have two problems.

When I use https with an rss reader module in Joomla, I get this error: 
Warning: fopen(): SSL operation failed with code 1. OpenSSL Error messages: 
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify 
failed in /Sites/ on line 
335 Warning: fopen(): Failed to enable crypto in 
/Sites/ on line 335 
Warning: fopen( failed to open stream: 
operation failed in 
/Sites/ on line 335

I've worked around this problem by not forcing https on the blog. That way 
the module can read the rss feed without encryption. The blog works without 
SSL and with SSL, and I force SSL for logins.

I had someone test the feed from a different server, and it worked fine 
with SSL, so the problem appears to be isolated to this server.

The second problem occurs when I try to run some commandline python 
scripts, I get this error: requests.exceptions.ConnectionError: 
HTTPSConnectionPool(host='', port=443): Max retries exceeded 
with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL 
routines', 'ssl3_get_server_certificate', 'certificate verify 
<class 'requests.exceptions.ConnectionError'>

Both of them appear to be related to how openssl handles ssl sessions.

Even more confusing, if I verify the cert from the commandline, openssl 
says it's OK.
openssl verify -untrusted STAR_vvfh_org.crt
STAR_vvfh_org.crt: OK

If I verify the cert without the chain, I get an error:
openssl verify STAR_vvfh_org.crt
STAR_vvfh_org.crt: OU = Domain Control Validated, OU = PositiveSSL 
Wildcard, CN = *
error 20 at 0 depth lookup:unable to get local issuer certificate

This is my apache (2.4) config:
 # Enable SSL
    SSLEngine On
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCertificateFile /webcerts/STAR_vvfh_org.crt
    SSLCertificateKeyFile /webcerts/

I've been working around the problem, but I'd like to figure it out and get 
it fixed.

Paul Schmehl, Retired
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

More information about the freebsd-questions mailing list