Azure / azure-c-shared-utility

Azure C SDKs common code

OpenSSL certificate verify failed #145

Closed annatisch closed 6 years ago

annatisch commented 6 years ago

We are building this as part of a Python project using azure-uamqp-c. However, when trying to run it I am consistently getting an OpenSSL error:

uamqp.c_uamqp : b'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed'
uamqp.c_uamqp : b'Closing tlsio from a state other than TLSIO_STATE_EXT_OPEN or TLSIO_STATE_EXT_ERROR'

However, if I use openssl s_client, I get no issues:

CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT TLS CA 4
verify return:1
depth=0 CN = servicebus.windows.net
verify return:1
---
Certificate chain
 0 s:/CN=servicebus.windows.net
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 4
-----BEGIN CERTIFICATE-----
MIIG2DCCBMCgAwIBAgITFgAA5OKof....
-----END CERTIFICATE-----
 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 4
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
-----BEGIN CERTIFICATE-----
MIIFtDCCBJygAwIBAgIQC2qzs....
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=servicebus.windows.net
issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 4
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3707 bytes and written 470 bytes
---
New, TLSv1/SSLv3, Cipher is ...
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ...
    Session-ID: ...
    Session-ID-ctx:
    Master-Key: ....
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1522701326
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Do you have any suggestions as to how I might debug this issue further? Thanks!

jebrando commented 6 years ago

@annatisch Thank you for the issue, can you please let us know the OS and version you are using.

dcristoloveanu commented 6 years ago

@annatisch @jebrando Is this issue due to the issue https://github.com/Azure/azure-uamqp-c/issues/226 in uAMQP? As the uAMQP issue seems to be resolved, is this issue still needed?

Btw, the call to SSL_CTX_set_default_verify_paths is made so by default the CA certs should be picked up from Ubuntu OSs.

Thanks, /Dan

annatisch commented 6 years ago

Yes - thanks @jebrando and @dcristoloveanu - this issue was due to an invalid cmake configuration.

annatisch commented 6 years ago

Hi @jebrando and @dcristoloveanu,

Turns out my cmake config was not the issue here. Or at least maybe not the only issue. We are getting these cert verify errors when building with use_openssl:bool=ON for both OSX and Linux (we don't use openssl on Windows). Are there any other build config flags that use_openssl is incompatible with or must be combined with? For example - can use_openssl be combined with use_builtin_httpapi:bool=ON (to avoid the libcurl dependency)? Alternatively, if we do take a dependency on libcurl, what would happen if libcurl had not been compiled to support openssl (which doesn't appear to be supported by default)?

In terms of OS, this is happening across multiple versions and distros of Linux (ubuntu, centos, and raspbian) and 10.12/10.13 OSX. We have also tried building against OpenSSL 1.0 and 1.1. Any thoughts would be appreciated :)

annatisch commented 6 years ago

Finally figured this out. When building OpenSSL from source one must specify the --openssldir flag to the location of the ca certs and openssl.cnf on the destination machine. On ubuntu this is /etc/ssl, which is not the build default (/usr/local/ssl).
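A small diagnostic for the mismatch described above, added here as an example and not part of the thread or of the SDK: it reads the compiled-in OPENSSLDIR from `openssl version -d` and checks whether the default verify paths that SSL_CTX_set_default_verify_paths consults (`$OPENSSLDIR/cert.pem` or the hashed `$OPENSSLDIR/certs` directory, or their SSL_CERT_FILE / SSL_CERT_DIR overrides) actually hold any CA material. It assumes the `openssl` binary in PATH comes from the same build the SDK links against.

```shell
#!/bin/sh
# Diagnostic for the openssldir mismatch discussed in this issue (added example,
# not SDK code). Assumes the openssl CLI in PATH is the same build the SDK links to.

# Pull the compiled-in directory out of a line like:  OPENSSLDIR: "/usr/local/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\([^"]*\)".*/\1/p'
}

# SSL_CTX_set_default_verify_paths consults $OPENSSLDIR/cert.pem and the hashed
# directory $OPENSSLDIR/certs (overridable via SSL_CERT_FILE / SSL_CERT_DIR).
# Returns 0 when one of them holds something usable, 1 when verification cannot succeed.
check_trust_store() {
    dir=$1
    file=${SSL_CERT_FILE:-$dir/cert.pem}
    cdir=${SSL_CERT_DIR:-$dir/certs}
    if [ -r "$file" ]; then
        echo "ok: CA bundle $file"
        return 0
    fi
    # c_rehash-style directories contain <subject-hash>.0 links; require at least one.
    set -- "$cdir"/*.0
    if [ -d "$cdir" ] && [ -e "$1" ]; then
        echo "ok: hashed CA directory $cdir"
        return 0
    fi
    echo "empty: no $file and no hashed certs in $cdir; expect 'certificate verify failed'"
    return 1
}

# Full check against the openssl binary in PATH; returns 2 when there is none.
diagnose() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH"; return 2; }
    dir=$(parse_openssldir "$(openssl version -d)")
    echo "compiled-in OPENSSLDIR: $dir"
    check_trust_store "$dir" && return 0
    echo "fix: ./config --openssldir=/etc/ssl (Ubuntu), or point SSL_CERT_DIR/SSL_CERT_FILE at the distro store"
    return 1
}

# Run the diagnostic when executed as a script; pass any argument to only define the functions.
[ $# -eq 0 ] && diagnose
```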

tameraw commented 6 years ago

@annatisch thank you for your contribution to our open-sourced project! Please help us improve by filling out this 2-minute customer satisfaction survey.