lua-users home
lua-l archive

On Tue, Apr 30, 2019 at 10:31 PM Daurnimator <quae@daurnimator.com> wrote:
On Wed, 1 May 2019 at 06:46, Russell Haley <russ.haley@gmail.com> wrote:
>
> Hi,
>
> I'm trying to create a little http(s) client using lua-http. I've never run into these issues before so I think they are related to Ubuntu, but I'm (clearly) no expert. My current platform is Ubuntu 18 LTS. I was initially receiving what I'll describe as a missing cipher error when I was using openssl 1.1.0 so I upgraded to 1.1.1a based on the directions here:
>
> https://askubuntu.com/questions/1102803/how-to-upgrade-openssl-1-1-0-to-1-1-1-in-ubuntu-18-04
>
> I removed and reinstalled lua-http/cqueues/luaossl after the upgrade and now I am getting the following errors:
>
> russellh@sfm-dev:~/lua/client$ ./lua test.lua "https://www.starfishmedical.com"
> starttls: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
> russellh@sfm-dev:~/lua/client$ ./lua test.lua "https://google.com"
> starttls: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:unable to get local issuer certificate
> russellh@sfm-dev:~/lua/client$ ./lua test.lua "https://verisign.com"
> starttls: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:self signed certificate in certificate chain
>
> I checked luaossl to ensure it's pointing at the correct version of openssl and everything seems copacetic. I've used luarocks to create a "package" repository, so the init.lua file simply sets the package.path and package.cpath to point to the correct lua_modules directory (same as the lua code at the bottom of this message).
>
> russellh@sfm-dev:~/lua/sfiot_client$ ./lua -i init.lua
> Lua 5.3.5  Copyright (C) 1994-2018 Lua.org, PUC-Rio
> > ssl = require 'openssl'
> > for i,v in pairs(ssl) do print(i,v) end
> SSLEAY_BUILT_ON 2
> NO_MD2 true
> SSLEAY_PLATFORM 3
> NO_SCTP true
> SSLEAY_VERSION_NUMBER 269488175
> SSLEAY_VERSION 0
> NO_RC5 true
> SSLEAY_CFLAGS 1
> SHLIB_VERSION_NUMBER 1.1
> NO_STATIC_ENGINE true
> extensionSupported function: 0x7fb87ff08840
> SSLEAY_DIR 4
> version function: 0x7fb87ff15750
> NO_UNIT_TEST true
> SHLIB_VERSION_HISTORY
> VERSION_TEXT OpenSSL 1.1.1b  26 Feb 2019
> VERSION_NUMBER 269488175
>
> I recognize that all three errors are different, but I'm wondering if I'm missing a root CA package? I also recognize that this could be asked on the askubuntu site, or even an openssl support site, or even the lua-http github site, but I thought I'd start here for future searchability. Finally, here is my source code:
>
>
> -- Load modules from the luarocks tree installed under ./lua_modules
> package.cpath = './lua_modules/lib/lua/5.3/?.so;./?.so'
> package.path = './lua_modules/share/lua/5.3/?.lua;./lua_modules/share/lua/5.3/?/init.lua;./?.lua;./?/init.lua'
>
> local request = require 'http.request'
> local rolling_logger = require "logging.rolling_file"
> local conf = require('config')
>
> local logger = rolling_logger(conf.base_path .. "/" .. conf.debug_file_name,
>                               conf.file_roll_size or 1024*1024*10,
>                               conf.max_log_files or 31)
> if not logger then
>     print("logger failed")
>     os.exit(-1)
> end
>
> local uri = arg[1]
> if not uri then
>     io.stderr:write("usage: lua test.lua <uri>\n")
>     os.exit(1)
> end
> local req_timeout = 10
>
> local req = request.new_from_uri(uri)
>
> -- On failure req:go returns nil plus an error message (for https that is
> -- where the "starttls: ..." text comes from); on success it returns the
> -- response headers and a stream the body can be read from.
> local headers, stream = req:go(req_timeout)
> if headers == nil then
>     local err = stream
>     logger:error("request failed: " .. tostring(err))
>     io.stderr:write(tostring(err), "\n")
>     os.exit(1)
> end
>
> print(headers:get(":status"))
> local body, err = stream:get_body_as_string()
> if not body then
>     logger:error("failed. no body: " .. tostring(err))
>     os.exit(1)
> end
> print(body)
>
> Thanks,
> Russ

My guess is that your system is missing the root CAs.

luaossl/lua-http uses OpenSSL's X509_STORE_set_default_paths function
to load your system's trust roots.

I ran a simple test against https://www.starfishmedical.com in a FreeBSD jail here at home with no problems. I did some testing with openssl s_client at work before I left today, and if I don't include -CApath in the command, the certificate fails:

russellh@canary-dev:~/lua/sfiot_client$ openssl s_client -connect www.starfishmedical.com:443
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = starfishmedical.com
verify return:1
---
Certificate chain
 0 s:CN = starfishmedical.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
...

If I include -CApath /etc/ssl/certs, then everything works fine:

russellh@canary-dev:~/lua/sfiot_client$ openssl s_client -CApath /etc/ssl/certs -connect www.starfishmedical.com:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = starfishmedical.com
verify return:1
---
Certificate chain
 0 s:CN = starfishmedical.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
...

There was an old post about OpenSSL defaulting to the openssl directory for root certificates, but that was supposedly patched in Ubuntu 12. I'm going to check if there is an OpenSSL build option to include the path to certs; perhaps it's something I've done wrong when I switched to 1.1.1b.

Russ
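The following is an added example, not code from this thread nor from the lua-http or luaossl projects. It does two things the thread discusses: it prints the directory the linked OpenSSL treats as its default trust location (the OPENSSLDIR that X509_STORE_set_default_paths reads certs/ and cert.pem from, unless the SSL_CERT_DIR or SSL_CERT_FILE environment variables override it), and it performs a lua-http request with a certificate store that loads those defaults plus an explicit CA directory, which is the luaossl equivalent of the -CApath /etc/ssl/certs flag used with openssl s_client above. It relies on luaossl's openssl.version() taking the SSLEAY_* constants shown in the module dump earlier in the thread, on openssl.x509.store's new/addDefaults/add and openssl.ssl.context's new/setVerify/setStore, and on lua-http's request field ctx; the script name check_ca.lua, the /etc/ssl/certs default and the command-line layout are assumptions, and fetching anything of course needs network access. For reference, Ubuntu's packaged OpenSSL is configured with an openssldir whose certs entry points at /etc/ssl/certs, while a source build configured without --openssldir uses /usr/local/ssl.

```lua
-- check_ca.lua (added example, not from the thread)
-- usage: lua check_ca.lua https://www.starfishmedical.com [/etc/ssl/certs]
local openssl     = require "openssl"
local x509_store  = require "openssl.x509.store"
local ssl_context = require "openssl.ssl.context"
local request     = require "http.request"

-- Report where this OpenSSL build looks for its default trust store.
-- openssl.version(SSLEAY_DIR) wraps OpenSSL_version(OPENSSL_DIR), which yields
-- a string such as  OPENSSLDIR: "/usr/lib/ssl"  (Ubuntu package) or
-- OPENSSLDIR: "/usr/local/ssl"  (source build with no --openssldir).
-- X509_STORE_set_default_paths reads <OPENSSLDIR>/certs and <OPENSSLDIR>/cert.pem
-- unless SSL_CERT_DIR / SSL_CERT_FILE override them.
local function describe_defaults()
    return string.format("%s\n%s\nSSL_CERT_DIR=%s SSL_CERT_FILE=%s",
        openssl.version(openssl.SSLEAY_VERSION),
        openssl.version(openssl.SSLEAY_DIR),
        tostring(os.getenv("SSL_CERT_DIR")),
        tostring(os.getenv("SSL_CERT_FILE")))
end

-- Build a verifying client context. store:addDefaults() is the same
-- X509_STORE_set_default_paths call lua-http makes in http.tls; the extra
-- ca_dir is the equivalent of openssl s_client -CApath for builds whose
-- OPENSSLDIR holds no certificates. ca_dir may also be a PEM bundle file.
local function new_client_context(ca_dir)
    local store = x509_store.new()
    store:addDefaults()
    if ca_dir then
        store:add(ca_dir)   -- directory must carry c_rehash-style hash links
    end
    local ctx = ssl_context.new("TLS", false)   -- false: client side
    ctx:setVerify(ssl_context.VERIFY_PEER)      -- untrusted chain aborts the handshake
    ctx:setStore(store)
    return ctx
end

-- Perform the request with our context instead of lua-http's default one.
-- Returns status, body on success or nil, error message on failure.
local function fetch(uri, ctx, timeout)
    local req = request.new_from_uri(uri)
    req.ctx = ctx
    local headers, stream = req:go(timeout or 10)
    if not headers then
        return nil, stream   -- on failure the second value is the error string
    end
    local body, err = stream:get_body_as_string()
    if not body then
        return nil, err
    end
    return headers:get(":status"), body
end

local uri, ca_dir = arg[1], arg[2]
print(describe_defaults())
if uri then
    local status, result = fetch(uri, new_client_context(ca_dir))
    if not status then
        io.stderr:write("request failed: ", tostring(result), "\n")
        os.exit(1)
    end
    print(string.format("status %s, %d bytes", status, #result))
end
```

Run it once without the second argument and once with the distribution's CA directory. If the first run fails with "certificate verify failed" and the second succeeds, the default store is an empty directory under the reported OPENSSLDIR; the fixes are to rebuild with --openssldir pointing at the distribution's directory, to export SSL_CERT_DIR (and SSL_CERT_FILE) so X509_STORE_set_default_paths finds the system roots, or to add the directory explicitly as above. Note that OpenSSL only searches a directory by hashed filename, so the directory must contain the symlinks produced by c_rehash (Ubuntu's /etc/ssl/certs does); a plain collection of PEM files in an unhashed directory is ignored without any error.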