Certificate not trusted

[corbinu]

Hello,

I am having an issue where iojs returns a 'Certificate not trusted error' This does not return in node 0.12. I am trying to figure out if this is something wrong with the cert or something wrong iojs

Thanks for any help you can give.

The request is to address.melissadata.net

Here is the output from openssl verifying the cert

openssl s_client -CApath /etc/ssl/certs/  -connect address.melissadata.net:443 | openssl x509 -text
depth=3 L = ValiCert Validation Network, O = "ValiCert, Inc.", OU = ValiCert Class 2 Policy Validation Authority, CN = http://www.valicert.com/, emailAddress = info@valicert.com
verify return:1
depth=2 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certificates.starfieldtech.com/repository, CN = Starfield Secure Certification Authority, serialNumber = 10688435
verify return:1
depth=0 O = *.melissadata.net, OU = Domain Control Validated, CN = *.melissadata.net
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1165748711591655 (0x4243e05da0ee7)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certificates.starfieldtech.com/repository, CN=Starfield Secure Certification Authority/serialNumber=10688435
        Validity
            Not Before: Dec  1 16:04:11 2011 GMT
            Not After : Sep 29 18:08:43 2015 GMT
        Subject: O=*.melissadata.net, OU=Domain Control Validated, CN=*.melissadata.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c0:7d:75:76:55:80:75:b1:c8:6d:f4:32:6a:b4:
                    17:bc:67:11:ad:6c:82:b5:fb:3c:c5:17:6b:06:1b:
                    1d:fb:56:76:22:c5:3a:96:c7:e5:38:ab:b6:cb:fc:
                    f5:29:f1:94:c2:4e:8a:f1:d0:9d:70:f2:dc:f6:08:
                    64:33:0c:9c:5e:2c:a9:b2:f4:70:69:08:72:1c:60:
                    e7:7a:1d:a6:83:91:c5:4d:ae:2c:50:36:ca:50:56:
                    7f:c0:3e:6b:f2:10:fc:87:63:4b:7c:e2:ca:44:4a:
                    75:76:7e:ba:77:e5:35:34:8b:66:14:eb:e3:6d:ab:
                    90:fa:78:4f:dd:94:00:2d:52:69:ac:0a:20:31:c2:
                    28:15:18:ce:83:c3:64:aa:af:db:13:73:83:81:b5:
                    aa:4c:85:73:d2:8e:24:b7:ab:3b:6c:38:14:7f:eb:
                    06:70:64:45:21:d9:53:38:64:cc:a6:c6:5b:da:9c:
                    8e:12:0a:c4:07:ba:6e:b0:74:b4:6c:3e:18:5e:38:
                    3e:29:34:18:08:b8:76:c8:b0:98:be:8a:fa:ea:09:
                    bd:09:37:b6:72:08:4d:19:52:e8:d2:63:74:d0:97:
                    5e:24:61:ef:1f:59:c4:ef:5a:f4:8d:0d:dc:8f:3d:
                    23:ec:3c:e6:89:e0:5a:c4:ac:88:e7:f4:7c:fe:25:
                    a4:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.starfieldtech.com/sfs1-21.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114414.1.7.23.1
                  CPS: http://certificates.starfieldtech.com/repository/

            Authority Information Access:
                OCSP - URI:http://ocsp.starfieldtech.com/
                CA Issuers - URI:http://certificates.starfieldtech.com/repository/sf_intermediate.crt

            X509v3 Authority Key Identifier:
                keyid:49:4B:52:27:D1:1B:BC:F2:A1:21:6A:62:7B:51:42:7A:8A:D7:D5:56

            X509v3 Subject Alternative Name:
                DNS:*.melissadata.net, DNS:melissadata.net
            X509v3 Subject Key Identifier:
                5C:75:00:02:B7:F6:23:67:2A:8B:1D:09:12:28:F9:72:12:E3:A2:2D
    Signature Algorithm: sha1WithRSAEncryption
         83:b2:df:87:ee:eb:db:30:9d:be:d6:4f:b7:cb:80:c5:e5:d7:
         58:c0:01:9c:7b:6f:1c:f8:56:8d:73:72:4e:90:1d:b8:27:80:
         c3:be:b7:c9:ba:35:55:8c:02:32:4b:1c:dd:83:a2:bf:44:5f:
         0c:73:3f:d3:34:9d:68:20:4d:82:22:98:b5:3c:60:e6:63:0d:
         26:ce:cc:df:6b:93:0d:2c:ba:50:88:d2:10:25:07:a8:44:4b:
         d2:01:0a:3f:76:6d:dc:2b:c1:14:27:a0:6e:6a:f6:cb:c2:96:
         3c:63:7d:c8:7c:53:56:51:ba:16:44:90:63:be:0d:f7:e8:7c:
         8a:0d:81:21:10:04:db:d8:0c:e6:2d:c3:5f:8f:3d:f1:97:ba:
         2b:e0:7e:7c:30:b6:32:c7:96:6e:9c:24:d0:f6:6f:47:97:f2:
         1b:30:4e:1d:9d:e8:b6:c9:e7:56:90:37:94:cd:01:a3:31:b1:
         26:cf:90:8c:15:0f:ad:d3:00:d6:a4:cb:39:e0:4d:af:e9:32:
         59:f4:4a:cf:ca:9d:c0:d7:c2:73:3f:a7:98:93:1e:d5:99:42:
         5e:83:5e:b1:b3:56:ce:1a:b1:e6:3c:45:65:bb:e1:2f:06:5e:
         e7:b1:e6:b0:11:bd:ab:d6:eb:13:3b:f1:a2:c8:0f:5f:10:08:
         04:07:e0:7e
-----BEGIN CERTIFICATE-----
MIIFlDCCBHygAwIBAgIHBCQ+BdoO5zANBgkqhkiG9w0BAQUFADCB3DELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAj
BgNVBAoTHFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xOTA3BgNVBAsTMGh0
dHA6Ly9jZXJ0aWZpY2F0ZXMuc3RhcmZpZWxkdGVjaC5jb20vcmVwb3NpdG9yeTEx
MC8GA1UEAxMoU3RhcmZpZWxkIFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
eTERMA8GA1UEBRMIMTA2ODg0MzUwHhcNMTExMjAxMTYwNDExWhcNMTUwOTI5MTgw
ODQzWjBbMRowGAYDVQQKFBEqLm1lbGlzc2FkYXRhLm5ldDEhMB8GA1UECxMYRG9t
YWluIENvbnRyb2wgVmFsaWRhdGVkMRowGAYDVQQDFBEqLm1lbGlzc2FkYXRhLm5l
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMB9dXZVgHWxyG30Mmq0
F7xnEa1sgrX7PMUXawYbHftWdiLFOpbH5Tirtsv89SnxlMJOivHQnXDy3PYIZDMM
nF4sqbL0cGkIchxg53odpoORxU2uLFA2ylBWf8A+a/IQ/IdjS3ziykRKdXZ+unfl
NTSLZhTr422rkPp4T92UAC1SaawKIDHCKBUYzoPDZKqv2xNzg4G1qkyFc9KOJLer
O2w4FH/rBnBkRSHZUzhkzKbGW9qcjhIKxAe6brB0tGw+GF44Pik0GAi4dsiwmL6K
+uoJvQk3tnIITRlS6NJjdNCXXiRh7x9ZxO9a9I0N3I89I+w85ongWsSsiOf0fP4l
pNECAwEAAaOCAdkwggHVMA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDA5BgNVHR8EMjAwMC6gLKAq
hihodHRwOi8vY3JsLnN0YXJmaWVsZHRlY2guY29tL3NmczEtMjEuY3JsMFkGA1Ud
IARSMFAwTgYLYIZIAYb9bgEHFwEwPzA9BggrBgEFBQcCARYxaHR0cDovL2NlcnRp
ZmljYXRlcy5zdGFyZmllbGR0ZWNoLmNvbS9yZXBvc2l0b3J5LzCBjQYIKwYBBQUH
AQEEgYAwfjAqBggrBgEFBQcwAYYeaHR0cDovL29jc3Auc3RhcmZpZWxkdGVjaC5j
b20vMFAGCCsGAQUFBzAChkRodHRwOi8vY2VydGlmaWNhdGVzLnN0YXJmaWVsZHRl
Y2guY29tL3JlcG9zaXRvcnkvc2ZfaW50ZXJtZWRpYXRlLmNydDAfBgNVHSMEGDAW
gBRJS1In0Ru88qEhamJ7UUJ6itfVVjAtBgNVHREEJjAkghEqLm1lbGlzc2FkYXRh
Lm5ldIIPbWVsaXNzYWRhdGEubmV0MB0GA1UdDgQWBBRcdQACt/YjZyqLHQkSKPly
EuOiLTANBgkqhkiG9w0BAQUFAAOCAQEAg7Lfh+7r2zCdvtZPt8uAxeXXWMABnHtv
HPhWjXNyTpAduCeAw763ybo1VYwCMksc3YOiv0RfDHM/0zSdaCBNgiKYtTxg5mMN
Js7M32uTDSy6UIjSECUHqERL0gEKP3Zt3CvBFCegbmr2y8KWPGN9yHxTVlG6FkSQ
Y74N9+h8ig2BIRAE29gM5i3DX4898Ze6K+B+fDC2MseWbpwk0PZvR5fyGzBOHZ3o
tsnnVpA3lM0BozGxJs+QjBUPrdMA1qTLOeBNr+kyWfRKz8qdwNfCcz+nmJMe1ZlC
XoNesbNWzhqx5jxFZbvhLwZe57HmsBG9q9brEzvxosgPXxAIBAfgfg==
-----END CERTIFICATE-----

[shigeki]

This is an another case of #402 . The ValiCert Class 2 of 1024bit RSA was removed but iojs refers it due to a cross root cert on this site. The patch of openssl are not still applied yet. Do we restore https://github.com/joyent/node/blob/v0.12/src/node_root_certs.h#L227-L243 ?

CC: @bnoordhuis @indutny

[shigeki]

A good news is that a patch to fix has just been landed in the upstream master. http://rt.openssl.org/Ticket/Display.html?id=3637&user=guest&pass=guest . I will try to backport it to 1.0.2 and tests if the issue is resolved.

[corbinu]

Thanks much!

[shigeki]

Confirmed that the issue was resolved with 4ffbc5bebfbcfaf7e15efb957f9f00bfe237b924 and 0aa79f6e7be1021176253b0e65b43b6e6bc4e69c in https://github.com/shigeki/io.js/tree/GH-923 .

$ cat ~/tmp/tls_alt_cert_chains/tls_alt_cert_chain_check.js
// check alt cert chain patch works well by testing to
//  tls server which has a cross root cert.
var tls = require('tls');
var client = tls.connect(443, 'address.melissadata.net', function() {
  console.log('TLS connected');
  client.destroy();
});
client.on('error', function(err) {
  console.log(err);
});
$ ./iojs ~/tmp/tls_alt_cert_chains/tls_alt_cert_chain_check.js
TLS connected

@indutny @bnoordhuis Can we take these patch to openssl-1.0.2 . My upgrading work is almost finished and only writing a doc is remained.

[indutny]

@shigeki hell yes! Let's do it!

[corbinu]

Just wondering the status on this? are we just waiting on openssl to merge?

[shigeki]

@corbinu Sorry for waiting. I'm working on it but it's not finished yet. I will submit a PR to add ValiCert Class 2 today.

[corbinu]

Thanks very much for your time on this!

[shigeki]

@corbinu Thank you for your patience. The fix has just been landed in d8c4a93. I'd like you to confirm that the issue is really resolved.

[corbinu]

@shigeki Thanks so much work like a charm