
Refine libphutil/resources/ssl/README
Open, Needs Triage, Public

Description

Hi everyone,

I just started to use arcanist on a Linux system in combination with an instance of Phabricator which uses a self-signed SSL cert.
All the hints arc printed were just great (it even told me which PHP modules were missing - WOW)! When all requirements were met, I got this:

mr@judge:~$ arc install-certificate
Trying to connect to server...
Usage Exception: Failed to connect to server (https://phabricator.marc-richter.info/api/): [cURL/60] (https://phabricator.marc-richter.info/api/conduit.ping) 
<CURLE_SSL_CACERT> There was an error verifying the SSL Certificate Authority while negotiating the SSL connection. This usually indicates that you are 
using a self-signed certificate but have not added your CA to the CA bundle. See instructions in "libphutil/resources/ssl/README".
mr@judge:~$

This is also true - arc recognized my self-signed cert and pointed me to read [[https://secure.phabricator.com/T8914 | libphutil/resources/ssl/README]], which contains the relevant info.
But inside that file it is quite unclear that curl.cainfo is a PHP setting, usually defined in a php.ini somewhere. I thought it was a parameter which has to be set with arc set-config! That arc accepts this (unknown) parameter without complaining did not help me notice my mistake:

mr@judge:~$ arc set-config curl.cainfo ~/cacert.pem 
Set key 'curl.cainfo' = "~/cacert.pem" in user config (was null).
mr@judge:~$ arc install-certificate
Trying to connect to server...
Usage Exception: Failed to connect to server (https://phabricator.marc-richter.info/api/): [cURL/60] (https://phabricator.marc-richter.info/api/conduit.ping) 
<CURLE_SSL_CACERT> There was an error verifying the SSL Certificate Authority while negotiating the SSL connection. This usually indicates that you are
using a self-signed certificate but have not added your CA to the CA bundle. See instructions in "libphutil/resources/ssl/README".
mr@judge:~$

Fortunately, searching the web for curl.cainfo pointed me to PHP.

This might be clarified by changing line 21 to:

If "curl.cainfo" PHP setting is not set (or you are using PHP older than 5.3.7, where the

Or similar.
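The confusion in the report is between an arc config key and a PHP ini directive. The following shell script is an added example, not part of this task or of libphutil/arcanist: it shows which php.ini the PHP CLI (which arc runs under) actually loads, reads the curl.cainfo value from it, and validates that the named file is an absolute, readable PEM bundle, since php.ini values are taken literally (no "~" or shell expansion, so a value like `~/cacert.pem` would not work there either). It assumes `php` and `openssl` are on PATH when `diagnose_cainfo` and `verify_with_bundle` are called; every file path and host name in it is an example value.

```sh
#!/bin/sh
# Added example, not code from this task or from libphutil/arcanist.
# curl.cainfo is a php.ini directive read by PHP's curl extension, not an
# arc config key, so `arc set-config curl.cainfo ...` has no effect on TLS
# verification. Assumes `php` (and, for verify_with_bundle, `openssl`) is
# on PATH; all paths and host names are example values.

# check_ca_file PATH
# Returns 0 if PATH is an absolute, readable PEM bundle;
#         2 if it is relative or starts with '~' (php.ini does no expansion);
#         1 if it cannot be read;
#         3 if it does not look like a PEM certificate file.
check_ca_file() {
    path=$1
    case "$path" in
        /*) ;;
        *)
            echo "curl.cainfo must be an absolute path (no '~', no relative path): $path" >&2
            return 2
            ;;
    esac
    if [ ! -r "$path" ]; then
        echo "CA bundle is not readable: $path" >&2
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$path"; then
        echo "not a PEM certificate bundle: $path" >&2
        return 3
    fi
    return 0
}

# diagnose_cainfo
# Prints the php.ini files the PHP CLI loaded, then validates the bundle that
# curl.cainfo currently names. arc is a CLI PHP program, so this is the
# configuration that matters for `arc install-certificate`, not the web SAPI's.
diagnose_cainfo() {
    php --ini
    cainfo=$(php -r 'echo ini_get("curl.cainfo");')
    if [ -z "$cainfo" ]; then
        echo "curl.cainfo is unset in the loaded php.ini." >&2
        echo "Add a line such as:  curl.cainfo = /etc/ssl/certs/my-ca.pem   (example path)" >&2
        return 1
    fi
    echo "curl.cainfo = $cainfo"
    check_ca_file "$cainfo"
}

# verify_with_bundle HOST BUNDLE
# Confirms, independently of PHP, that BUNDLE verifies HOST's certificate
# chain: a bundle that passes check_ca_file can still be the wrong CA.
verify_with_bundle() {
    openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Interactive use (example host and path):
#   diagnose_cainfo
#   verify_with_bundle phabricator.example.com /etc/ssl/certs/my-ca.pem
```

After `diagnose_cainfo` reports a valid bundle and `verify_with_bundle` succeeds, `arc install-certificate` should get past the CURLE_SSL_CACERT error; if only the second check fails, the bundle is readable but does not contain the CA that signed the server certificate.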

Event Timeline

Judge raised the priority of this task from to Needs Triage.
Judge updated the task description.
Judge added projects: libphutil, Documentation.
Judge added a subscriber: Judge.

Let me ask something, since I get a similar issue.
What type of crypto is your self-signed cert using?

Personally I usually create a self-signed certificate with the most secure crypto:

  • ECDSA (I think it was prime-256 because of compatibility, or ed25519 based, I don't remember)
  • SHA-256

Then I generate an ECDH parameter.
And I blacklist bad symmetric ciphers; it looks like:

ECDHE-ECDSA-AES128-GCM-SHA256

The problem is that libcurl switched to NSS (a Mozilla lib to build secure apps: https://nss-crypto.org/) from OpenSSL (which I can understand when looking at the source code of OpenSSL and the thriller of YetAnotherCriticalSslBug).
The problem is that curl won't overwrite NSS parameters, and NSS doesn't include EC crypto by default.

See more about this known bug: https://bugzilla.redhat.com/show_bug.cgi?id=1185708

If it is the same problem, there are three solutions:

  • maintain your patched version of libnss (the patch is really simple, see above)
  • revert to an OpenSSL-based nss (hard to do I think, since libnss and OpenSSL would maybe have to match, and this will reintroduce bugs and so on)
  • create another RSA-based cert

Personally I chose 3) since I have no time to maintain 1) on Debian.
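Before replacing a certificate on the strength of the comment above, it is worth confirming that the two conditions it describes actually hold: a curl built against NSS, and a server certificate with an EC key. The shell script below is an added example, not part of this task or of any project mentioned here. It reads the TLS backend out of `curl -V`, reads the key algorithm out of `openssl x509 -noout -text` for the certificate the server presents, and reports whether the EC-plus-NSS combination is present. It assumes `curl` and `openssl` are on PATH when `check_cert_compat` is called; the host name is a placeholder.

```sh
#!/bin/sh
# Added example, not code from this task. Confirms or rules out the
# EC-certificate + NSS-backed-curl combination described in the comment.
# Assumes curl and openssl are on PATH when check_cert_compat runs;
# host and port are example values.

# tls_backend_of TEXT
# TEXT is the output of `curl -V`; prints the TLS library libcurl was built
# against (the first line names it, e.g. "NSS/3.17.2" or "OpenSSL/1.0.2g").
tls_backend_of() {
    case "$1" in
        *NSS/*)     echo NSS ;;
        *OpenSSL/*) echo OpenSSL ;;
        *GnuTLS/*)  echo GnuTLS ;;
        *)          echo unknown ;;
    esac
}

# key_algorithm_of TEXT
# TEXT is the output of `openssl x509 -noout -text`; prints EC, RSA or unknown
# from the "Public Key Algorithm" line of the leaf certificate.
key_algorithm_of() {
    alg=$(printf '%s\n' "$1" | awk '
        /Public Key Algorithm:/ {
            if ($0 ~ /id-ecPublicKey/)     print "EC";
            else if ($0 ~ /rsaEncryption/) print "RSA";
            else                           print "unknown";
            exit
        }')
    echo "${alg:-unknown}"
}

# compat_verdict BACKEND ALG
# Returns 1 for the EC + NSS combination (compare with the Red Hat bug linked
# in the comment), 0 for everything else.
compat_verdict() {
    if [ "$1" = NSS ] && [ "$2" = EC ]; then
        echo "EC certificate served to an NSS-backed curl: matches the case in the comment" >&2
        return 1
    fi
    return 0
}

# check_cert_compat HOST [PORT]
# Fetches HOST's leaf certificate and reports backend and key algorithm.
check_cert_compat() {
    host=$1
    port=${2:-443}
    backend=$(tls_backend_of "$(curl -V)")
    certtext=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
               | openssl x509 -noout -text)
    alg=$(key_algorithm_of "$certtext")
    echo "curl TLS backend: $backend; server key algorithm: $alg"
    compat_verdict "$backend" "$alg"
}

# Example invocation (placeholder host):
#   check_cert_compat phabricator.example.com
```

A non-zero exit from `check_cert_compat` means the installation matches the comment's description; a zero exit with an RSA key or an OpenSSL backend means the CURLE_SSL_CACERT error has a different cause, most likely the curl.cainfo bundle itself.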