Lots of "unable to get local issuer certificate" warnings when pinging "https://" ressources.

[TurtleWilly]

I'm getting a lot of "unable to get local issuer certificate" warnings when pinging https resources:

$ ./httping https://someserver.foo.bar/
Auto enabling SSL due to https-URL
PING someserver.foo.bar:443 (/):
connected to 1.2.3.4:443 (194 bytes), seq=0 time=121,21 ms 
SSL certificate validation failed: unable to get local issuer certificate
connected to 1.2.3.4:443 (194 bytes), seq=1 time=120,12 ms 
SSL certificate validation failed: unable to get local issuer certificate
connected to 1.2.3.4:443 (194 bytes), seq=2 time=121,04 ms 
SSL certificate validation failed: unable to get local issuer certificate
connected to 1.2.3.4:443 (194 bytes), seq=3 time=110,75 ms 
SSL certificate validation failed: unable to get local issuer certificate
connected to 1.2.3.4:443 (194 bytes), seq=4 time=119,35 ms 
SSL certificate validation failed: unable to get local issuer certificate
connected to 1.2.3.4:443 (194 bytes), seq=5 time=120,77 ms
…

I did a trace and noted that httping opens openssl libraries fine but never loads any cert file (like curl or wget do which are linked against the very same set of openssl libraries) from the trust stores.

$ sudo opensnoop -ve -n httping
STRTIME                UID    PID COMM          FD ERR PATH                 
2024 Mar 31 17:29:07   501   5076 httping        3   0 .                    
2024 Mar 31 17:29:07   501   5076 httping        3   0 /usr/local/silo/openssl/latest@3/lib/libssl.3.dylib 
2024 Mar 31 17:29:07   501   5076 httping        3   0 /usr/local/silo/openssl/latest@3/lib/libcrypto.3.dylib 
2024 Mar 31 17:29:07   501   5076 httping        3   0 /usr/local/silo/fftw/latest/lib/libfftw3.3.dylib 
2024 Mar 31 17:29:07   501   5076 httping        3   0 /usr/local/silo/gettext/latest/lib/libintl.8.dylib 
2024 Mar 31 17:29:07   501   5076 httping        3   0 /usr/local/silo/libiconv/latest/lib/libiconv.2.dylib 
2024 Mar 31 17:29:07   501   5076 httping        3   0 /dev/dtracehelper    
2024 Mar 31 17:29:07   501   5076 httping       -1   2 /usr/share/locale/UTF-8/LC_COLLATE 
2024 Mar 31 17:29:07   501   5076 httping        3   0 /usr/share/locale/UTF-8/LC_CTYPE 
2024 Mar 31 17:29:07   501   5076 httping        3   0 /Volumes/Temporary/HTTPing-2.9 
2024 Mar 31 17:29:07   501   5076 httping        3   0 /Volumes/Temporary/HTTPing-2.9 
2024 Mar 31 17:29:07   501   5076 httping        3   0 /Volumes/Temporary/HTTPing-2.9/./httping 
2024 Mar 31 17:29:07   501   5076 httping       -1   2 /etc/.mdns_debug     
2024 Mar 31 17:29:07   501   5076 httping       -1   2 /usr/share/locale/en_DE/LC_NUMERIC 
2024 Mar 31 17:29:07   501   5076 httping        4   0 /usr/share/locale/de_DE/LC_NUMERIC 
2024 Mar 31 17:29:07   501   5076 httping       -1   2 /usr/share/locale/en_DE/LC_TIME 
2024 Mar 31 17:29:07   501   5076 httping        4   0 /usr/share/locale/de_DE/LC_TIME 
2024 Mar 31 17:29:07   501   5076 httping       -1   2 /usr/share/locale/en_DE/LC_COLLATE 
2024 Mar 31 17:29:07   501   5076 httping        4   0 /usr/share/locale/de_DE/LC_COLLATE 
2024 Mar 31 17:29:07   501   5076 httping       -1   2 /usr/share/locale/en_DE/LC_MONETARY 
2024 Mar 31 17:29:07   501   5076 httping        4   0 /usr/share/locale/de_DE/LC_MONETARY 
2024 Mar 31 17:29:07   501   5076 httping       -1   2 /usr/share/locale/en_DE/LC_MESSAGES/LC_MESSAGES 
2024 Mar 31 17:29:07   501   5076 httping       -1   2 /usr/share/locale/en/LC_MESSAGES/LC_MESSAGES 
2024 Mar 31 17:29:07   501   5076 httping       -1   2 /usr/local/silo/httping/2.9/share/locale/en/LC_MESSAGES/httping.mo 
2024 Mar 31 17:29:07   501   5076 httping        4   0 /usr/local/etc/openssl/openssl.cnf 
2024 Mar 31 17:29:07   501   5076 httping        4   0 /dev/urandom         
2024 Mar 31 17:29:07   501   5076 httping        5   0 /etc/localtime       
2024 Mar 31 17:29:07   501   5076 httping        7   0 /usr/share/zoneinfo/UTC

It seems code in mssl.c in initialize_ctx() prevents the standard trust store to be loaded, because it forces some unsuitable hard-coded "ca_path":

	if (ca_path == NULL)
#if defined(__NetBSD__)
		ca_path = "/etc/openssl/certs";
#else
		ca_path = "/etc/ssl/certs";
#endif

Neither do I run NetBSD, nor do I have "/etc/ssl/certs". I do have "/usr/local/etc/openssl/cert.pem" and "/usr/local/etc/openssl/certs" here though.

I do not know much about OpenSSL and its API, but I adjusted the code like this:

#if 0
	if (ca_path == NULL)
#if defined(__NetBSD__)
		ca_path = "/etc/openssl/certs";
#else
		ca_path = "/etc/ssl/certs";
#endif
#else
	if (ca_path == NULL)
		SSL_CTX_set_default_verify_paths(ctx);
#endif

and now it seemingly works for me (no more errors). I do not know if the above code is correct in any way, but as hotfix it does the trick.

On related note the regular dumping of the warnings entirely broke the ncurses UI output. It seems the extra newline or something makes things go wild:

---

HTTPing Version: 2.9 (release tarball)
OpenSSL Version: 3.1.1
OS: OS X 10.10.5 (Yosemite)

[folkertvanheusden]

Hi, Thanks for the mail. Just to be clear: this happens on OS X? Because I can add some #ifdefs here and there then to resolve that issue. regards

…

On Sun, Mar 31, 2024 at 6:16 PM Wilhelm Loves Their Turtles < ***@***.***> wrote: I'm getting a lot of "unable to get local issuer certificate" warnings when pinging https resources: $ ./httping https://someserver.foo.bar/ Auto enabling SSL due to https-URL PING someserver.foo.bar:443 (/): connected to 1.2.3.4:443 (194 bytes), seq=0 time=121,21 ms SSL certificate validation failed: unable to get local issuer certificate connected to 1.2.3.4:443 (194 bytes), seq=1 time=120,12 ms SSL certificate validation failed: unable to get local issuer certificate connected to 1.2.3.4:443 (194 bytes), seq=2 time=121,04 ms SSL certificate validation failed: unable to get local issuer certificate connected to 1.2.3.4:443 (194 bytes), seq=3 time=110,75 ms SSL certificate validation failed: unable to get local issuer certificate connected to 1.2.3.4:443 (194 bytes), seq=4 time=119,35 ms SSL certificate validation failed: unable to get local issuer certificate connected to 1.2.3.4:443 (194 bytes), seq=5 time=120,77 ms … I did a trace and noted that httping opens openssl libraries fine but never loads any cert file (like curl or wget do which are linked against the very same set of openssl libraries) from the trust stores. $ sudo opensnoop -ve -n httping STRTIME UID PID COMM FD ERR PATH 2024 Mar 31 17:29:07 501 5076 httping 3 0 . 2024 Mar 31 17:29:07 501 5076 httping 3 0 ***@***.***/lib/libssl.3.dylib 2024 Mar 31 17:29:07 501 5076 httping 3 0 ***@***.***/lib/libcrypto.3.dylib 2024 Mar 31 17:29:07 501 5076 httping 3 0 /usr/local/silo/fftw/latest/lib/libfftw3.3.dylib 2024 Mar 31 17:29:07 501 5076 httping 3 0 /usr/local/silo/gettext/latest/lib/libintl.8.dylib 2024 Mar 31 17:29:07 501 5076 httping 3 0 /usr/local/silo/libiconv/latest/lib/libiconv.2.dylib 2024 Mar 31 17:29:07 501 5076 httping 3 0 /dev/dtracehelper 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/UTF-8/LC_COLLATE 2024 Mar 31 17:29:07 501 5076 httping 3 0 /usr/share/locale/UTF-8/LC_CTYPE 2024 Mar 31 17:29:07 501 5076 httping 3 0 /Volumes/Temporary/HTTPing-2.9 2024 Mar 31 17:29:07 501 5076 httping 3 0 /Volumes/Temporary/HTTPing-2.9 2024 Mar 31 17:29:07 501 5076 httping 3 0 /Volumes/Temporary/HTTPing-2.9/./httping 2024 Mar 31 17:29:07 501 5076 httping -1 2 /etc/.mdns_debug 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_NUMERIC 2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/share/locale/de_DE/LC_NUMERIC 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_TIME 2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/share/locale/de_DE/LC_TIME 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_COLLATE 2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/share/locale/de_DE/LC_COLLATE 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_MONETARY 2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/share/locale/de_DE/LC_MONETARY 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en_DE/LC_MESSAGES/LC_MESSAGES 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/share/locale/en/LC_MESSAGES/LC_MESSAGES 2024 Mar 31 17:29:07 501 5076 httping -1 2 /usr/local/silo/httping/2.9/share/locale/en/LC_MESSAGES/httping.mo 2024 Mar 31 17:29:07 501 5076 httping 4 0 /usr/local/etc/openssl/openssl.cnf 2024 Mar 31 17:29:07 501 5076 httping 4 0 /dev/urandom 2024 Mar 31 17:29:07 501 5076 httping 5 0 /etc/localtime 2024 Mar 31 17:29:07 501 5076 httping 7 0 /usr/share/zoneinfo/UTC It seems code in mssl.c in initialize_ctx() prevents the standard trust store to be loaded, because it forces some unsuitable hard-coded "ca_path": if (ca_path == NULL)#if defined(__NetBSD__) ca_path = "/etc/openssl/certs";#else ca_path = "/etc/ssl/certs";#endif Neither do I run NetBSD, nor do I have "/etc/ssl/certs". I do have "/usr/local/etc/openssl/cert.pem" and "/usr/local/etc/openssl/certs" here though. I do not know much about OpenSSL and its API, but I adjusted the code like this: #if 0 if (ca_path == NULL)#if defined(__NetBSD__) ca_path = "/etc/openssl/certs";#else ca_path = "/etc/ssl/certs";#endif#else if (ca_path == NULL) SSL_CTX_set_default_verify_paths(ctx);#endif and now it seemingly works for me (no more errors). I do not know if the above code is correct in any way, but as hotfix it does the trick. On related note the regular dumping of the warnings entirely broke the ncurses UI output. It seems the extra newline or something makes things go wild: [image: Screenshot] <https://raw.githubusercontent.com/TurtleWilly/issues/master/httping.png> ------------------------------ HTTPing Version: 2.9 (release tarball) OpenSSL Version: 3.1.1 OS: OS X 10.10.5 (Yosemite) — Reply to this email directly, view it on GitHub <#16>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AUN5IW5LEXJ23ZUEO5A3INDY3AZEZAVCNFSM6AAAAABFQRACT2VHI2DSMVQWIX3LMV43ASLTON2WKOZSGIYTOMBWGY3DGOA> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[TurtleWilly]

Yes, this is on an older OS X.

Not sure adding more #ifdefs is a good thing? My path/ example may not agree with other Mac OS X/ OS X/ macOS users. For example they may run OpenSSL via MacPorts or Homebrew installations where paths may be different again.

Hence my idea was to query OpenSSL for the path and let it decide what is right (e.g. also allow SSL_CERT_DIR/ SSL_CERT_FILE environment variables for overriding by the user) rather than hardcode anything. I just don't know if that SSL_CTX_set_default_verify_paths() is the proper way to do things (I just trial-and-errored this basically and it worked by luck afterwards. 😎)

[simonmichael]

I see the same on latest macos sequoia, using homebrew's httping 2.9.

Thanks for httping, it's very useful!

[simonmichael]

PS, 2.9 is packaged in brew; might there be a changelog for 2024's 3.6 release ?