invalid peer certificate - OpenSSLProvider.cc

[naveed5]

I am trying to make an https request to a private server using tls1.3 , when validateCert is false it works fine but with validateCert true it doesn't work but I don't see any issue with ssl verification when using CURL.

ReqResult returns Network Failure while trantor logs are as below

20230803 14:03:56.827129 UTC 25734 TRACE [HttpClientImpl] userSSL=1 domain=myserver.io.io - HttpClientImpl.cc:256
20230803 14:03:56.828359 UTC 25690 TRACE [ares_sock_createcallback_] sockfd=73 type=UDP - AresResolver.cc:258
20230803 14:03:56.828402 UTC 25690 TRACE [ares_sock_statecallback_] sockfd=73 read=1 write=0 - AresResolver.cc:272
20230803 14:03:56.833109 UTC 25690 TRACE [onQueryResult] onQueryResult 0 - AresResolver.cc:173
20230803 14:03:56.833157 UTC 25690 TRACE [operator()] dns:domain=myserver.io;ip=x4.1x5.1xx.x0x - HttpClientImpl.cc:467
20230803 14:03:56.833170 UTC 25690 TRACE [createTcpClient] New TcpClient,x4.1x5.1xx.x0x:443 - HttpClientImpl.cc:36
20230803 14:03:56.833212 UTC 25690 TRACE [TcpClient] TcpClient::TcpClient[httpClient] - connector - TcpClient.cc:84
20230803 14:03:56.833225 UTC 25690 TRACE [createTcpClient] useOldTLS=0 - HttpClientImpl.cc:42
20230803 14:03:56.833229 UTC 25690 TRACE [createTcpClient] domain=myserver.io - HttpClientImpl.cc:43
20230803 14:03:56.839735 UTC 25690 TRACE [connect] TcpClient::connect[httpClient] - connecting to x4.1x5.1xx.x0x:443 - TcpClient.cc:111
20230803 14:03:56.839804 UTC 25690 TRACE [createNonblockingSocketOrDie] sock=74 - Socket.h:46
20230803 14:03:56.839897 UTC 25690 TRACE [connect] connecting - Connector.cc:93
20230803 14:03:56.839978 UTC 25690 TRACE [connecting] connecting:74 - Connector.cc:153
20230803 14:03:57.095485 UTC 25690 TRACE [newConnection] SSL enabled: true - TcpClient.cc:154
20230803 14:03:57.095560 UTC 25690 TRACE [TcpConnectionImpl] new connection:x4.1x5.1xx.x0x:443->10.0.2.15:45224 - TcpConnectionImpl.cc:59
20230803 14:03:57.096169 UTC 25690 TRACE [operator()] connectEstablished - TcpConnectionImpl.cc:334
20230803 14:03:57.096312 UTC 25690 TRACE [processHandshake] SSL handshake wants to read - OpenSSLProvider.cc:690
20230803 14:03:57.351084 UTC 25690 TRACE [recvData] Received 2824 bytes from lower layer - OpenSSLProvider.cc:532
20230803 14:03:57.351225 UTC 25690 TRACE [processHandshake] SSL handshake wants to read - OpenSSLProvider.cc:690
20230803 14:03:57.351787 UTC 25690 TRACE [recvData] Received 1272 bytes from lower layer - OpenSSLProvider.cc:532
20230803 14:03:57.351815 UTC 25690 TRACE [processHandshake] SSL handshake wants to read - OpenSSLProvider.cc:690
20230803 14:03:57.359213 UTC 25690 TRACE [recvData] Received 880 bytes from lower layer - OpenSSLProvider.cc:532
20230803 14:03:57.360208 UTC 25690 TRACE [processHandshake] SSL handshake wants to read - OpenSSLProvider.cc:690
20230803 14:03:57.619603 UTC 25690 TRACE [recvData] Received 51 bytes from lower layer - OpenSSLProvider.cc:532
20230803 14:03:57.619727 UTC 25690 TRACE [processHandshake] SSL handshake finished - OpenSSLProvider.cc:600
20230803 14:03:57.619808 UTC 25690 TRACE [validatePeerCertificate] Validating peer cerificate - OpenSSLProvider.cc:132
20230803 14:03:57.619816 UTC 25690 TRACE [validatePeerCertificate] cert error code: 10, date validation failed - OpenSSLProvider.cc:147
20230803 14:03:57.619820 UTC 25690 TRACE [processHandshake] SSL handshake error: invalid peer certificate - OpenSSLProvider.cc:662
20230803 14:03:57.619993 UTC 25690 TRACE [handleClose] connection closed, fd=74 - TcpConnectionImpl.cc:348

CURL:

curl --location 'https://myserver.io/disconnect' --header 'Content-Type: application/json' --data '{"id":400031,"reason_code":1005,"reason":"Debug"}' --tlsv1.3 -vvv

• Trying x4.1x5.1xx.x0x:443...
• Connected to myserver.io (x4.1x5.1xx.x0x) port 443 (#0)
• ALPN, offering http/1.1
• CAfile: /etc/ssl/certs/ca-bundle.crt
• CApath: none
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (IN), TLS handshake, CERT verify (15):
• TLSv1.3 (IN), TLS handshake, Finished (20):
• TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
• TLSv1.3 (OUT), TLS handshake, Finished (20):
• SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
• ALPN, server accepted to use http/1.1
• Server certificate:
• subject: CN=myserver.io
• start date: Jun 22 19:53:39 2023 GMT
• expire date: Sep 20 19:53:38 2023 GMT
• subjectAltName: host "myserver.io" matched cert's "myserver.io"
• issuer: C=US; O=Let's Encrypt; CN=R3
• SSL certificate verify ok.

POST /disconnect HTTP/1.1
Host: myserver.io
User-Agent: curl/7.81.0
Accept: /
Content-Type: application/json
Content-Length: 99

• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• old SSL session ID is stale, removing
• Mark bundle as not supporting multiuse
  < HTTP/1.1 200
  < Server: nginx/1.19.10
  < Date: Thu, 03 Aug 2023 14:03:31 GMT
  < Transfer-Encoding: chunked
  < Connection: keep-alive
  < Access-Control-Allow-Methods: POST
  < Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
  <
• Connection #0 to host myserver.io left intact
  {"reason":"Debug","reason_code":1005,"id":400031}

Drogon Version : 1.8.4
OpenSSL Version : 1.1.1k
Curl Version: 7.81.0
SSL Certificate is Self Signed

myserver.io is dummy server address and IP is hidden.

[aligokalppeker]

No answer to this Question yet? I think this should be opened as a bug directly.

[an-tao]

Sorry for the late reply and thank you for your feedback. You can try updating drogon to the latest version to see if this resolves the issue.