From: el kalin
To: Dan Lukes, freebsd-security@freebsd.org, freebsd-users@freebsd.org
Date: Tue, 7 Apr 2015 20:12:47 -0400
Subject: Re: openssl certificates
In-Reply-To: <55245C8B.3020303@obluda.cz>
References: <5524525D.50500@obluda.cz> <55245C8B.3020303@obluda.cz>
On Tue, Apr 7, 2015 at 6:39 PM, Dan Lukes wrote:

> el kalin wrote:
>>> also how to add a CA cert to ca_root_nss file?
>>
>> ok. it's in pem. but for each cert my ca-root-nss.crt has a bunch of other
>> sections - like date, signature algorithm, etc - whereas the company-root-ca.crt
>> has only what's in-between the begin and end lines. does that matter?
>
> The certificate is located between BEGIN and END marker only. The rest
> is comment. In most cases the text dump of certificate is used as
> comment, but it's up to you.

thanks dan… i have added the certs to the ca-root-nss.crt. it still doesn't
help much in my case.

the problem really is that i can not get any https requests from a freebsd 10
box using a third party signed certificate with my private key and their ca
certs to work. mostly testing with wget on the command line (it's a remote
machine) like:

wget --verbose --no-cookies --certificate=local.pem --ca-certificate=/usr/local/share/ca-root-nss.crt "https://domain.org/soapservice.asmx?WSDL"

this is for a soap call. and the local.pem is a conversion from a pkcs12 file.

every time i do that i get:

HTTP request sent, awaiting response... 405 Method Not Allowed

does that mean that the web server actually verified the certificate and the
problem is coming from the soap server application?
i am able to make successful requests to retrieve the wsdl using firefox after
importing the signed certificate… also when i test the certificates against the
server with:

openssl s_client -cert local.pem -connect domain.org:443 -CAfile /usr/local/share/ca-root-nss.crt -debug

i get to:

Timeout : 300 (sec)
Verify return code: 0 (ok)
---

and then it just hangs, nothing happens - there is no prompt back…

any help at this point will be appreciated…. thanks...
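An added example, not part of the thread and not FreeBSD's own tooling: a small POSIX sh script that applies what Dan describes above (everything outside the BEGIN/END markers is comment; only the PEM block is the certificate) to a bundle laid out like ca-root-nss.crt. It extracts the bare certificate blocks with awk, counts them, and appends a company CA file to a bundle while refusing to add a certificate whose base64 body is already present, even when that copy sits under a different text dump. The file names, the function names and the two base64 bodies are constructed placeholders (they are not real certificates), and the script uses no openssl, so it runs anywhere sh and awk exist.

```shell
#!/bin/sh
# Added example (not from the original thread). Handles the "text dump +
# PEM block" layout of ca-root-nss.crt using only sh, awk and grep.
# The certificate bodies below are CONSTRUCTED placeholders, not real
# certificates; only the BEGIN/END framing matters to this script.

# Print only the PEM certificate blocks of a file. Every line outside a
# -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- pair (the text
# dump that ca-root-nss.crt keeps above each cert) is comment and is dropped.
extract_pem_blocks() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
        inside                          { print }
        /^-----END CERTIFICATE-----$/   { inside = 0 }
    ' "$1"
}

# Number of certificate blocks in a file (0 rather than an error when none).
count_pem_blocks() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# One line per certificate: its base64 body with line breaks removed, so two
# copies of the same cert compare equal regardless of comments or wrapping.
pem_bodies() {
    extract_pem_blocks "$1" | awk '
        /^-----BEGIN/ { body = ""; next }
        /^-----END/   { print body; next }
        { body = body $0 }
    '
}

# Append the certificate in CERTFILE (assumed to hold one cert, like a
# company-root-ca.crt) to BUNDLE, unless the same body is already there.
append_cert() {
    bundle=$1
    certfile=$2
    new=$(pem_bodies "$certfile")
    if [ -z "$new" ]; then
        echo "no certificate block found in $certfile" >&2
        return 1
    fi
    if pem_bodies "$bundle" | grep -qxF -- "$new"; then
        echo "$certfile: already present in $bundle, not appended" >&2
        return 0
    fi
    {
        # A comment line is allowed here: the bundle treats it as comment.
        printf '\n# %s (appended by append_cert)\n' "$(basename "$certfile")"
        extract_pem_blocks "$certfile"
    } >> "$bundle"
}

# --- demonstration with constructed files in a scratch directory ---
work=$(mktemp -d)
BUNDLE="$work/ca-root-nss.crt"
NEWCERT="$work/company-root-ca.crt"

# A bundle in the ca-root-nss.crt style: text dump first, then the PEM block.
cat > "$BUNDLE" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Constructed Root A
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQk9EWSBBIC0gTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
EOF

# The third-party CA file: only the BEGIN/END block, no dump at all.
cat > "$NEWCERT" <<'EOF'
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQk9EWSBCIC0gTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
EOF

before=$(count_pem_blocks "$BUNDLE")
append_cert "$BUNDLE" "$NEWCERT"
append_cert "$BUNDLE" "$NEWCERT"      # second call is detected as a duplicate
after=$(count_pem_blocks "$BUNDLE")
echo "certificates in bundle: $before -> $after"   # 1 -> 2
```

Once the bundle has been updated this way, the same file can be handed to `-CAfile` / `--ca-certificate`; for `openssl s_client` it is worth remembering that after the handshake it simply waits on stdin for application data, so running it with stdin closed (`</dev/null`) or piping a request into it avoids the idle session that looks like a hang.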