Date:      Thu, 10 Jan 2013 11:18:51 -0500
From:      Paul Kraus <paul@kraus-haus.org>
To:        freebsd-questions@freebsd.org
Subject:   OpenSSL Certificate issue
Message-ID:  <23C1DB57-7A56-48DC-A0D0-8CF8B1CC8915@kraus-haus.org>

I am having an odd issue with OpenSSL and root certs, specifically
fetching email via POP from Google. When I test with "openssl s_client"
and specify -CAfile it works; when I specify -CApath (and I did run
c_rehash) it fails. I am sure this is a very simple error on my part,
but no amount of searching has led me to the answer. See the examples
below.

--------------------------------------------------------------------------------
The directory of certs...

[root@MailArch /usr/local/openssl/certs]# ls -la
total 812
drwxr-xr-x  2 root  wheel    1024 Jan 10 10:51 .
drwxr-xr-x  5 root  wheel     512 Sep  5 16:13 ..
lrwxr-xr-x  1 root  wheel      30 Jan 10 10:51 116bf586.0 -> GeoTrust_Primary_CA_G2_ECC.pem
lrwxr-xr-x  1 root  wheel      22 Jan 10 10:51 2c543cd1.0 -> GeoTrust_Global_CA.pem
lrwxr-xr-x  1 root  wheel      23 Jan 10 10:51 480720ec.0 -> GeoTrust_Primary_CA.pem
lrwxr-xr-x  1 root  wheel      40 Jan 10 10:51 578d5c04.0 -> Equifax_Secure_Certificate_Authority.pem
lrwxr-xr-x  1 root  wheel      33 Jan 10 10:51 79ad8b43.0 -> Equifax_Secure_eBusiness_CA-1.pem
lrwxr-xr-x  1 root  wheel      26 Jan 10 10:51 8867006a.0 -> GeoTrust_Universal_CA2.pem
lrwxr-xr-x  1 root  wheel      15 Jan 10 10:51 8d86cdd1.0 -> ca-root-nss.pem
-rw-r--r--  1 root  wheel    1160 Jul 11  2012 Equifax_Secure_Certificate_Authority.pem
-rw-r--r--  1 root  wheel     962 Jun 27  2012 Equifax_Secure_Global_eBusiness_CA-1.pem
-rw-r--r--  1 root  wheel     947 Jun 27  2012 Equifax_Secure_eBusiness_CA-1.pem
-rw-r--r--  1 root  wheel    1234 Jun 27  2012 GeoTrust_Global_CA.pem
-rw-r--r--  1 root  wheel    1261 Jun 27  2012 GeoTrust_Global_CA2.pem
-rw-r--r--  1 root  wheel    1290 Jan 19  2011 GeoTrust_Primary_CA.pem
-rw-r--r--  1 root  wheel    1004 Nov 10  2011 GeoTrust_Primary_CA_G2_ECC.pem
-rw-r--r--  1 root  wheel    1965 Jun 27  2012 GeoTrust_Universal_CA.pem
-rw-r--r--  1 root  wheel    1968 Jun 27  2012 GeoTrust_Universal_CA2.pem
lrwxr-xr-x  1 root  wheel      25 Jan 10 10:51 ad088e1d.0 -> GeoTrust_Universal_CA.pem
-r--r--r--  1 root  wheel  741266 Jan 10 10:51 ca-root-nss.pem
lrwxr-xr-x  1 root  wheel      23 Jan 10 10:51 cbeee9e2.0 -> GeoTrust_Global_CA2.pem
lrwxr-xr-x  1 root  wheel      40 Jan 10 10:51 ef2f636c.0 -> Equifax_Secure_Global_eBusiness_CA-1.pem

--------------------------------------------------------------------------------
This works...

[root@MailArch /usr/local/openssl/certs]# openssl s_client -connect pop.gmail.com:995 -CAfile /usr/local/openssl/certs/ca-root-nss.pem
CONNECTED(00000003)
depth=2 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----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3D=3D
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1750 bytes and written 325 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: D8E468DF835970F04647E52A8A0C0ADB673CDBE5D73F60098558A11BF4930576
    Session-ID-ctx: 
    Master-Key: D6064056F009D26B6CA0C1BBE1271A3B3F840323BA3F0ABA220EFDFDE9FCE1D3DB93CA49F19D794E1DD399BE4350364F
    Key-Arg   : None
    Start Time: 1357834496
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Gpop ready for requests from 208.105.14.76 cz12pf1272748vdb.40
^C

--------------------------------------------------------------------------------
And this does not work...

[root@MailArch /usr/local/openssl/certs]# openssl s_client -connect pop.gmail.com:995 -CApath /usr/local/openssl/certs
CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----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3D=3D
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1750 bytes and written 325 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 4797C67363287F3C528509AAB91A0852BF265D6DFAEB144048815047CA3595DB
    Session-ID-ctx: 
    Master-Key: 1A0FAD1AA041894DEDB7329984DBC513D3EE7B4B92901F7700D5C15D767C3E9E5761561BBD47647605D0852D2A24501E
    Key-Arg   : None
    Start Time: 1357834512
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK Gpop ready for requests from 208.105.14.76 j10pf1276456vde.5
^C
[root@MailArch /usr/local/openssl/certs]#

--
Paul Kraus
Deputy Technical Director, LoneStarCon 3
Sound Coordinator, Schenectady Light Opera Company



