From: Paul Kraus
Date: Thu, 10 Jan 2013 11:18:51 -0500
Subject: OpenSSL Certificate issue
To: freebsd-questions@freebsd.org
Message-Id: <23C1DB57-7A56-48DC-A0D0-8CF8B1CC8915@kraus-haus.org>
I am having an odd issue with OpenSSL and root certs, specifically fetching email via POP from Google. When I test with "openssl s_client" and specify the -CAfile I am OK; when I specify the -CApath (and I did run a c_rehash) it fails. I am sure this is a very simple error on my part, but no amount of searching has led me to the answer. See examples below.

--------------------------------------------------------------------------------

The directory of certs...

[root@MailArch /usr/local/openssl/certs]# ls -la
total 812
drwxr-xr-x  2 root  wheel    1024 Jan 10 10:51 .
drwxr-xr-x  5 root  wheel     512 Sep  5 16:13 ..
lrwxr-xr-x  1 root  wheel      30 Jan 10 10:51 116bf586.0 -> GeoTrust_Primary_CA_G2_ECC.pem
lrwxr-xr-x  1 root  wheel      22 Jan 10 10:51 2c543cd1.0 -> GeoTrust_Global_CA.pem
lrwxr-xr-x  1 root  wheel      23 Jan 10 10:51 480720ec.0 -> GeoTrust_Primary_CA.pem
lrwxr-xr-x  1 root  wheel      40 Jan 10 10:51 578d5c04.0 -> Equifax_Secure_Certificate_Authority.pem
lrwxr-xr-x  1 root  wheel      33 Jan 10 10:51 79ad8b43.0 -> Equifax_Secure_eBusiness_CA-1.pem
lrwxr-xr-x  1 root  wheel      26 Jan 10 10:51 8867006a.0 -> GeoTrust_Universal_CA2.pem
lrwxr-xr-x  1 root  wheel      15 Jan 10 10:51 8d86cdd1.0 -> ca-root-nss.pem
-rw-r--r--  1 root  wheel    1160 Jul 11  2012 Equifax_Secure_Certificate_Authority.pem
-rw-r--r--  1 root  wheel     962 Jun 27  2012 Equifax_Secure_Global_eBusiness_CA-1.pem
-rw-r--r--  1 root  wheel     947 Jun 27  2012 Equifax_Secure_eBusiness_CA-1.pem
-rw-r--r--  1 root  wheel    1234 Jun 27  2012 GeoTrust_Global_CA.pem
-rw-r--r--  1 root  wheel    1261 Jun 27  2012 GeoTrust_Global_CA2.pem
-rw-r--r--  1 root  wheel    1290 Jan 19  2011 GeoTrust_Primary_CA.pem
-rw-r--r--  1 root  wheel    1004 Nov 10  2011 GeoTrust_Primary_CA_G2_ECC.pem
-rw-r--r--  1 root  wheel    1965 Jun 27  2012 GeoTrust_Universal_CA.pem
-rw-r--r--  1 root  wheel    1968 Jun 27  2012 GeoTrust_Universal_CA2.pem
lrwxr-xr-x  1 root  wheel      25 Jan 10 10:51 ad088e1d.0 -> GeoTrust_Universal_CA.pem
-r--r--r--  1 root  wheel  741266 Jan 10 10:51 ca-root-nss.pem
lrwxr-xr-x  1 root  wheel      23 Jan 10 10:51 cbeee9e2.0 -> GeoTrust_Global_CA2.pem
lrwxr-xr-x  1 root  wheel      40 Jan 10 10:51 ef2f636c.0 -> Equifax_Secure_Global_eBusiness_CA-1.pem

--------------------------------------------------------------------------------

This works...

[root@MailArch /usr/local/openssl/certs]# openssl s_client -connect pop.gmail.com:995 -CAfile /usr/local/openssl/certs/ca-root-nss.pem
CONNECTED(00000003)
depth=2 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDfjCCAuegAwIBAgIKO3SUyAAAAABopzANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMjA5MTIxMTU3MjNaFw0xMzA2MDcxOTQzMjda
MGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYwFAYDVQQDEw1wb3Au
Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWvVlprqQFc95x
O5yfdTl7Hxqvs7C9PPKNdgegVio9c8lOyXoAZSei35xdrNPNbZhxqj5IKbQ+Sqy4
W3H9VVcYnf7MLiKWYCv6TisatKaj98LCd8A5soKp5vidtC+UyCelvB7BsE+rPUm1
CWURHnkNOWEInpJ0grX9ySx2n4hK/wIDAQABo4IBUDCCAUwwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQu/gVNhWx5xU5lNECDJANUvwdT
wDAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra42sSJDBbBgNVHR8EVDBSMFCg
TqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVybmV0QXV0aG9y
aXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNybDBmBggrBgEFBQcBAQRaMFgw
VgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJu
ZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3J0MAwGA1UdEwEB
/wQCMAAwGAYDVR0RBBEwD4INcG9wLmdtYWlsLmNvbTANBgkqhkiG9w0BAQUFAAOB
gQC4TtLHlv9CIxcIYr5THHpQ8TtQ7vtZyBBJM/RGF7omUSrWPp5Q0ehVnHH5HT4l
zrlskssLcq8PLsO/prVIxDZUmmcJwMzKw2c//zaCew13Ms/Dq0UbO2Q6IqzppXQL
nHIP7STcClUMZkgiOpzLfrM3jMKa+LuFVVfdRvGh0XVogg==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1750 bytes and written 325 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: D8E468DF835970F04647E52A8A0C0ADB673CDBE5D73F60098558A11BF4930576
    Session-ID-ctx:
    Master-Key: D6064056F009D26B6CA0C1BBE1271A3B3F840323BA3F0ABA220EFDFDE9FCE1D3DB93CA49F19D794E1DD399BE4350364F
    Key-Arg   : None
    Start Time: 1357834496
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Gpop ready for requests from 208.105.14.76 cz12pf1272748vdb.40
^C

--------------------------------------------------------------------------------

And this does not work...

[root@MailArch /usr/local/openssl/certs]# openssl s_client -connect pop.gmail.com:995 -CApath /usr/local/openssl/certs
CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDfjCCAuegAwIBAgIKO3SUyAAAAABopzANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMjA5MTIxMTU3MjNaFw0xMzA2MDcxOTQzMjda
MGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYwFAYDVQQDEw1wb3Au
Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWvVlprqQFc95x
O5yfdTl7Hxqvs7C9PPKNdgegVio9c8lOyXoAZSei35xdrNPNbZhxqj5IKbQ+Sqy4
W3H9VVcYnf7MLiKWYCv6TisatKaj98LCd8A5soKp5vidtC+UyCelvB7BsE+rPUm1
CWURHnkNOWEInpJ0grX9ySx2n4hK/wIDAQABo4IBUDCCAUwwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQu/gVNhWx5xU5lNECDJANUvwdT
wDAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra42sSJDBbBgNVHR8EVDBSMFCg
TqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVybmV0QXV0aG9y
aXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNybDBmBggrBgEFBQcBAQRaMFgw
VgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJu
ZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3J0MAwGA1UdEwEB
/wQCMAAwGAYDVR0RBBEwD4INcG9wLmdtYWlsLmNvbTANBgkqhkiG9w0BAQUFAAOB
gQC4TtLHlv9CIxcIYr5THHpQ8TtQ7vtZyBBJM/RGF7omUSrWPp5Q0ehVnHH5HT4l
zrlskssLcq8PLsO/prVIxDZUmmcJwMzKw2c//zaCew13Ms/Dq0UbO2Q6IqzppXQL
nHIP7STcClUMZkgiOpzLfrM3jMKa+LuFVVfdRvGh0XVogg==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1750 bytes and written 325 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 4797C67363287F3C528509AAB91A0852BF265D6DFAEB144048815047CA3595DB
    Session-ID-ctx:
    Master-Key: 1A0FAD1AA041894DEDB7329984DBC513D3EE7B4B92901F7700D5C15D767C3E9E5761561BBD47647605D0852D2A24501E
    Key-Arg   : None
    Start Time: 1357834512
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK Gpop ready for requests from 208.105.14.76 j10pf1276456vde.5
^C
[root@MailArch /usr/local/openssl/certs]#

-- 
Paul Kraus
Deputy Technical Director, LoneStarCon 3
Sound Coordinator, Schenectady Light Opera Company
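An added check that is not part of the post above: with -CApath, OpenSSL looks for the issuer of each certificate in a file named <subject_hash>.N, where the hash is computed by the openssl binary doing the verification, not by whichever c_rehash populated the directory. OpenSSL 1.0.0 changed the subject-hash algorithm, so a directory hashed by one version is invisible to a binary of the other (from 1.0.0 on, "openssl x509 -subject_hash_old" prints the pre-1.0.0 value). That is one common reason for "unable to get local issuer certificate" appearing with -CApath but not with -CAfile. The script below recomputes every PEM file's hash with the openssl in PATH and reports files that have no usable hash link; like c_rehash, it hashes only the first certificate in a bundle. The directory name in the usage comment is an assumption for the example.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that every CA file in a
# -CApath directory has a hash-named link that the openssl in PATH will find.
# OpenSSL looks up an issuer as DIR/<subject_hash>.N; the hash algorithm
# changed in 1.0.0, so links made by another version's c_rehash go unused.

# subject_hash FILE: hash of the first certificate in FILE, as computed by
# the openssl binary that will actually be doing the verification.
subject_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# check_capath DIR: for each *.pem in DIR, require a DIR/<hash>.N entry whose
# content hashes to the same value. Prints one line per problem and returns
# 1 if any were found, 0 otherwise.
check_capath() {
    dir=$1
    rc=0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue               # glob matched nothing
        h=$(subject_hash "$pem" 2>/dev/null) || {
            echo "not a certificate: $pem"
            rc=1
            continue
        }
        found=0
        for link in "$dir"/"$h".[0-9]*; do
            [ -e "$link" ] || continue          # no DIR/<hash>.N at all
            # the link must resolve to a certificate with the same hash
            if [ "$(subject_hash "$link" 2>/dev/null)" = "$h" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            # -subject_hash_old exists from OpenSSL 1.0.0 on; it is printed so
            # a link named after the pre-1.0.0 hash can be recognised by eye.
            old=$(openssl x509 -noout -subject_hash_old -in "$pem" 2>/dev/null || true)
            echo "missing $h.N for $pem (pre-1.0.0 hash: ${old:-n/a}); hashed with: $(openssl version)"
            rc=1
        fi
    done
    return $rc
}

# Usage (directory name is an assumption): check_capath /usr/local/openssl/certs
```

A zero exit with no output means every CA file is reachable under the running openssl's hash; a "missing" line names the file whose link was generated by something else (or not at all), and re-running c_rehash from the same OpenSSL installation that s_client comes from rebuilds the links with matching names.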