From owner-freebsd-questions@FreeBSD.ORG  Thu Jan 10 16:18:55 2013
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id 1645BFE7
 for <freebsd-questions@freebsd.org>; Thu, 10 Jan 2013 16:18:55 +0000 (UTC)
 (envelope-from paul@kraus-haus.org)
Received: from mail-qa0-f50.google.com (mail-qa0-f50.google.com
 [209.85.216.50]) by mx1.freebsd.org (Postfix) with ESMTP id D013179D
 for <freebsd-questions@freebsd.org>; Thu, 10 Jan 2013 16:18:54 +0000 (UTC)
Received: by mail-qa0-f50.google.com with SMTP id cr7so701828qab.9
 for <freebsd-questions@freebsd.org>; Thu, 10 Jan 2013 08:18:54 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=google.com; s=20120113;
 h=x-received:from:content-type:content-transfer-encoding:date:subject
 :to:message-id:mime-version:x-mailer:x-gm-message-state;
 bh=U6rntlSh9qZ9JZK2YKyods2ZXKQRwzbPVThV7NHxV/0=;
 b=etmCTsmhFvAInaeBC7LW7F0NJ2mKFYbA3DibDqo31l5vE6X9m6iUsgHq+cJ20PREAs
 lGm9JEiz+bIb/cLkGXKmIBLUjFn7UjAF2PSGhqDjqqqPuwoSqrB6WziyTLTIAIkUFTMM
 zhB3rjAZ/N9AmUX1U9UmNaVDudOd+mqheVmlL9Bhf0bke+wT8oVte+QYsQ9O3yrjC+PA
 W00RTKioxbFcq/wbTvtnNTkeJTUL33Kt0wi8rP3ptLrUwfk0hyoltXnTAC3PjpEaSz/q
 WxhuVN5cM9Y2rEQQboC5T6/qSoq3CYLSbUXJLC1XH4XVohDtmQ/YDeuM3xXVmoUY1hSX
 vsGg==
X-Received: by 10.229.69.100 with SMTP id y36mr13520922qci.34.1357834733984;
 Thu, 10 Jan 2013 08:18:53 -0800 (PST)
Received: from mini1.kraus-haus.org ([96.236.21.119])
 by mx.google.com with ESMTPS id j20sm1784489qaq.17.2013.01.10.08.18.52
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Thu, 10 Jan 2013 08:18:53 -0800 (PST)
From: Paul Kraus <paul@kraus-haus.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Thu, 10 Jan 2013 11:18:51 -0500
Subject: OpenSSL Certificate issue
To: freebsd-questions@freebsd.org
Message-Id: <23C1DB57-7A56-48DC-A0D0-8CF8B1CC8915@kraus-haus.org>
Mime-Version: 1.0 (Apple Message framework v1085)
X-Mailer: Apple Mail (2.1085)
X-Gm-Message-State: ALoCoQniDkRFpjZYX+AgapwvEFoJxiBYCx6vK5yLWrJD6vlytdldk+BFpGk7W+cYP+QazNZDmZKg
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2013 16:18:55 -0000

I am having an odd issue with OpenSSL and root certs, specifically =
fetching email via POP from Google. When I test with "openssl s_client" =
and specify the -CAfile I am OK, when I specify the -CApath (and I did =
run a c_rehash) it fails. I am sure this is a very simple error on my =
part, but no amount of searching has led me to the answer. See examples =
below.

=
--------------------------------------------------------------------------=
------
The directory of certs...

[root@MailArch /usr/local/openssl/certs]# ls -la
total 812
drwxr-xr-x  2 root  wheel    1024 Jan 10 10:51 .
drwxr-xr-x  5 root  wheel     512 Sep  5 16:13 ..
lrwxr-xr-x  1 root  wheel      30 Jan 10 10:51 116bf586.0 -> =
GeoTrust_Primary_CA_G2_ECC.pem
lrwxr-xr-x  1 root  wheel      22 Jan 10 10:51 2c543cd1.0 -> =
GeoTrust_Global_CA.pem
lrwxr-xr-x  1 root  wheel      23 Jan 10 10:51 480720ec.0 -> =
GeoTrust_Primary_CA.pem
lrwxr-xr-x  1 root  wheel      40 Jan 10 10:51 578d5c04.0 -> =
Equifax_Secure_Certificate_Authority.pem
lrwxr-xr-x  1 root  wheel      33 Jan 10 10:51 79ad8b43.0 -> =
Equifax_Secure_eBusiness_CA-1.pem
lrwxr-xr-x  1 root  wheel      26 Jan 10 10:51 8867006a.0 -> =
GeoTrust_Universal_CA2.pem
lrwxr-xr-x  1 root  wheel      15 Jan 10 10:51 8d86cdd1.0 -> =
ca-root-nss.pem
-rw-r--r--  1 root  wheel    1160 Jul 11  2012 =
Equifax_Secure_Certificate_Authority.pem
-rw-r--r--  1 root  wheel     962 Jun 27  2012 =
Equifax_Secure_Global_eBusiness_CA-1.pem
-rw-r--r--  1 root  wheel     947 Jun 27  2012 =
Equifax_Secure_eBusiness_CA-1.pem
-rw-r--r--  1 root  wheel    1234 Jun 27  2012 GeoTrust_Global_CA.pem
-rw-r--r--  1 root  wheel    1261 Jun 27  2012 GeoTrust_Global_CA2.pem
-rw-r--r--  1 root  wheel    1290 Jan 19  2011 GeoTrust_Primary_CA.pem
-rw-r--r--  1 root  wheel    1004 Nov 10  2011 =
GeoTrust_Primary_CA_G2_ECC.pem
-rw-r--r--  1 root  wheel    1965 Jun 27  2012 GeoTrust_Universal_CA.pem
-rw-r--r--  1 root  wheel    1968 Jun 27  2012 =
GeoTrust_Universal_CA2.pem
lrwxr-xr-x  1 root  wheel      25 Jan 10 10:51 ad088e1d.0 -> =
GeoTrust_Universal_CA.pem
-r--r--r--  1 root  wheel  741266 Jan 10 10:51 ca-root-nss.pem
lrwxr-xr-x  1 root  wheel      23 Jan 10 10:51 cbeee9e2.0 -> =
GeoTrust_Global_CA2.pem
lrwxr-xr-x  1 root  wheel      40 Jan 10 10:51 ef2f636c.0 -> =
Equifax_Secure_Global_eBusiness_CA-1.pem

=
--------------------------------------------------------------------------=
------
This works...

[root@MailArch /usr/local/openssl/certs]# openssl s_client -connect =
pop.gmail.com:995 -CAfile /usr/local/openssl/certs/ca-root-nss.pem=20
CONNECTED(00000003)
depth=3D2 /C=3DUS/O=3DEquifax/OU=3DEquifax Secure Certificate Authority
verify return:1
depth=3D1 /C=3DUS/O=3DGoogle Inc/CN=3DGoogle Internet Authority
verify return:1
depth=3D0 /C=3DUS/ST=3DCalifornia/L=3DMountain View/O=3DGoogle =
Inc/CN=3Dpop.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=3DUS/ST=3DCalifornia/L=3DMountain View/O=3DGoogle =
Inc/CN=3Dpop.gmail.com
   i:/C=3DUS/O=3DGoogle Inc/CN=3DGoogle Internet Authority
 1 s:/C=3DUS/O=3DGoogle Inc/CN=3DGoogle Internet Authority
   i:/C=3DUS/O=3DEquifax/OU=3DEquifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDfjCCAuegAwIBAgIKO3SUyAAAAABopzANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMjA5MTIxMTU3MjNaFw0xMzA2MDcxOTQzMjda
MGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYwFAYDVQQDEw1wb3Au
Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWvVlprqQFc95x
O5yfdTl7Hxqvs7C9PPKNdgegVio9c8lOyXoAZSei35xdrNPNbZhxqj5IKbQ+Sqy4
W3H9VVcYnf7MLiKWYCv6TisatKaj98LCd8A5soKp5vidtC+UyCelvB7BsE+rPUm1
CWURHnkNOWEInpJ0grX9ySx2n4hK/wIDAQABo4IBUDCCAUwwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQu/gVNhWx5xU5lNECDJANUvwdT
wDAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra42sSJDBbBgNVHR8EVDBSMFCg
TqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVybmV0QXV0aG9y
aXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNybDBmBggrBgEFBQcBAQRaMFgw
VgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJu
ZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3J0MAwGA1UdEwEB
/wQCMAAwGAYDVR0RBBEwD4INcG9wLmdtYWlsLmNvbTANBgkqhkiG9w0BAQUFAAOB
gQC4TtLHlv9CIxcIYr5THHpQ8TtQ7vtZyBBJM/RGF7omUSrWPp5Q0ehVnHH5HT4l
zrlskssLcq8PLsO/prVIxDZUmmcJwMzKw2c//zaCew13Ms/Dq0UbO2Q6IqzppXQL
nHIP7STcClUMZkgiOpzLfrM3jMKa+LuFVVfdRvGh0XVogg=3D=3D
-----END CERTIFICATE-----
subject=3D/C=3DUS/ST=3DCalifornia/L=3DMountain View/O=3DGoogle =
Inc/CN=3Dpop.gmail.com
issuer=3D/C=3DUS/O=3DGoogle Inc/CN=3DGoogle Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1750 bytes and written 325 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: =
D8E468DF835970F04647E52A8A0C0ADB673CDBE5D73F60098558A11BF4930576
    Session-ID-ctx:=20
    Master-Key: =
D6064056F009D26B6CA0C1BBE1271A3B3F840323BA3F0ABA220EFDFDE9FCE1D3DB93CA49F1=
9D794E1DD399BE4350364F
    Key-Arg   : None
    Start Time: 1357834496
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Gpop ready for requests from 208.105.14.76 cz12pf1272748vdb.40
^C

=
--------------------------------------------------------------------------=
------
And this does not work...

[root@MailArch /usr/local/openssl/certs]# openssl s_client -connect =
pop.gmail.com:995 -CApath /usr/local/openssl/certs
CONNECTED(00000003)
depth=3D1 /C=3DUS/O=3DGoogle Inc/CN=3DGoogle Internet Authority
verify error:num=3D20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=3DUS/ST=3DCalifornia/L=3DMountain View/O=3DGoogle =
Inc/CN=3Dpop.gmail.com
   i:/C=3DUS/O=3DGoogle Inc/CN=3DGoogle Internet Authority
 1 s:/C=3DUS/O=3DGoogle Inc/CN=3DGoogle Internet Authority
   i:/C=3DUS/O=3DEquifax/OU=3DEquifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDfjCCAuegAwIBAgIKO3SUyAAAAABopzANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMjA5MTIxMTU3MjNaFw0xMzA2MDcxOTQzMjda
MGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYwFAYDVQQDEw1wb3Au
Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWvVlprqQFc95x
O5yfdTl7Hxqvs7C9PPKNdgegVio9c8lOyXoAZSei35xdrNPNbZhxqj5IKbQ+Sqy4
W3H9VVcYnf7MLiKWYCv6TisatKaj98LCd8A5soKp5vidtC+UyCelvB7BsE+rPUm1
CWURHnkNOWEInpJ0grX9ySx2n4hK/wIDAQABo4IBUDCCAUwwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQu/gVNhWx5xU5lNECDJANUvwdT
wDAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra42sSJDBbBgNVHR8EVDBSMFCg
TqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVybmV0QXV0aG9y
aXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNybDBmBggrBgEFBQcBAQRaMFgw
VgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJu
ZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3J0MAwGA1UdEwEB
/wQCMAAwGAYDVR0RBBEwD4INcG9wLmdtYWlsLmNvbTANBgkqhkiG9w0BAQUFAAOB
gQC4TtLHlv9CIxcIYr5THHpQ8TtQ7vtZyBBJM/RGF7omUSrWPp5Q0ehVnHH5HT4l
zrlskssLcq8PLsO/prVIxDZUmmcJwMzKw2c//zaCew13Ms/Dq0UbO2Q6IqzppXQL
nHIP7STcClUMZkgiOpzLfrM3jMKa+LuFVVfdRvGh0XVogg=3D=3D
-----END CERTIFICATE-----
subject=3D/C=3DUS/ST=3DCalifornia/L=3DMountain View/O=3DGoogle =
Inc/CN=3Dpop.gmail.com
issuer=3D/C=3DUS/O=3DGoogle Inc/CN=3DGoogle Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1750 bytes and written 325 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: =
4797C67363287F3C528509AAB91A0852BF265D6DFAEB144048815047CA3595DB
    Session-ID-ctx:=20
    Master-Key: =
1A0FAD1AA041894DEDB7329984DBC513D3EE7B4B92901F7700D5C15D767C3E9E5761561BBD=
47647605D0852D2A24501E
    Key-Arg   : None
    Start Time: 1357834512
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK Gpop ready for requests from 208.105.14.76 j10pf1276456vde.5
^C
[root@MailArch /usr/local/openssl/certs]#=20

--
Paul Kraus
Deputy Technical Director, LoneStarCon 3
Sound Coordinator, Schenectady Light Opera Company