Date: Thu, 10 Jan 2013 12:38:05 -0500 From: Greg Larkin <glarkin@FreeBSD.org> To: Paul Kraus <paul@kraus-haus.org> Cc: freebsd-questions@freebsd.org Subject: Re: OpenSSL Certificate issue Message-ID: <50EEFC7D.5070706@FreeBSD.org> In-Reply-To: <23C1DB57-7A56-48DC-A0D0-8CF8B1CC8915@kraus-haus.org> References: <23C1DB57-7A56-48DC-A0D0-8CF8B1CC8915@kraus-haus.org>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 1/10/13 11:18 AM, Paul Kraus wrote: > I am having an odd issue with OpenSSL and root certs, specifically > fetching email via POP from Google. When I test with "openssl > s_client" and specify the -CAfile I am OK, when I specify the > -CApath (and I did run a c_rehash) it fails. I am sure this is a > very simple error on my part, but no amount of searching has led me > to the answer. See examples below. > > -------------------------------------------------------------------------------- > > The directory of certs... > > [root@MailArch /usr/local/openssl/certs]# ls -la total 812 > drwxr-xr-x 2 root wheel 1024 Jan 10 10:51 . drwxr-xr-x 5 root > wheel 512 Sep 5 16:13 .. lrwxr-xr-x 1 root wheel 30 Jan > 10 10:51 116bf586.0 -> GeoTrust_Primary_CA_G2_ECC.pem lrwxr-xr-x 1 > root wheel 22 Jan 10 10:51 2c543cd1.0 -> > GeoTrust_Global_CA.pem lrwxr-xr-x 1 root wheel 23 Jan 10 > 10:51 480720ec.0 -> GeoTrust_Primary_CA.pem lrwxr-xr-x 1 root > wheel 40 Jan 10 10:51 578d5c04.0 -> > Equifax_Secure_Certificate_Authority.pem lrwxr-xr-x 1 root wheel > 33 Jan 10 10:51 79ad8b43.0 -> Equifax_Secure_eBusiness_CA-1.pem > lrwxr-xr-x 1 root wheel 26 Jan 10 10:51 8867006a.0 -> > GeoTrust_Universal_CA2.pem lrwxr-xr-x 1 root wheel 15 Jan 10 > 10:51 8d86cdd1.0 -> ca-root-nss.pem -rw-r--r-- 1 root wheel > 1160 Jul 11 2012 Equifax_Secure_Certificate_Authority.pem > -rw-r--r-- 1 root wheel 962 Jun 27 2012 > Equifax_Secure_Global_eBusiness_CA-1.pem -rw-r--r-- 1 root wheel > 947 Jun 27 2012 Equifax_Secure_eBusiness_CA-1.pem -rw-r--r-- 1 > root wheel 1234 Jun 27 2012 GeoTrust_Global_CA.pem -rw-r--r-- > 1 root wheel 1261 Jun 27 2012 GeoTrust_Global_CA2.pem > -rw-r--r-- 1 root wheel 1290 Jan 19 2011 > GeoTrust_Primary_CA.pem -rw-r--r-- 1 root wheel 1004 Nov 10 > 2011 GeoTrust_Primary_CA_G2_ECC.pem -rw-r--r-- 1 root wheel > 1965 Jun 27 2012 GeoTrust_Universal_CA.pem -rw-r--r-- 1 root > wheel 1968 Jun 27 2012 GeoTrust_Universal_CA2.pem lrwxr-xr-x 1 > root wheel 25 Jan 10 10:51 ad088e1d.0 -> > GeoTrust_Universal_CA.pem -r--r--r-- 1 root wheel 741266 Jan 10 > 10:51 ca-root-nss.pem lrwxr-xr-x 1 root wheel 23 Jan 10 > 10:51 cbeee9e2.0 -> GeoTrust_Global_CA2.pem lrwxr-xr-x 1 root > wheel 40 Jan 10 10:51 ef2f636c.0 -> > Equifax_Secure_Global_eBusiness_CA-1.pem > > -------------------------------------------------------------------------------- > > This works... > > [root@MailArch /usr/local/openssl/certs]# openssl s_client -connect > pop.gmail.com:995 -CAfile /usr/local/openssl/certs/ca-root-nss.pem > CONNECTED(00000003) depth=2 /C=US/O=Equifax/OU=Equifax Secure > Certificate Authority verify return:1 depth=1 /C=US/O=Google > Inc/CN=Google Internet Authority verify return:1 depth=0 > /C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com > verify return:1 --- Certificate chain 0 > s:/C=US/ST=California/L=Mountain View/O=Google > Inc/CN=pop.gmail.com i:/C=US/O=Google Inc/CN=Google Internet > Authority 1 s:/C=US/O=Google Inc/CN=Google Internet Authority > i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- > Server certificate -----BEGIN CERTIFICATE----- > MIIDfjCCAuegAwIBAgIKO3SUyAAAAABopzANBgkqhkiG9w0BAQUFADBGMQswCQYD > VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu > dGVybmV0IEF1dGhvcml0eTAeFw0xMjA5MTIxMTU3MjNaFw0xMzA2MDcxOTQzMjda > MGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N > b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYwFAYDVQQDEw1wb3Au > Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWvVlprqQFc95x > O5yfdTl7Hxqvs7C9PPKNdgegVio9c8lOyXoAZSei35xdrNPNbZhxqj5IKbQ+Sqy4 > W3H9VVcYnf7MLiKWYCv6TisatKaj98LCd8A5soKp5vidtC+UyCelvB7BsE+rPUm1 > CWURHnkNOWEInpJ0grX9ySx2n4hK/wIDAQABo4IBUDCCAUwwHQYDVR0lBBYwFAYI > KwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQu/gVNhWx5xU5lNECDJANUvwdT > wDAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra42sSJDBbBgNVHR8EVDBSMFCg > TqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVybmV0QXV0aG9y > aXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNybDBmBggrBgEFBQcBAQRaMFgw > VgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJu > ZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3J0MAwGA1UdEwEB > /wQCMAAwGAYDVR0RBBEwD4INcG9wLmdtYWlsLmNvbTANBgkqhkiG9w0BAQUFAAOB > gQC4TtLHlv9CIxcIYr5THHpQ8TtQ7vtZyBBJM/RGF7omUSrWPp5Q0ehVnHH5HT4l > zrlskssLcq8PLsO/prVIxDZUmmcJwMzKw2c//zaCew13Ms/Dq0UbO2Q6IqzppXQL > nHIP7STcClUMZkgiOpzLfrM3jMKa+LuFVVfdRvGh0XVogg== -----END > CERTIFICATE----- subject=/C=US/ST=California/L=Mountain > View/O=Google Inc/CN=pop.gmail.com issuer=/C=US/O=Google > Inc/CN=Google Internet Authority --- No client certificate CA names > sent --- SSL handshake has read 1750 bytes and written 325 bytes > --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 1024 > bit Secure Renegotiation IS supported Compression: NONE Expansion: > NONE SSL-Session: Protocol : TLSv1 Cipher : RC4-SHA Session-ID: > D8E468DF835970F04647E52A8A0C0ADB673CDBE5D73F60098558A11BF4930576 > Session-ID-ctx: Master-Key: > D6064056F009D26B6CA0C1BBE1271A3B3F840323BA3F0ABA220EFDFDE9FCE1D3DB93CA49F19D794E1DD399BE4350364F > > Key-Arg : None > Start Time: 1357834496 Timeout : 300 (sec) Verify return code: 0 > (ok) --- +OK Gpop ready for requests from 208.105.14.76 > cz12pf1272748vdb.40 ^C > > -------------------------------------------------------------------------------- > > And this does not work... > > [root@MailArch /usr/local/openssl/certs]# openssl s_client -connect > pop.gmail.com:995 -CApath /usr/local/openssl/certs > CONNECTED(00000003) depth=1 /C=US/O=Google Inc/CN=Google Internet > Authority verify error:num=20:unable to get local issuer > certificate verify return:0 --- Certificate chain 0 > s:/C=US/ST=California/L=Mountain View/O=Google > Inc/CN=pop.gmail.com i:/C=US/O=Google Inc/CN=Google Internet > Authority 1 s:/C=US/O=Google Inc/CN=Google Internet Authority > i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- > Server certificate -----BEGIN CERTIFICATE----- > MIIDfjCCAuegAwIBAgIKO3SUyAAAAABopzANBgkqhkiG9w0BAQUFADBGMQswCQYD > VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu > dGVybmV0IEF1dGhvcml0eTAeFw0xMjA5MTIxMTU3MjNaFw0xMzA2MDcxOTQzMjda > MGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N > b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYwFAYDVQQDEw1wb3Au > Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWvVlprqQFc95x > O5yfdTl7Hxqvs7C9PPKNdgegVio9c8lOyXoAZSei35xdrNPNbZhxqj5IKbQ+Sqy4 > W3H9VVcYnf7MLiKWYCv6TisatKaj98LCd8A5soKp5vidtC+UyCelvB7BsE+rPUm1 > CWURHnkNOWEInpJ0grX9ySx2n4hK/wIDAQABo4IBUDCCAUwwHQYDVR0lBBYwFAYI > KwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQu/gVNhWx5xU5lNECDJANUvwdT > wDAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra42sSJDBbBgNVHR8EVDBSMFCg > TqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVybmV0QXV0aG9y > aXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNybDBmBggrBgEFBQcBAQRaMFgw > VgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJu > ZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3J0MAwGA1UdEwEB > /wQCMAAwGAYDVR0RBBEwD4INcG9wLmdtYWlsLmNvbTANBgkqhkiG9w0BAQUFAAOB > gQC4TtLHlv9CIxcIYr5THHpQ8TtQ7vtZyBBJM/RGF7omUSrWPp5Q0ehVnHH5HT4l > zrlskssLcq8PLsO/prVIxDZUmmcJwMzKw2c//zaCew13Ms/Dq0UbO2Q6IqzppXQL > nHIP7STcClUMZkgiOpzLfrM3jMKa+LuFVVfdRvGh0XVogg== -----END > CERTIFICATE----- subject=/C=US/ST=California/L=Mountain > View/O=Google Inc/CN=pop.gmail.com issuer=/C=US/O=Google > Inc/CN=Google Internet Authority --- No client certificate CA names > sent --- SSL handshake has read 1750 bytes and written 325 bytes > --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 1024 > bit Secure Renegotiation IS supported Compression: NONE Expansion: > NONE SSL-Session: Protocol : TLSv1 Cipher : RC4-SHA Session-ID: > 4797C67363287F3C528509AAB91A0852BF265D6DFAEB144048815047CA3595DB > Session-ID-ctx: Master-Key: > 1A0FAD1AA041894DEDB7329984DBC513D3EE7B4B92901F7700D5C15D767C3E9E5761561BBD47647605D0852D2A24501E > > Key-Arg : None > Start Time: 1357834512 Timeout : 300 (sec) Verify return code: 20 > (unable to get local issuer certificate) --- +OK Gpop ready for > requests from 208.105.14.76 j10pf1276456vde.5 ^C [root@MailArch > /usr/local/openssl/certs]# > > -- Paul Kraus Deputy Technical Director, LoneStarCon 3 Sound > Coordinator, Schenectady Light Opera Company > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions To > unsubscribe, send any mail to > "freebsd-questions-unsubscribe@freebsd.org" > Hi Paul, It looks like you don't have the Gmail certificate installed locally, unless I'm mistaken. Check the instructions here, and let us know if that fixes the problem for you: http://squeezesetup.wordpress.com/install-mail-part-2-gmail-certs/ Best regards, Greg - -- Greg Larkin http://www.FreeBSD.org/ - The Power To Serve http://www.sourcehosting.net/ - Ready. Set. Code. http://twitter.com/cpucycle/ - Follow you, follow me -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (Darwin) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEARECAAYFAlDu/HwACgkQ0sRouByUApBpigCgnurO0xbOVJSXXXqujqo71N+O oSgAoKovwTXE05J6TYwo9dJO2YUkXOw6 =Bf8n -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50EEFC7D.5070706>