Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 10 Jan 2013 12:38:05 -0500
From:      Greg Larkin <glarkin@FreeBSD.org>
To:        Paul Kraus <paul@kraus-haus.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: OpenSSL Certificate issue
Message-ID:  <50EEFC7D.5070706@FreeBSD.org>
In-Reply-To: <23C1DB57-7A56-48DC-A0D0-8CF8B1CC8915@kraus-haus.org>
References:  <23C1DB57-7A56-48DC-A0D0-8CF8B1CC8915@kraus-haus.org>

next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 1/10/13 11:18 AM, Paul Kraus wrote:
> I am having an odd issue with OpenSSL and root certs, specifically
> fetching email via POP from Google. When I test with "openssl
> s_client" and specify the -CAfile I am OK, when I specify the
> -CApath (and I did run a c_rehash) it fails. I am sure this is a
> very simple error on my part, but no amount of searching has led me
> to the answer. See examples below.
> 
> --------------------------------------------------------------------------------
>
> 
The directory of certs...
> 
> [root@MailArch /usr/local/openssl/certs]# ls -la total 812 
> drwxr-xr-x  2 root  wheel    1024 Jan 10 10:51 . drwxr-xr-x  5 root
> wheel     512 Sep  5 16:13 .. lrwxr-xr-x  1 root  wheel      30 Jan
> 10 10:51 116bf586.0 -> GeoTrust_Primary_CA_G2_ECC.pem lrwxr-xr-x  1
> root  wheel      22 Jan 10 10:51 2c543cd1.0 ->
> GeoTrust_Global_CA.pem lrwxr-xr-x  1 root  wheel      23 Jan 10
> 10:51 480720ec.0 -> GeoTrust_Primary_CA.pem lrwxr-xr-x  1 root
> wheel      40 Jan 10 10:51 578d5c04.0 ->
> Equifax_Secure_Certificate_Authority.pem lrwxr-xr-x  1 root  wheel
> 33 Jan 10 10:51 79ad8b43.0 -> Equifax_Secure_eBusiness_CA-1.pem 
> lrwxr-xr-x  1 root  wheel      26 Jan 10 10:51 8867006a.0 ->
> GeoTrust_Universal_CA2.pem lrwxr-xr-x  1 root  wheel      15 Jan 10
> 10:51 8d86cdd1.0 -> ca-root-nss.pem -rw-r--r--  1 root  wheel
> 1160 Jul 11  2012 Equifax_Secure_Certificate_Authority.pem 
> -rw-r--r--  1 root  wheel     962 Jun 27  2012
> Equifax_Secure_Global_eBusiness_CA-1.pem -rw-r--r--  1 root  wheel
> 947 Jun 27  2012 Equifax_Secure_eBusiness_CA-1.pem -rw-r--r--  1
> root  wheel    1234 Jun 27  2012 GeoTrust_Global_CA.pem -rw-r--r--
> 1 root  wheel    1261 Jun 27  2012 GeoTrust_Global_CA2.pem 
> -rw-r--r--  1 root  wheel    1290 Jan 19  2011
> GeoTrust_Primary_CA.pem -rw-r--r--  1 root  wheel    1004 Nov 10
> 2011 GeoTrust_Primary_CA_G2_ECC.pem -rw-r--r--  1 root  wheel
> 1965 Jun 27  2012 GeoTrust_Universal_CA.pem -rw-r--r--  1 root
> wheel    1968 Jun 27  2012 GeoTrust_Universal_CA2.pem lrwxr-xr-x  1
> root  wheel      25 Jan 10 10:51 ad088e1d.0 ->
> GeoTrust_Universal_CA.pem -r--r--r--  1 root  wheel  741266 Jan 10
> 10:51 ca-root-nss.pem lrwxr-xr-x  1 root  wheel      23 Jan 10
> 10:51 cbeee9e2.0 -> GeoTrust_Global_CA2.pem lrwxr-xr-x  1 root
> wheel      40 Jan 10 10:51 ef2f636c.0 ->
> Equifax_Secure_Global_eBusiness_CA-1.pem
> 
> --------------------------------------------------------------------------------
>
> 
This works...
> 
> [root@MailArch /usr/local/openssl/certs]# openssl s_client -connect
> pop.gmail.com:995 -CAfile /usr/local/openssl/certs/ca-root-nss.pem
>  CONNECTED(00000003) depth=2 /C=US/O=Equifax/OU=Equifax Secure
> Certificate Authority verify return:1 depth=1 /C=US/O=Google
> Inc/CN=Google Internet Authority verify return:1 depth=0
> /C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com 
> verify return:1 --- Certificate chain 0
> s:/C=US/ST=California/L=Mountain View/O=Google
> Inc/CN=pop.gmail.com i:/C=US/O=Google Inc/CN=Google Internet
> Authority 1 s:/C=US/O=Google Inc/CN=Google Internet Authority 
> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- 
> Server certificate -----BEGIN CERTIFICATE----- 
> MIIDfjCCAuegAwIBAgIKO3SUyAAAAABopzANBgkqhkiG9w0BAQUFADBGMQswCQYD 
> VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu 
> dGVybmV0IEF1dGhvcml0eTAeFw0xMjA5MTIxMTU3MjNaFw0xMzA2MDcxOTQzMjda 
> MGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N 
> b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYwFAYDVQQDEw1wb3Au 
> Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWvVlprqQFc95x 
> O5yfdTl7Hxqvs7C9PPKNdgegVio9c8lOyXoAZSei35xdrNPNbZhxqj5IKbQ+Sqy4 
> W3H9VVcYnf7MLiKWYCv6TisatKaj98LCd8A5soKp5vidtC+UyCelvB7BsE+rPUm1 
> CWURHnkNOWEInpJ0grX9ySx2n4hK/wIDAQABo4IBUDCCAUwwHQYDVR0lBBYwFAYI 
> KwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQu/gVNhWx5xU5lNECDJANUvwdT 
> wDAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra42sSJDBbBgNVHR8EVDBSMFCg 
> TqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVybmV0QXV0aG9y 
> aXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNybDBmBggrBgEFBQcBAQRaMFgw 
> VgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJu 
> ZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3J0MAwGA1UdEwEB 
> /wQCMAAwGAYDVR0RBBEwD4INcG9wLmdtYWlsLmNvbTANBgkqhkiG9w0BAQUFAAOB 
> gQC4TtLHlv9CIxcIYr5THHpQ8TtQ7vtZyBBJM/RGF7omUSrWPp5Q0ehVnHH5HT4l 
> zrlskssLcq8PLsO/prVIxDZUmmcJwMzKw2c//zaCew13Ms/Dq0UbO2Q6IqzppXQL 
> nHIP7STcClUMZkgiOpzLfrM3jMKa+LuFVVfdRvGh0XVogg== -----END
> CERTIFICATE----- subject=/C=US/ST=California/L=Mountain
> View/O=Google Inc/CN=pop.gmail.com issuer=/C=US/O=Google
> Inc/CN=Google Internet Authority --- No client certificate CA names
> sent --- SSL handshake has read 1750 bytes and written 325 bytes 
> --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 1024
> bit Secure Renegotiation IS supported Compression: NONE Expansion:
> NONE SSL-Session: Protocol  : TLSv1 Cipher    : RC4-SHA Session-ID:
> D8E468DF835970F04647E52A8A0C0ADB673CDBE5D73F60098558A11BF4930576 
> Session-ID-ctx: Master-Key:
> D6064056F009D26B6CA0C1BBE1271A3B3F840323BA3F0ABA220EFDFDE9FCE1D3DB93CA49F19D794E1DD399BE4350364F
>
> 
Key-Arg   : None
> Start Time: 1357834496 Timeout   : 300 (sec) Verify return code: 0
> (ok) --- +OK Gpop ready for requests from 208.105.14.76
> cz12pf1272748vdb.40 ^C
> 
> --------------------------------------------------------------------------------
>
> 
And this does not work...
> 
> [root@MailArch /usr/local/openssl/certs]# openssl s_client -connect
> pop.gmail.com:995 -CApath /usr/local/openssl/certs 
> CONNECTED(00000003) depth=1 /C=US/O=Google Inc/CN=Google Internet
> Authority verify error:num=20:unable to get local issuer
> certificate verify return:0 --- Certificate chain 0
> s:/C=US/ST=California/L=Mountain View/O=Google
> Inc/CN=pop.gmail.com i:/C=US/O=Google Inc/CN=Google Internet
> Authority 1 s:/C=US/O=Google Inc/CN=Google Internet Authority 
> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- 
> Server certificate -----BEGIN CERTIFICATE----- 
> MIIDfjCCAuegAwIBAgIKO3SUyAAAAABopzANBgkqhkiG9w0BAQUFADBGMQswCQYD 
> VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu 
> dGVybmV0IEF1dGhvcml0eTAeFw0xMjA5MTIxMTU3MjNaFw0xMzA2MDcxOTQzMjda 
> MGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N 
> b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYwFAYDVQQDEw1wb3Au 
> Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWvVlprqQFc95x 
> O5yfdTl7Hxqvs7C9PPKNdgegVio9c8lOyXoAZSei35xdrNPNbZhxqj5IKbQ+Sqy4 
> W3H9VVcYnf7MLiKWYCv6TisatKaj98LCd8A5soKp5vidtC+UyCelvB7BsE+rPUm1 
> CWURHnkNOWEInpJ0grX9ySx2n4hK/wIDAQABo4IBUDCCAUwwHQYDVR0lBBYwFAYI 
> KwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQu/gVNhWx5xU5lNECDJANUvwdT 
> wDAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra42sSJDBbBgNVHR8EVDBSMFCg 
> TqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVybmV0QXV0aG9y 
> aXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNybDBmBggrBgEFBQcBAQRaMFgw 
> VgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJu 
> ZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3J0MAwGA1UdEwEB 
> /wQCMAAwGAYDVR0RBBEwD4INcG9wLmdtYWlsLmNvbTANBgkqhkiG9w0BAQUFAAOB 
> gQC4TtLHlv9CIxcIYr5THHpQ8TtQ7vtZyBBJM/RGF7omUSrWPp5Q0ehVnHH5HT4l 
> zrlskssLcq8PLsO/prVIxDZUmmcJwMzKw2c//zaCew13Ms/Dq0UbO2Q6IqzppXQL 
> nHIP7STcClUMZkgiOpzLfrM3jMKa+LuFVVfdRvGh0XVogg== -----END
> CERTIFICATE----- subject=/C=US/ST=California/L=Mountain
> View/O=Google Inc/CN=pop.gmail.com issuer=/C=US/O=Google
> Inc/CN=Google Internet Authority --- No client certificate CA names
> sent --- SSL handshake has read 1750 bytes and written 325 bytes 
> --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 1024
> bit Secure Renegotiation IS supported Compression: NONE Expansion:
> NONE SSL-Session: Protocol  : TLSv1 Cipher    : RC4-SHA Session-ID:
> 4797C67363287F3C528509AAB91A0852BF265D6DFAEB144048815047CA3595DB 
> Session-ID-ctx: Master-Key:
> 1A0FAD1AA041894DEDB7329984DBC513D3EE7B4B92901F7700D5C15D767C3E9E5761561BBD47647605D0852D2A24501E
>
> 
Key-Arg   : None
> Start Time: 1357834512 Timeout   : 300 (sec) Verify return code: 20
> (unable to get local issuer certificate) --- +OK Gpop ready for
> requests from 208.105.14.76 j10pf1276456vde.5 ^C [root@MailArch
> /usr/local/openssl/certs]#
> 
> -- Paul Kraus Deputy Technical Director, LoneStarCon 3 Sound
> Coordinator, Schenectady Light Opera Company
> 
> _______________________________________________ 
> freebsd-questions@freebsd.org mailing list 
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions To
> unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
> 

Hi Paul,

It looks like you don't have the Gmail certificate installed locally,
unless I'm mistaken.  Check the instructions here, and let us know if
that fixes the problem for you:
http://squeezesetup.wordpress.com/install-mail-part-2-gmail-certs/

Best regards,
Greg

- -- 
Greg Larkin

http://www.FreeBSD.org/           - The Power To Serve
http://www.sourcehosting.net/     - Ready. Set. Code.
http://twitter.com/cpucycle/      - Follow you, follow me
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlDu/HwACgkQ0sRouByUApBpigCgnurO0xbOVJSXXXqujqo71N+O
oSgAoKovwTXE05J6TYwo9dJO2YUkXOw6
=Bf8n
-----END PGP SIGNATURE-----



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50EEFC7D.5070706>