Jürgen Nagler wrote:
>
> Hi all,
>
> everything I has done before with ssl worked out of a box (telnet with
> ssl, https-pages viewed with Netscape, imaps with Messenger). But now I
> have a client program using the c-client library which is capable of ssl
> by openssl.
>
> Using the mtest program of c-client to connect via imaps to my
> mailserver at university I get
>
> > %unable to get local issuer certificate:
>/C=DE/ST=Baden-Wuerttemberg/L=Ulm/O=Universitaet
> > Ulm/OU=Universitaetsrechenzentrum/CN=imap.rz.uni-ulm.de
> > ?Can't establish SSL session to imap.rz.uni-ulm.de/imaps,993
>
> After many hours searching and the output of 'openssl c_client -connect
> imap.rz.uni-ulm.de:993'
>
> > depth=0 /C=DE/ST=Baden-Wuerttemberg/L=Ulm/O=Universitaet
> > Ulm/OU=Universitaetsrechenzentrum/CN=imap.rz.uni-ulm.de
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /C=DE/ST=Baden-Wuerttemberg/L=Ulm/O=Universitaet
> > Ulm/OU=Universitaetsrechenzentrum/CN=imap.rz.uni-ulm.de
> > verify error:num=27:certificate not trusted
> > verify return:1
> > depth=0 /C=DE/ST=Baden-Wuerttemberg/L=Ulm/O=Universitaet
> > Ulm/OU=Universitaetsrechenzentrum/CN=imap.rz.uni-ulm.de
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > ---
> > Certificate chain
> > 0 s:/C=DE/ST=Baden-Wuerttemberg/L=Ulm/O=Universitaet
> > Ulm/OU=Universitaetsrechenzentrum/CN=imap.rz.uni-ulm.de
> > i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification
>Services
> > Division/CN=Thawte Server [EMAIL PROTECTED]
> > ---
>
> I am sure the error is the missing trusted certificate of
> "/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
> cc/OU=Certification Services Division/CN=Thawte Server
> [EMAIL PROTECTED]".
>
> But how/where can I obtain it and how has it to be integrated. I
> searched over 3 hours and haven't found any information about. And if
> this is not possible, how can I start SSL secured connections to my
> university server without it.
>
There are a few standard root certificates (which is what you need here)
in the 'certs' directory of the OpenSSL distribution. It looks like the
one you want is thawteCb.pem . How you add this to your applications
trusted store varies, typically you'll either place it in a directory or
add/create a file. There's info in the man pages showing how to do this
for s_client.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
