Dear all, 

When I connect to our printer server, the certificate is never verified 
correctly. When I specify the CA certificate file manually on the command 
line, it works though. The root certificate in question is installed, and 
everything looks correct to me. -> ???
 
Any help on how to fix this would be greatly appreciated... for details see 
below.

Best, Andreas


========================== 1st try ============================


[EMAIL PROTECTED] ~ $ openssl s_client -connect srv609.tudelft.net:443
depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=NL/postalCode=2628 BL/ST=Zuid Holland/L=Delft/streetAddress=Julianalaan 134/O=TU Delft/OU=ICT/OU=EliteSSL/CN=srv609.tudelft.net
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 1 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/C=NL/postalCode=2628 BL/ST=Zuid Holland/L=Delft/streetAddress=Julianalaan 134/O=TU Delft/OU=ICT/OU=EliteSSL/CN=srv609.tudelft.net
issuer=/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
No client certificate CA names sent
---
SSL handshake has read 2619 bytes and written 324 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 521F0000C6654A45F30619B440C2810C415CFA91E2E6CF5EF34ADE1BBCE70600
    Session-ID-ctx: 
    Master-Key: 7D2685A0C8D09F66BB5CF7140203C86010E320FE61043B19C253BCFA7E95F0E429E1683045AA742D5099833390A3408F
    Key-Arg   : None
    Start Time: 1203366089
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---


========== 2nd try with -CAfile=... ============================


[EMAIL PROTECTED] ~ $ openssl s_client -connect srv609.tudelft.net:443 -CAfile /etc/ssl/certs/AddTrust_External_Root.pem
depth=2 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify return:1
depth=0 /C=NL/postalCode=2628 BL/ST=Zuid Holland/L=Delft/streetAddress=Julianalaan 134/O=TU Delft/OU=ICT/OU=EliteSSL/CN=srv609.tudelft.net
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=NL/postalCode=2628 BL/ST=Zuid Holland/L=Delft/streetAddress=Julianalaan 134/O=TU Delft/OU=ICT/OU=EliteSSL/CN=srv609.tudelft.net
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 1 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/C=NL/postalCode=2628 BL/ST=Zuid Holland/L=Delft/streetAddress=Julianalaan 134/O=TU Delft/OU=ICT/OU=EliteSSL/CN=srv609.tudelft.net
issuer=/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
No client certificate CA names sent
---
SSL handshake has read 2619 bytes and written 324 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 771500004C4A7AACD55CDC4E3087598FA12E6372AC21275C3AA9331DF32EBDA2
    Session-ID-ctx: 
    Master-Key: E3BA1AC0A3A74676861CB41B4EF15A9FCAAD65CFCA40C3FD24C8AD86FC2CA36BACE208D4DA856FC6968AA781E3BE99A7
    Key-Arg   : None
    Start Time: 1203370049
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


================= CA certificate installation ======================

[EMAIL PROTECTED] /etc/ssl/certs $ openssl x509 -hash -noout -in AddTrust_External_Root.pem
3c58f906
[EMAIL PROTECTED] /etc/ssl/certs $ ls -l 3c58f906.0
lrwxrwxrwx 1 root root 26  3. Feb 20:18 3c58f906.0 -> AddTrust_External_Root.pem
[EMAIL PROTECTED] /etc/ssl/certs $ ls -l AddTrust_External_Root.pem
lrwxrwxrwx 1 root root 61  3. Feb 20:18 AddTrust_External_Root.pem -> /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
[EMAIL PROTECTED] /etc/ssl/certs $ ls -l /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
-rw-r--r-- 1 root root 1523  4. Mär 2007  /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
[EMAIL PROTECTED] /etc/ssl/certs $           

[EMAIL PROTECTED] /etc/ssl/certs $ openssl version -a
OpenSSL 0.9.8g 19 Oct 2007
built on: Sun Feb 17 01:46:36 CET 2008
platform: linux-elf
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: i686-pc-linux-gnu-gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -O2 -march=pentium-m -pipe -Wa,--noexecstack
OPENSSLDIR: "/etc/ssl"
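
Added example, not part of the original message: a small parser for the s_client output format shown above that reports which issuer the server did not send and the client therefore has to find in its own trust store. The sample transcript is constructed (abridged DNs, one s:/i: entry per line as s_client prints it), and all function names are hypothetical.

```python
import re

# Constructed sample in the s_client format shown above: abridged, leaf and
# intermediate DNs shortened, each s:/i: entry on a single line.
SAMPLE = """\
Certificate chain
 0 s:/C=NL/O=TU Delft/OU=ICT/CN=srv609.tudelft.net
   i:/C=US/O=The USERTRUST Network/CN=UTN-USERFirst-Hardware
 1 s:/C=US/O=The USERTRUST Network/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
    Verify return code: 20 (unable to get local issuer certificate)
"""

def parse_chain(text):
    """Return [(depth, subject_dn, issuer_dn)] from the 'Certificate chain' block."""
    block = re.search(r"^Certificate chain\n(.*?)^---", text, re.S | re.M)
    if not block:
        return []
    pairs = re.findall(r"^\s*(\d+) s:(.+)\n\s+i:(.+)$", block.group(1), re.M)
    return [(int(d), s.strip(), i.strip()) for d, s, i in pairs]

def verify_code(text):
    """Return (code, reason) from the 'Verify return code' line, or None."""
    m = re.search(r"Verify return code: (\d+) \((.*)\)", text)
    return (int(m.group(1)), m.group(2)) if m else None

def anchors_needed(chain):
    """Issuer DNs that no server-sent certificate has as subject (must be local)."""
    subjects = {s for _, s, _ in chain}
    return [i for _, _, i in chain if i not in subjects]

def diagnose(text):
    """Summarise whether the failure points at the server chain or the local store."""
    chain, result = parse_chain(text), verify_code(text)
    code = result[0] if result else None
    need = anchors_needed(chain)
    # Each certificate sent should be issued by the next one in the list.
    ordered = all(chain[n][2] == chain[n + 1][1] for n in range(len(chain) - 1))
    if code == 0:
        verdict = "verified"
    elif code == 20 and ordered and need:
        verdict = "chain links up; issuer in need_locally not found in local trust store"
    else:
        verdict = "other failure; inspect the chain"
    return {"code": code, "ordered": ordered, "need_locally": need, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```
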
