How about posting the certificate chain printed by -showcerts? If you don't get one, then it's entirely possible that you've got a problem on your server (such as not having the correct private key for the certificate).
-Kyle H

On Wed, Oct 8, 2008 at 2:16 PM, Andrej Podzimek <[EMAIL PROTECTED]> wrote:
>> Are any intermediate CA certificates involved?
>
> No. The CA is home-made, created using OpenSSL. It has a self-signed
> certificate.
>
>> This command will dump all certificates received:
>>
>> openssl s_client -connect hostname:portnum -showcerts
>
> [EMAIL PROTECTED] ~]$ openssl s_client -connect my.server.address:5432 -showcerts
> CONNECTED(00000003)
> 4386:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
>> If you split them into files and try:
>>
>> openssl x509 -in cert.pem -dates -noout
>
> Can't try this right now...
>
> As for the dates, I store all my certificates with the human-readable
> preamble (the -text option used with x509). Dates are OK in all of them. I
> dumped them again and got the same result.
>
> This is what I tried next:
>
> [EMAIL PROTECTED] ~]$ openssl s_client -debug -connect my.server.address:5432 -showcerts
> CONNECTED(00000003)
> write to 0x9fcb948 [0x9fcb990] (124 bytes => 124 (0x7C))
> 0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..
> 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
> 0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
> 0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................
> 0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   [EMAIL PROTECTED]
> 0050 - 00 00 06 04 00 80 00 00-03 02 00 80 64 70 9c 33   ............dp.3
> 0060 - 54 71 07 96 37 d8 e5 9c-22 01 5b 19 60 9f d0 1f   Tq..7...".[.`...
> 0070 - a3 43 82 8d 51 2d eb bc-c8 84 1c bb               .C..Q-......
> read from 0x9fcb948 [0x9fd0ef0] (7 bytes => 0 (0x0))
> 4407:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
> A local IP connection directly on the server fails the same way, too.
> (Non-SSL IP connections to the database do work, however.)
>
> What should I try now? If you want me to carry out further experiments, just
> let me know.
>
> Andrej
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]