On Wed, Oct 08, 2008, Andrej Podzimek wrote:

>> Are any intermediate CA certificates involved?
>
> No. The CA is home-made, created using OpenSSL. It has a self-signed
> certificate.
>
>> This command will dump all certificates received:
>> openssl s_client -connect hostname:portnum -showcerts
>
> [EMAIL PROTECTED] ~]$ openssl s_client -connect my.server.address:5432 -showcerts
> CONNECTED(00000003)
> 4386:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>

Hmmm.... Is that the right port for SSL/TLS? If it is, it looks like it isn't
just a case of connecting to the right port to get an SSL/TLS connection.
Might be some STARTTLS equivalent but I'm not sure what it is for that
application.

>
> As for the dates, I store all my certificates with the human-readable
> preamble (the -text option used with x509). Dates are OK in all of them. I
> dumped them again and got the same result.
>

It looks like an expired certificate is somehow being used. How isn't clear at
this stage.

If you have CA certificates in directories or files make sure an old one isn't
in there.

The best I can suggest at this point is modifying OpenSSL or the application
to dump out any expired certificates to a temp file so you can see which
one(s) it is complaining about.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
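
The check suggested in the message above, that no old certificate is left in the CA files or directories, written out as an added example (it is not part of the original message and is not OpenSSL project code). The function name `find_expiring_certs` is hypothetical; it assumes PEM-encoded files, splits bundles into individual certificates and tests each one with `openssl x509 -checkend`.

```shell
#!/bin/sh
# Added example: report certificates in CA files or directories that are
# already expired (WINDOW=0) or that expire within WINDOW seconds.
# Assumptions: PEM input, openssl and awk on PATH, find supports -maxdepth.

# Usage: find_expiring_certs WINDOW_SECONDS PATH...
# Output, one line per flagged certificate:
#   file#index<TAB>notAfter<TAB>subject
find_expiring_certs() {
    window=$1; shift
    tmp=$(mktemp -d) || return 1
    for path in "$@"; do
        # Directories are scanned one level deep. -type f skips the hash
        # symlinks of a rehashed CApath, so each file is reported once.
        find "$path" -maxdepth 1 -type f
    done | while IFS= read -r file; do
        rm -f "$tmp"/cert.*
        # A CAfile may hold several certificates: write each to its own file.
        awk -v dir="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n; on = 1 }
            on { print > out }
            /-----END CERTIFICATE-----/ { on = 0; close(out) }
        ' "$file"
        i=0
        while i=$((i + 1)); [ -f "$tmp/cert.$i" ]; do
            pem="$tmp/cert.$i"
            # Skip blocks that openssl cannot parse as a certificate.
            end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) || continue
            # -checkend exits non-zero when notAfter is before now + window.
            if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
                subj=$(openssl x509 -in "$pem" -noout -subject)
                printf '%s#%s\t%s\t%s\n' "$file" "$i" "${end#notAfter=}" "$subj"
            fi
        done
    done
    rm -rf "$tmp"
}
```

Calling it with a window of `0` and the paths the application is configured to trust lists only certificates that have already expired, with the position of each inside its bundle.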