On Wed, Oct 19, 2011 at 06:15:31PM +0200, eu...@mail2.infochem.de wrote:

> > Not entirely, you configured only the leaf server cert, and did
> > not also configure the intermediate CA cert (which should be appended
> > to your cert.pem file).
>
> Thanks for catching it -- I obviously don't really know what I'm doing.
> I've appended the cert, and now am getting
>
> $ openssl s_client -starttls smtp -showcerts -connect mail2.infochem.de:25

Works fine on a system with a large pile of certs in /usr/lib/ssl/certs.
It looks like you're done now.

    $ openssl s_client -CApath /usr/lib/ssl/certs -starttls smtp -showcerts -connect mail2.infochem.de:25
    CONNECTED(00000003)
    depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
    verify return:1
    depth=1 /C=US/O=Thawte, Inc./CN=Thawte SSL CA
    verify return:1
    depth=0 /C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische Information mbH/CN=*.infochem.de
    verify return:1
    ---
    Certificate chain
     0 s:/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische Information mbH/CN=*.infochem.de
       i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
     1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
       i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
    ---
    Server certificate
    subject=/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische Information mbH/CN=*.infochem.de
    issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3082 bytes and written 366 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: DB0377BA5DA344D58F6FD40B3AD5C2C4F4759619ED2D339718E26E48AB436280
        Session-ID-ctx:
        Master-Key: B0B4ABAB6112B4169F41FC8CD9508A6B4C314D54D9CC09FBF96CC28E168FD9F5B65C5600E2757FD0B1D981031F4A5D07
        Key-Arg   : None
        Start Time: 1319047450
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    250 DSN

-- 
    Viktor.
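
The fix discussed in this thread, as an added example that is not part of the original messages: a shell script that builds a throwaway root CA, intermediate CA and leaf, then shows that a client trusting only the root rejects a leaf-only cert.pem and accepts one with the intermediate appended. All names, files and helper functions (issue, make_demo_pki, chain_ok, compare_chains) are constructed for illustration.

```shell
#!/bin/sh
# Added example; the CA hierarchy and every name below are constructed placeholders.

issue() {  # $1=dir $2=name $3=issuer name $4=extension section $5=CN $6=serial
  openssl req -config "$1/o.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$5" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -set_serial "$6" -days 2 -extfile "$1/o.cnf" -extensions "$4" \
    -out "$1/$2.pem" 2>/dev/null
}

make_demo_pki() {  # $1 = empty work directory; creates root, int and leaf
  cat > "$1/o.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:mail.example.test
EOF
  openssl req -x509 -config "$1/o.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -days 2 -subj "/CN=demo-root" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  issue "$1" int  root v3_ca   demo-intermediate 2 &&
  issue "$1" leaf int  v3_leaf mail.example.test 3
}

# Verify a server chain file the way a client holding only roots would:
# the first cert in $2 is the leaf, the rest are offered as untrusted helpers.
chain_ok() {  # $1 = trusted root file, $2 = cert.pem as the server sends it
  openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1 | grep -q ': OK$'
}

compare_chains() {  # prints one verdict per chain file
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || return 1
  cp "$d/leaf.pem" "$d/leaf_only.pem"             # leaf only: the misconfiguration
  cat "$d/leaf.pem" "$d/int.pem" > "$d/cert.pem"  # intermediate appended: the fix
  for f in leaf_only.pem cert.pem; do
    if chain_ok "$d/root.pem" "$d/$f"; then echo "$f=ok"; else echo "$f=incomplete"; fi
  done
  rm -rf "$d"
}

compare_chains
```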