On Wed, Dec 01, 2010 at 01:25:37AM -0000, Clint Byrum wrote:
> So initial testing shows that this is actually a problem with OpenSSL,
> or at least, it is OpenSSL refusing to connect to these servers:
>
> (natty-amd64)r...@clint-macbookpro:/home/clint/pkg/php5/bzr/natty-php-ssl-fix#
> openssl s_client -host cas.ucdavis.edu -port 443
> CONNECTED(00000003)
> 1787:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> unexpected message:s23_clnt.c:602:
> (natty-amd64)r...@clint-macbookpro:/home/clint/pkg/php5/bzr/natty-php-ssl-fix#
> openssl s_client -host server.db.kvk.nl -port 443
> CONNECTED(00000003)
> 1788:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode
> error:s23_clnt.c:602:

Note that if you force openssl to use ssl3 via -ssl3, a successful
connection is made. However, both warn of a self-signed certificate in
the chain, though it appears to be the top level certificate:

  $ openssl s_client -host server.db.kvk.nl -port 443 -ssl3
  CONNECTED(00000003)
  depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
  verify error:num=19:self signed certificate in certificate chain
  verify return:0
  ---
  Certificate chain
   0 s:/C=NL/ST=Utrecht/L=Woerden/O=Kamer van Koophandel Nederland/OU=Technisch Beheer/CN=SERVER.DB.KVK.NL
     i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
     i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
     i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

(server.db.kvk.nl's certificate is signed by Equifax, not Verisign.)

But perhaps the self-signed certificate thing is a red-herring, as on
hardy (0.9.8g-4ubuntu3.12) and lucid (0.9.8k-7ubuntu8.4), at least,
connecting works, but still gives the warning.

-- 
Steve Beattie
<sbeat...@ubuntu.com>
http://NxNW.org/~steve/

-- 
fopen fails on some SSL urls
https://bugs.launchpad.net/bugs/592442
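
Added example, not part of the original message: a small decoder for the two `openssl s_client` error lines quoted above, unpacking the 32-bit error code the way OpenSSL 0.9.8/1.0.x packs it (library, function, reason) and mapping SSL reasons of 1000 or more to the TLS alert number received from the peer. The function name `decode_error_line` and the alert table subset are choices made for this example.

```python
import re

# Packed error layout in OpenSSL 0.9.8/1.0.x: ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON.
ERR_LIB_SSL = 0x14
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 mean "alert received from peer"

# TLS alert descriptions from RFC 5246 section 7.2 (subset chosen for this example).
ALERTS = {10: "unexpected_message", 40: "handshake_failure",
          47: "illegal_parameter", 50: "decode_error", 70: "protocol_version"}

# Line format: pid:error:HEXCODE:library:function:reason text:file:line:
LINE_RE = re.compile(
    r"^(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):")

def decode_error_line(line):
    """Split one s_client error line and unpack its 32-bit error code."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # not an OpenSSL error-queue line
    code = int(m.group(2), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        alert = (number, ALERTS.get(number, "unknown"))
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert,
            "function": m.group(4), "text": m.group(5),
            "source": "%s:%s" % (m.group(6), m.group(7))}

# The two error lines from the message, with the e-mail line wrap rejoined.
SAMPLE = [
    "1787:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:"
    "sslv3 alert unexpected message:s23_clnt.c:602:",
    "1788:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:"
    "tlsv1 alert decode error:s23_clnt.c:602:",
]

if __name__ == "__main__":
    for line in SAMPLE:
        d = decode_error_line(line)
        print(d["function"], d["source"], "peer alert:", d["peer_alert"])
```

In both lines the reason field is 1000 plus an alert number, so each failure is an alert sent by the server while the client was waiting for the ServerHello, not a local certificate verification error.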