On 20 Dec 2004, at 7:32, Peter Stuge wrote:

Please send the output of the openssl commands that I mentioned:

openssl x509 -noout -text -in mail.crt
openssl x509 -noout -text -in nesys.ca

These look fine. I've sent the output in private.

Also, please show the output of the following command:
openssl s_client -connect mail.server:993 -CAfile nesys.ca -showcerts

While at it, try it with a client cert as well:

openssl s_client -connect mail.server:993 -CAfile nesys.ca -cert \
client.crt -key client.key -showcerts


I receive the same error:

observe# openssl s_client -connect 127.0.0.1:993 -CAfile /var/qmail/certs/nesys.ca -showcerts
CONNECTED(00000003)
20707:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:475:


On 20 Dec 2004, at 8:18, Andreas Aardal Hanssen wrote:

First of all, you could try the pem file with another SSL server and see
how that works.



Hmm ... I don't know how. With my Apache server? How could I use the pem file, since Apache has a crt file and a key file, and not a pem file with both inside?


You could also attach to tcpserver with strace, ktrace or similar and see
what is dumped when you connect.



Good idea, but my error is clear enough?

Have you tried connecting with "openssl s_client -connect host:port
-crlf"?

The same error:

observe# openssl s_client -connect 127.0.0.1:993 -crlf
CONNECTED(00000003)
20742:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:475:


Have you tried using the standard test certificate generated by "make
testcert" ?


It doesn't seem to be a cert problem ... but if my error is not clear enough for you, I'll make a new cert and I'll use ktrace.
I use openssl 0.9.7d_1 instead of 0.9.7e_1; I haven't upgraded because I heard about problems with the latest port version.


thank you very much
regards
Andrea
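
Added example, not part of the original thread: OpenSSL raises `unknown protocol` in `SSL23_GET_SERVER_HELLO` when the first bytes the client reads back are not an SSL/TLS record, so one check is to read whatever the port sends before any handshake and classify it. The function names and the sample byte strings are constructed for illustration; the probe is passive, so "silent" only means the server is waiting for the client, as a TLS server would.

```python
import socket

# TLS record content types (first byte of every SSLv3/TLS record)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes received from a port expected to speak SSL/TLS."""
    if not data:
        return "empty"
    # SSLv3/TLS record header: content type, then protocol major version 3
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 3:
        return "tls-record:" + TLS_CONTENT_TYPES[data[0]]
    # SSLv2 record: high bit set in the length, message type 4 = SERVER-HELLO
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 4:
        return "sslv2-server-hello"
    # Printable ASCII plus tab/CR/LF: a plaintext banner or a wrapper error message
    if all(b in (9, 10, 13) or 32 <= b < 127 for b in data):
        return "plaintext"
    return "unknown-binary"


def probe(host: str, port: int, timeout: float = 3.0):
    """Connect, send nothing, and classify whatever the server volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(256)
        except socket.timeout:
            return "silent", b""          # server is waiting for the client
    if not data:
        return "closed", b""              # peer closed without sending anything
    return classify_first_bytes(data), data


if __name__ == "__main__":
    # Constructed samples: a plaintext IMAP greeting and a TLS handshake record
    samples = [b"* OK IMAP4rev1 ready\r\n",
               bytes([0x16, 0x03, 0x01, 0x00, 0x4A, 0x02])]
    for sample in samples:
        print(classify_first_bytes(sample), repr(sample[:24]))
```

A "plaintext" result on a port such as 993 means the listener is answering in clear text, which points at how the service is started rather than at the certificate.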


