Your message dated Tue, 12 Mar 2024 19:50:54 +0100
with message-id <[email protected]>
and subject line Re: [Pkg-openssl-devel] Bug#1065424: Bug#1065424: Can't 
connect to Active Directory with openssl
has caused the Debian Bug report #1065424,
regarding Can't connect to Active Directory with openssl
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1065424: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065424
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
  Version: 3.0.11-1~deb12u2


  When I invoke `/usr/bin/openssl s_client -connect 192.168.92.95:636`


root@nsd-sdproxy1:~# cat /etc/debian_version
12.5
root@nsd-sdproxy1:~#

root@nsd-sdproxy1:~# uname -a
Linux nsd-sdproxy1 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
root@nsd-sdproxy1:~#


I have the latest patches installed.


Telnet works

root@nsd-sdproxy1:~# telnet  192.168.92.95 636
Trying 192.168.92.95...
Connected to nsd-ad.
Escape character is '^]'.


From the latest Rocky Linux it is OK

[bogucki@nsd-ansible ~]$ /usr/bin/openssl  s_client -connect 192.168.92.95:636
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = dc1.dev.it
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = dc1.dev.it
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = dc1.dev.it
verify return:1
---
Certificate chain
 0 s:CN = dc1.dev.it
   i:DC = it, DC = dev, CN = dev-DC1-CA
---
Server certificate
subject=CN = dc1.dev.it

issuer=DC = it, DC = dev, CN = dev-DC1-CA

---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2020 bytes and written 467 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA256
    Session-ID: 281C000089A8FE3766C77054BA467FB88A4AFE62F9B52D478E6840B5B29F2787
    Session-ID-ctx:
    Master-Key: 2A4EBD468A173EA25C9217F586BE7D91206D0D367D75F44118205118DEE042B5B804292F3FEFD020A19EC6034F86B19C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1709547310
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---




--
Kind regards
Maciej Bogucki

--- End Message ---
--- Begin Message ---
On 2024-03-12 12:14:34 [+0100], Maciej Bogucki wrote:
> Sebastian,
> 
> Thank you for your help. I added "-cipher DEFAULT:@SECLEVEL=0" and this
> resolved the case. 🙂

Closing then.

> Kind regards
> Maciej Bogucki

Sebastian

--- End Message ---
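
Added example, not part of the bug report or of OpenSSL: a small check that reads an `openssl s_client` transcript and names the handshake parameters that the OpenSSL 3.0 security levels reject, such as the "Peer signing digest: SHA1" line in the Rocky Linux output above. The function names and the sample input are constructed for illustration; the thresholds are taken from the OpenSSL 3.0 documentation for SSL_CTX_set_security_level.

```shell
#!/bin/sh
# Constructed sample: the relevant lines of the s_client transcript above.
sample_transcript() {
cat <<'EOF'
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
EOF
}

# Reads an s_client transcript on stdin and prints one finding per line.
# Exit status: 0 = nothing flagged, 1 = at least one finding.
audit_s_client() {
    awk '
    BEGIN { bad = 0 }
    # SHA1/MD5 handshake signatures are only accepted at SECLEVEL=0 in 3.0.
    /^Peer signing digest:/ {
        if ($4 == "SHA1" || $4 == "MD5" || $4 == "MD5-SHA1") {
            print "weak-signing-digest " $4; bad = 1
        }
    }
    # Level 2 (the Debian default) prohibits RSA keys shorter than 2048 bits.
    /^Server public key is/ {
        if ($5 + 0 < 2048) { print "small-server-key " $5; bad = 1 }
    }
    # "New, TLSv1.2, Cipher is ...": field 2 is the protocol plus a comma.
    /^New, / {
        proto = $2; sub(/,$/, "", proto)
        if (proto == "SSLv3" || proto == "TLSv1" || proto == "TLSv1.1") {
            print "legacy-protocol " proto; bad = 1
        }
    }
    END { exit bad }
    '
}

# Against a live server, using the option from this thread for this one
# command only (the address is the one from the report):
#   openssl s_client -connect 192.168.92.95:636 \
#       -cipher 'DEFAULT:@SECLEVEL=0' </dev/null 2>/dev/null | audit_s_client
sample_transcript | audit_s_client || true   # prints: weak-signing-digest SHA1
```

Each finding is a server-side setting to correct so that clients can connect at their default security level instead of keeping SECLEVEL=0 in place.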