Simon Josefsson <[email protected]> wrote on 11/20/2009 08:57:06 AM:
> Simon Josefsson <[email protected]>
> 11/20/2009 08:57 AM
>
> To: Tomasz Welman/Poland/i...@ibmpl
> cc: [email protected]
> Subject: Re: gnutls is unable to get x509 certificate
>
> Tomasz Welman <[email protected]> writes:
>
> > Hi,
> >
> > The problem is that I am using LDAP, and ldaps://, but it doesn't work.
> > With the help of openldap guys, I've tracked down the issue to be gnutls
> > problem.
> >
> > The full description (with (hopefully all of the) debugging info) is here:
> >
> > http://www.openldap.org/lists/openldap-technical/200911/msg00039.html
>
> The IBM server is buggy, this has been debugged before, see complete
> discussion and workarounds:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466477

Ok, that helped a bit. When I'm doing:

gnutls-cli -p 636 bluepages.ibm.com --priority NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-CTYPE-OPENPGP

it's working, but if I am giving it the CA certificate obtained this way:

openssl s_client -host bluepages.ibm.com -port 636 > bp.cert

and then:

twel...@darthvader:~$ gnutls-cli --x509cafile bp.cert -p 636 bluepages.ibm.com --priority NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-CTYPE-OPENPGP

it fails with message:

Processed 1 CA certificate(s).
Resolving 'bluepages.ibm.com'...
Connecting to '9.17.186.253:636'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
  - subject `C=US,ST=Colorado,L=Boulder,O=International Business Machines,OU=Terms of use at www.verisign.com/rpa (c)05,OU=Terms of use at www.verisign.com/rpa (c)05,CN=bluepages.ibm.com', issuer `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure Server CA', RSA key 1024 bits, signed using RSA-SHA, activated `2008-03-19 00:00:00 UTC', expires `2011-05-23 23:59:59 UTC', SHA-1 fingerprint `b4ed74f52d5de2efac31cbac286ef20bccaba87a'
- Certificate[1] info:
  - subject `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure Server CA', issuer `C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority', RSA key 2048 bits, signed using RSA-SHA, activated `2005-01-19 00:00:00 UTC', expires `2015-01-18 23:59:59 UTC', SHA-1 fingerprint `188590e94878478e33b6194e59fbbb28ff0888d5'
- Certificate[2] info:
  - subject `C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority', issuer `C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority', RSA key 1024 bits, signed using RSA-MD2 (broken!), activated `1996-01-29 00:00:00 UTC', expires `2028-08-01 23:59:59 UTC', SHA-1 fingerprint `742c3192e607e424eb4549542be1bbc53e6174e2'
- The hostname in the certificate matches 'bluepages.ibm.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: SSL3.0
- Key Exchange: RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
*** Verifying server certificate failed...
The bp.cert looks like this:

twel...@darthvader:~$ cat bp.cert
-----BEGIN CERTIFICATE-----
MIIFbzCCBFegAwIBAgIQQqowfydfbhGjnIrdG/yoqTANBgkqhkiG9w0BAQUFADCB
sDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMh
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBMB4XDTA4MDMxOTAwMDAw
MFoXDTExMDUyMzIzNTk1OVowgeIxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhDb2xv
cmFkbzEQMA4GA1UEBxQHQm91bGRlcjEoMCYGA1UEChQfSW50ZXJuYXRpb25hbCBC
dXNpbmVzcyBNYWNoaW5lczEzMDEGA1UECxQqVGVybXMgb2YgdXNlIGF0IHd3dy52
ZXJpc2lnbi5jb20vcnBhIChjKTA1MTMwMQYDVQQLFCpUZXJtcyBvZiB1c2UgYXQg
d3d3LnZlcmlzaWduLmNvbS9ycGEgKGMpMDUxGjAYBgNVBAMUEWJsdWVwYWdlcy5p
Ym0uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSUyh7l1px1jcmNeqf
48bV4DQUKhk1h0uBOn24+HdD5YS0TuYrOVtY7L/oX6jT+2Klaogyq8JdYaREnKJo
NVAHyPoAYUrnCHwguZdK0KRo9EjbP55qGoYw0gtd0zD9f/G03237x+Kz6sVAvnmN
zWeHZ8OT4EfLKDa1pGW/F7QHTQIDAQABo4IB0zCCAc8wCQYDVR0TBAIwADALBgNV
HQ8EBAMCBaAwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDovL1NWUlNlY3VyZS1jcmwu
dmVyaXNpZ24uY29tL1NWUlNlY3VyZTIwMDUuY3JsMEQGA1UdIAQ9MDswOQYLYIZI
AYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29t
L3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAU
b+yvoN2KpO/1KhBnLT9VgrzX7yUweQYIKwYBBQUHAQEEbTBrMCQGCCsGAQUFBzAB
hhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20wQwYIKwYBBQUHMAKGN2h0dHA6Ly9T
VlJTZWN1cmUtYWlhLnZlcmlzaWduLmNvbS9TVlJTZWN1cmUyMDA1LWFpYS5jZXIw
bgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMC
GgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYkaHR0cDovL2xvZ28udmVyaXNpZ24u
Y29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEBBQUAA4IBAQBXSkgfiiwhOkhj1jZn
NYM+ic3E3niRM7xFuz4nz2vX5L7ThVFlYFlWoOynNyfuVXqMxqrf6f8Y2uVMY5Cj
PohjrjVocgDsN8epFaplIH/HSXj21q385wAajfYBsxzTQqHytUZ0Apva7rpGAG9l
TUYyqA7vxmr/xLTIPzWNk680hwXihFFw8f4vcIvS1riu1AwESUiRQN2BJkTAaRKt
n2qjBWirioah4j8kJWvsH/p1P7OAg63rM9hEWi3t9aQBZ2JKKKwmdTI98J2wG/nC
PkwhK2dIdkBjr+6ICd0Hp8MME0oTpXq8CuiAbEQRcvQ6aUttnDYOnE8dluRPccgf
5BFI
-----END CERTIFICATE-----

Can you help? What I want to achieve is to get the CA (as I did with openssl
s_client) and then be able to connect giving this CA for validation, so I'm
sure this bluepages.ibm.com is actually the same server that gave me the CA.

--
Tomasz 'Trog' Welman
Software Developer
external: 48-12-628-9449 ITN: 34819449 T/L: 9449
IBM SWG Lab, Krakow, Poland
IBM Polska Sp. z o.o. oddział w Krakowie
ul. Armii Krajowej 18, 30-150 Kraków
NIP: 526-030-07-24, KRS 0000012941
Share capital: 33.000.000 PLN
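An added example, not part of the thread above and not code from the GnuTLS or OpenSSL projects. A plain `openssl s_client ... > bp.cert` capture, as used for bp.cert above, writes only the server's own certificate: the PEM in the message decodes to the bluepages.ibm.com leaf issued by VeriSign Class 3 Secure Server CA, so gnutls-cli was handed the leaf as its only "CA" and reported the issuer as unknown. With `-showcerts` s_client prints the whole chain the server sent; the script below splits that output into one file per certificate, finds the self-signed root from the ` N s:` / `i:` lines, and concatenates everything except the leaf into a file for `--x509cafile`. The s_client output embedded in it is constructed (subjects copied from the chain gnutls-cli printed, certificate bodies are placeholders) so that it runs offline; the file names and function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the thread or from GnuTLS/OpenSSL.
# A plain `openssl s_client ... > bp.cert` capture holds only the server's
# own (leaf) certificate; `openssl s_client -showcerts` prints the whole
# chain the server sends. These helpers split such output into one PEM
# file per certificate and assemble a CA file for gnutls-cli --x509cafile.

# Constructed stand-in for `openssl s_client -showcerts -connect
# bluepages.ibm.com:636` output. Subjects follow the chain gnutls-cli
# printed in the message; the base64 bodies are placeholders, not real
# certificates, so the script runs offline.
write_sample_chain() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Colorado/L=Boulder/O=International Business Machines/CN=bluepages.ibm.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/CN=VeriSign Class 3 Secure Server CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER0
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/CN=VeriSign Class 3 Secure Server CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER1
-----END CERTIFICATE-----
 2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDER2
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Colorado/L=Boulder/O=International Business Machines/CN=bluepages.ibm.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/CN=VeriSign Class 3 Secure Server CA
---
EOF
}

# split_chain INPUT OUTDIR: write OUTDIR/chain-0.pem (leaf), chain-1.pem, ...
# in the order the server sent them and print how many were found.
split_chain() {
    mkdir -p "$2"
    awk -v out="$2" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = out "/chain-" n ".pem"; p = 1 }
        p { print > f }
        /-----END CERTIFICATE-----/ { close(f); p = 0; n++ }
        END { print n }
    ' "$1"
}

# self_signed_index INPUT: index of the first chain entry whose subject
# equals its issuer (the root), or -1 when the server sent no root.
self_signed_index() {
    awk '
        /^ *[0-9]+ s:/ { idx = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        /^ *i:/ { sub(/^ *i:/, ""); if ($0 == subj) { print idx; found = 1; exit } }
        END { if (!found) print -1 }
    ' "$1"
}

# build_cafile OUTDIR COUNT CAFILE: concatenate every certificate except
# chain-0 (the leaf) into CAFILE and print how many it contains. Handing
# the leaf itself to --x509cafile is what produced "issuer is unknown".
build_cafile() {
    : > "$3"
    i=1
    while [ "$i" -lt "$2" ]; do
        cat "$1/chain-$i.pem" >> "$3"
        i=$((i + 1))
    done
    grep -c -- '-----BEGIN CERTIFICATE-----' "$3"
}

# Stand-alone demo on the constructed chain. Against the real server the
# first step would instead be:
#   openssl s_client -connect bluepages.ibm.com:636 -showcerts </dev/null > showcerts.txt
tmp=$(mktemp -d)
write_sample_chain "$tmp/showcerts.txt"
n=$(split_chain "$tmp/showcerts.txt" "$tmp/certs")
echo "certificates sent by server: $n"
echo "self-signed root at chain index: $(self_signed_index "$tmp/showcerts.txt")"
m=$(build_cafile "$tmp/certs" "$n" "$tmp/ca.pem")
echo "CA certificates in $tmp/ca.pem: $m"
echo "then: gnutls-cli --x509cafile $tmp/ca.pem -p 636 bluepages.ibm.com"
```

Two caveats a practitioner would want here. A CA file assembled from what the server itself sent is trust-on-first-use: it only proves that later connections reach whoever held the key on the day of the capture, so compare the root's SHA-1 fingerprint that gnutls-cli printed (`742c3192...74e2` for the self-signed Class 3 Public Primary CA) with a copy obtained out of band before relying on it. And the priority string used as a workaround removes every TLS version, which is why the session above negotiated SSL3.0; that is a downgrade, not just a compatibility knob.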
_______________________________________________ Help-gnutls mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-gnutls
