On Thu, 08. Dec 16 - 13:42:29, Claus-Michael Schlesinger wrote:
> [...]
> 
> 2) straced mbsync and openssl s_client -connect --> it seems to me
> that both programs try to call the same local cert data without
> finding anything (the two certificate both programs look for in
> /etc/ssl/certs/ don't exist). Connection is established but mbsync
> does not continue with the certificate chain whereas openssl does. I
> can't quite figure out why due to lack of technical understanding on
> my side.
> 
> Here's the full strace output from mbsync: 
> http://dock.in-berlin.de/paste/mbsync.strace
> from openssl s_client -connect: http://dock.in-berlin.de/paste/openssl.strace
> and a diff from these two straces: 
> http://dock.in-berlin.de/paste/diff.mbsync.openssl.strace

Hi there,

just a quick heads-up that may retroactively reveal your initial
problem:

The openssl stacktrace hints at the same cert error as mbsync; there are
some verification errors:

write(2, "verify error:num=20:unable to ge"..., 59) = 59
write(2, "verify error:num=21:unable to ve"..., 59) = 59
write(1, "    Verify return code: 21 (unab"..., 68) = 68

Looks to me like openssl didn't like the certificate any more than
mbsync did. Just for clarification: openssl s_client connects to the
given hostname regardless of certificate problems. It shows the
certificate chain and its details, so you have to read its output to
uncover any problems with certificate validity.

In case openssl s_client and mbsync both give the same validation error,
this might be a certificate mismatch on the ssl proxy. Otherwise, please
ignore my babbling ;-)


HTH,
Markus

> On Thu, Dec 08, 2016 at 10:24:14AM +0100, Oswald Buddenhagen wrote:
> > On Wed, Dec 07, 2016 at 12:11:35PM +0100, Claus-Michael Schlesinger wrote:
> > > SSL error connecting mbox.uni-stuttgart.de (129.69.1.9:996): unable to 
> > > get local issuer certificate
> > > 
> > > Connecting with openssl s_client still works fine. 
> > >
> > this suggests that mbsync is for some reason using different defaults
> > than openssl.
> > are you sure that both link to the same libssl version? verify with ldd.
> > other than that, you can use ltrace/strace to find out where the
> > programs are looking for the CA certificate store.
> > 
> > to work around the issue, you can use get-cert to fetch the proxy's
> > certificate and put it into the CertificateFile option. this bypasses
> > the certificate chain verification on mbsync's side.
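
Added example, not part of the original messages: because openssl s_client keeps the connection open despite verification errors, a scripted check has to read the "Verify return code" line rather than rely on the connection succeeding. The function names and the two transcripts below are constructed for illustration; the error strings are OpenSSL's standard texts for codes 20 and 21.

```shell
#!/bin/sh
# Decide pass/fail from an `openssl s_client` transcript read on stdin
# (stdout and stderr combined). Hypothetical helper names.

# Print the numeric "Verify return code" (nothing if the line is absent).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Echo every "verify error" line to stderr, then succeed only when the
# final verify return code is 0. A missing code counts as failure.
check_verify() {
    transcript=$(cat)
    printf '%s\n' "$transcript" | grep '^verify error:' >&2 || true
    code=$(printf '%s\n' "$transcript" | verify_code)
    [ "$code" = "0" ]
}

# Constructed transcript: handshake completes, chain does not verify.
sample_fail() { cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = mail.example.test
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed transcript: chain verifies against the local CA store.
sample_ok() { cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Test CA
depth=0 CN = mail.example.test
---
    Verify return code: 0 (ok)
EOF
}

# Live use (HOST:PORT is a placeholder):
#   openssl s_client -connect HOST:PORT </dev/null 2>&1 | check_verify
```

Run against a live server, a non-zero exit from check_verify means s_client saw the same class of chain failure that makes mbsync abort.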

_______________________________________________
isync-devel mailing list
isync-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/isync-devel
