On 01/26/2009 08:40 PM, Marco De Vitis wrote:
> On 26 Jan 2009, at 05:14, Crypto Sal wrote:
>> Do any other clients (s_client, web browser, etc) exhibit the same
>> behavior or an error message? If yes, what's the error response?
> Well, I currently do not know how to apply that certificate to an HTTP
> server to test it with browsers. Both Firefox and IE refuse to connect
> on POPS port 995, of course.
Well, you should be able to set up Apache2 to use your certificate quite
easily, and the Apache docs are quite easy to follow. All you'd have to
do is move the key and certificate over to an area that Apache has
access to, modify the SSL-related settings, and things should be
all right; you'll see whether browsers choke too or it's M$ products. I would
also try Thunderbird and other email clients on the email server side of
things.
For s_client see below.
>> When you use s_client to connect to your mail server does it pass
>> verification through both ways, IP and DNS?
> I never used s_client before, I tried it now, but it doesn't seem to
> care at all about the CN difference: as far as I can see, and as long
> as I pass it the CA cert with the -CAfile option, it doesn't return
> any verification error, not even when I connect to the server with a
> totally different name from the ones stored in CN or subjectAltName!
> It just outputs "verify return:1" for both the server and CA
> certificates which build up the chain.
> So, s_client seems a bit too relaxed to me, or am I missing anything?
That's because you're only verifying the chain of trust, you are not
verifying host name. This is in the latest development version of
OpenSSL. Sorry, you did mention you were on 0.9.8c. Very sorry about this.
Can you do an s_client and dump the cert to OpenSSL's x509 and read
the cert? Do the SubjectAltNames appear in the "X509v3 Subject
Alternative Name" section when doing so?
> How can I dump the certificate using s_client? I can't see anything
> about this in its man page.
openssl s_client -connect HOST_NAME:PORT -starttls pop3 | openssl x509 -text -noout

Alternatively, openssl x509 -text -noout -in YOUR_CERT_HERE, and you can
read the text output of the certificate instead of its hashed value.
>> What is the *exact* error you get with the Microsoft Products when
>> you use this format? Hostname Mismatch? Untrusted Cert?
> I'd say Hostname Mismatch. Both OE and Outlook just show a dialog
> containing no deep tech info, but they simply complain about the name
> of the server not being the same contained in the provided certificate.
Usually Outlook will display a box with a series of checks and red X's.
I am pretty sure it has three areas and in most cases it is the last one
that it fails on. I wish I had a screenshot for you. I just saw one the
other day too.
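The distinction drawn in the thread is that "verify return:1" from s_client only says the chain up to the -CAfile root validated; nothing in that step compares the name you connected to against the certificate. The following is an added example, not code from the thread or from OpenSSL, that implements the name-matching step a mail client or browser performs on top of chain validation: dNSName entries in subjectAltName win over the CN, a wildcard is honoured only as the whole leftmost label, and an IP literal is matched only against iPAddress entries. The certificate dicts are constructed by hand to stand in for the fields you would read out of `openssl x509 -text`; no real certificate is parsed. (Later OpenSSL releases added a -verify_hostname option to s_client that performs this check for you.)

```python
"""Hostname-vs-certificate matching, separate from chain-of-trust validation.

Added illustration; the certificate dicts below are constructed samples,
not parsed certificates. Keys mirror the fields shown by `openssl x509 -text`.
"""
import ipaddress


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (or CN) pattern against a hostname.

    Case-insensitive; a '*' is accepted only as the entire leftmost label,
    matches exactly one label, and is rejected for patterns as short as
    '*.org' so a wildcard can never cover a whole top-level domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def matches_certificate(cert: dict, server_name: str) -> bool:
    """True if server_name is a name this certificate was issued for."""
    san = cert.get("subjectAltName", [])
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP"]

    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is checked only against iPAddress entries,
        # never against dNSName entries or the CN.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)

    if dns_names:
        # When dNSName entries exist, the CN is ignored entirely.
        return any(_dns_pattern_matches(p, server_name) for p in dns_names)

    # Legacy fallback: consult the CN only if no dNSName SAN is present.
    cn = cert.get("subject", {}).get("CN")
    return cn is not None and _dns_pattern_matches(cn, server_name)


def verify_connection(chain_valid: bool, cert: dict, server_name: str) -> dict:
    """Combine the two independent checks into one verdict.

    chain_valid stands in for s_client's 'verify return:1'; the hostname
    check is the part that result does not cover.
    """
    name_ok = matches_certificate(cert, server_name)
    return {"chain": chain_valid, "hostname": name_ok, "ok": chain_valid and name_ok}


# Constructed sample: a server cert with both CN and SAN, as in the thread.
SAMPLE_CERT = {
    "subject": {"CN": "mail.example.org"},
    "subjectAltName": [
        ("DNS", "mail.example.org"),
        ("DNS", "pop.example.org"),
        ("IP", "192.0.2.10"),
    ],
}

if __name__ == "__main__":
    for name in ("pop.example.org", "imap.example.org", "192.0.2.10"):
        print(name, verify_connection(True, SAMPLE_CERT, name))
```

Run it with a chain result of True and a name not in the SAN list and you get exactly the situation Marco describes: the chain verdict is fine while the hostname verdict fails, which is what Outlook and Outlook Express report as a server-name mismatch.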
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]