On 31/3/04 3:42 pm, Danny Carroll <[EMAIL PROTECTED]> wrote:

> use IO::Socket::SSL;
> my $ssl = new IO::Socket::SSL("localhost:636");
> print "SSL Cipher: " . $ssl->get_cipher() . "\n";
> 
> outputs:
> SSL Cipher: DES-CBC3-SHA
> 
> So it should fit....

OK.

>> Another thing to try is the openssl command-line client against the LDAPS
>> port.
>> 
>>     openssl s_client -connect hostname:636 -debug
>> 
> 
> This produces:
> 
> openssl s_client -connect localhost:636 -debug
> CONNECTED(00000003)
> write to 0814C020 [0814C068] (124 bytes => 124 (0x7C))
> 0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
> <SNIP!!!>
> 0070 - 4f c8 a2 f7 a7 74 77 8d-01 a4 8d 5e               O....tw....^
> read from 0814C020 [081515C8] (7 bytes => 7 (0x7))
> 0000 - 16 03 01 00 4a 02                                 ....J.
> 0007 - <SPACES/NULS>
> read from 0814C020 [081515CF] (72 bytes => 72 (0x48))
> 0000 - 00 46 03 01 40 6a c9 5e-69 68 4f 99 cb 1b 06 6d   [EMAIL PROTECTED]
> <SNIP!!!>
> 0040 - 42 ed 3d aa 95 00 0a                              B.=....
> 0048 - <SPACES/NULS>
> read from 0814C020 [081515C8] (5 bytes => 5 (0x5))
> 0000 - 16 03 01 03 36                                    ....6
> read from 0814C020 [081515CD] (822 bytes => 822 (0x336))
> 0000 - 0b 00 03 32 00 03 2f 00-03 2c 30 82 03 28 30 82   ...2../..,0..(0.
> <SNIP!!!>
> 0320 - d5 0c 5e 78 1b e4 77 2c-b9 d5 1b 00 ad f2 bc c0   ..^x..w,........
> 0330 - 10 d9 8f 23 ec 3d                                 ...#.=
> depth=0 /C=NL/ST=ZH/L=Zoetermeer/O=Kennisnet/CN=myfqdn
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=NL/ST=ZH/L=Zoetermeer/O=Kennisnet/CN=myfqdn
> verify error:num=21:unable to verify the first certificate
> verify return:1

This is not what I see when I connect to a server offering a self-signed
cert to me; what I see is:

depth=0 /C=IQ/CN=localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IQ/CN=localhost
verify return:1

The verify codes are in the verify(1) man page.

Perhaps the fqdn in the cert is the difference; can you run the client on a
machine and connect to the hostname mentioned in the cert?

[...]
>   Verify return code: 21 (unable to verify the first certificate)

I get:

    Verify return code: 18 (self signed certificate)

> It is a self signed cert....  But I have tried with verify->'none'  and it
> still does not work...

But for some reason openssl doesn't think it is self-signed, because the
verify code's different.

Cheers,

Chris
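The distinction Chris draws above (verify code 18 versus 20/21) is easy to automate when triaging `openssl s_client` output. The following is an added example, not code from either poster: a small Python parser that reads the `depth=`, `verify error:num=` and `Verify return code:` lines from an s_client run and classifies the failure by its numeric X509 verify code. The sample inputs are the two runs quoted in this thread, re-typed here with the hex dumps left out; the function and variable names are my own.

```python
import re

# Verification error codes as listed in OpenSSL's verify(1) man page.
# Classification below keys on the number, because the wording changed
# between OpenSSL releases ("self signed" vs "self-signed").
VERIFY_CODES = {
    0: "ok",
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

DEPTH_RE = re.compile(r"^depth=(\d+) (.+)$")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
RETURN_CODE_RE = re.compile(r"^Verify return code: (\d+) \((.*)\)$")


def parse_s_client(output):
    """Pull the chain subjects, per-depth verify errors and the final
    'Verify return code' out of openssl s_client's text output.
    Hex dump lines and everything else are ignored."""
    subjects = {}
    errors = []
    final = None
    for raw in output.splitlines():
        line = raw.strip()
        m = DEPTH_RE.match(line)
        if m:
            subjects[int(m.group(1))] = m.group(2)
            continue
        m = VERIFY_ERR_RE.match(line)
        if m:
            errors.append(int(m.group(1)))
            continue
        m = RETURN_CODE_RE.match(line)
        if m:
            final = int(m.group(1))
    return {"subjects": subjects, "errors": errors, "final": final}


def diagnose(output):
    """Classify the failure the way the thread does: code 18 means the leaf
    really is self-signed (issuer == subject); codes 20/21 mean the leaf
    names an issuer the client cannot find locally, so trusting the leaf
    itself will not make verification pass."""
    info = parse_s_client(output)
    codes = set(info["errors"])
    if info["final"] is not None:
        codes.add(info["final"])
    if not codes or codes == {0}:
        kind = "verified"
        advice = "chain verified against the local trust store"
    elif 18 in codes:
        kind = "self_signed"
        advice = ("leaf certificate is self-signed; the client must trust that "
                  "exact certificate (e.g. SSL_ca_file / -CAfile) to verify it")
    elif codes & {20, 21}:
        kind = "untrusted_issuer"
        advice = ("leaf certificate is NOT self-signed: its issuer differs from "
                  "its subject and no local copy of the issuer was found; the "
                  "server must send the chain or the client needs the CA cert")
    else:
        kind = "other"
        advice = "; ".join(VERIFY_CODES.get(c, "code %d" % c) for c in sorted(codes))
    return {"kind": kind, "codes": sorted(codes),
            "chain_depths": len(info["subjects"]), "advice": advice}


# Constructed sample: the verification lines from the two s_client runs
# quoted in this thread (hex dumps omitted).
DANNY_OUTPUT = """\
depth=0 /C=NL/ST=ZH/L=Zoetermeer/O=Kennisnet/CN=myfqdn
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=NL/ST=ZH/L=Zoetermeer/O=Kennisnet/CN=myfqdn
verify error:num=21:unable to verify the first certificate
verify return:1
    Verify return code: 21 (unable to verify the first certificate)
"""

CHRIS_OUTPUT = """\
depth=0 /C=IQ/CN=localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IQ/CN=localhost
verify return:1
    Verify return code: 18 (self signed certificate)
"""

if __name__ == "__main__":
    for name, out in (("Danny", DANNY_OUTPUT), ("Chris", CHRIS_OUTPUT)):
        print(name, diagnose(out))
```

Keying on the numeric code rather than the message text keeps the check stable across OpenSSL versions, and `chain_depths` of 1 in both runs shows the server sent only its leaf, which is why a non-self-signed leaf (Danny's case) fails with 20/21 unless the client already has the issuer's certificate.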
