Below is the end of an exchange between myself and the OpenSSL mailing list.
My guess appears to have been correct: QPopper is not sending the
intermediate certificate to get from Comodo to GTE, and does not appear to
have such an option.

Can this be patched?

-- 
       Alan W. Rateliff, II        :       RATELIFF.NET
 Independent Technology Consultant :    [EMAIL PROTECTED]
      (Office) 850/350-0260        :  (Mobile) 850/559-0100
-------------------------------------------------------------
[System Administration][IT Consulting][Computer Sales/Repair]


----- Original Message ----- 
From: "Ken Ballou" <[EMAIL PROTECTED]>
To: "Alan W. Rateliff, II" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, October 06, 2003 12:48 AM
Subject: Re: Chained certificates


> ----- Original Message -----
> From: "Alan W. Rateliff, II" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, October 05, 2003 10:08 PM
> Subject: Re: Chained certificates
>
>
> > ----- Original Message -----
> > From: "Ken Ballou" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, September 30, 2003 8:42 PM
> > Subject: Re: Chained certificates
> >
> >
> > > Ah, I see the question.  I'd bet that sendmail and Apache are sending the
> > > intermediate CA certificate (and maybe the root CA certificate, or perhaps
> > > not).  From the web site I mentioned in my first reply, I see there's
> > > actually a "Comodo Class 3 Security Services CA" certificate.  It appears
> > > that would be the certificate for the CA that issued your certificate.
> > > Then, the GTE CyberTrust Root is the CA that issued the Comodo Class 3
> > > certificate.
> > >
> > > It might be worth running ssldump or a network sniffer (such as Ethereal)
> > > to capture the certificate chain that's presented in both cases.  If the
> > > same client trusts your certificate when it is offered by Apache or by
> > > sendmail, but not when it is offered by QPopper (and if it is the same
> > > client), then I'd suspect that the intermediate certificate is the one
> > > giving you problems.
> > >
> > > Does "openssl s_client -showcerts -connect host:port" shed any light?  That
> > > might be an even better test than turning immediately to ssldump.
> >
> > I suspect the same, but not knowing the inner workings of SSL/TLS and thus
> > OpenSSL, I didn't want to jump to any conclusions.
> >
> > Here is the output of the command against my POP3 server on the secured
> > channel.  I did not post to the list because of the length of output.
>
> I've deleted the actual certificate to trim the message.  The subject
> and issuer lines are enough to figure out what's going on.
>
>
> > /usr/local/ssl/bin/openssl s_client -showcerts -connect secure.rateliff.net:995
> > CONNECTED(00000003)
> > depth=0 /C=US/2.5.4.17=32315-7052/ST=Florida/L=Tallahassee/2.5.4.9=PO Box 37052/O=Alan W Rateliff II/OU=RATELIFF.NET/OU=InstantSSL/CN=secure.rateliff.net
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /C=US/2.5.4.17=32315-7052/ST=Florida/L=Tallahassee/2.5.4.9=PO Box 37052/O=Alan W Rateliff II/OU=RATELIFF.NET/OU=InstantSSL/CN=secure.rateliff.net
> > verify error:num=27:certificate not trusted
> > verify return:1
> > depth=0 /C=US/2.5.4.17=32315-7052/ST=Florida/L=Tallahassee/2.5.4.9=PO Box 37052/O=Alan W Rateliff II/OU=RATELIFF.NET/OU=InstantSSL/CN=secure.rateliff.net
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/C=US/2.5.4.17=32315-7052/ST=Florida/L=Tallahassee/2.5.4.9=PO Box 37052/O=Alan W Rateliff II/OU=RATELIFF.NET/OU=InstantSSL/CN=secure.rateliff.net
> >    i:/C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and Conditions of use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo Class 3 Security Services CA
> [certificate removed]
> > ---
> > Server certificate
> > subject=/C=US/2.5.4.17=32315-7052/ST=Florida/L=Tallahassee/2.5.4.9=PO Box 37052/O=Alan W Rateliff II/OU=RATELIFF.NET/OU=InstantSSL/CN=secure.rateliff.net
> > issuer=/C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and Conditions of use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo Class 3 Security Services CA
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1508 bytes and written 346 bytes
> > ---
>
>
> Yup, that's it.  Your POP3 server sent the certificate issued by
> "Comodo Limited" to you ("O=Alan W Rateliff"), but there's no
> certificate getting you from the trusted root "GTE CyberTrust Root" to
> "Comodo Limited".
>

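As an added example (not code from the thread, from OpenSSL or from QPopper), a small Python checker that parses the chain summary `openssl s_client -showcerts` prints and walks the `s:`/`i:` lines the way the reply above does by hand: it reports the first issuer that is neither a trusted root nor the subject of the next certificate the server sent, which here is the Comodo intermediate the server never supplies. The sample outputs, the shortened DNs and the trust-store set are constructed, and the GTE root DN is a placeholder.

```python
import re
# Constructed sample, modelled on the thread's `openssl s_client -showcerts`
# output for the POP3S server (chain summary only, certificates cut).
SAMPLE_BROKEN = """\
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/O=Alan W Rateliff II/CN=secure.rateliff.net
   i:/C=GB/O=Comodo Limited/CN=Comodo Class 3 Security Services CA
---
"""
# Constructed: the same server once it also sends the Comodo intermediate.
SAMPLE_FIXED = """\
Certificate chain
 0 s:/C=US/O=Alan W Rateliff II/CN=secure.rateliff.net
   i:/C=GB/O=Comodo Limited/CN=Comodo Class 3 Security Services CA
 1 s:/C=GB/O=Comodo Limited/CN=Comodo Class 3 Security Services CA
   i:/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
---
"""
# Hypothetical client trust store: subject DNs the client already holds.
TRUSTED_ROOTS = {"/C=US/O=GTE Corporation/CN=GTE CyberTrust Root"}

def parse_chain(output):
    """Return [(subject, issuer), ...] from the 'Certificate chain' block."""
    chain, in_block, subject = [], False, None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_block = True
        elif in_block and line.strip() == "---":
            break  # end of the chain block
        elif in_block:
            m = re.match(r"\s*(\d+ s|i):(.*)$", line)
            if m and m.group(1) != "i":
                subject = m.group(2).strip()  # " N s:" line
            elif m and subject is not None:
                chain.append((subject, m.group(2).strip()))  # "   i:" line
                subject = None
    return chain

def check_chain(output, trusted=TRUSTED_ROOTS):
    """Each issuer must be a trusted root or the next cert's subject."""
    chain = parse_chain(output)
    for idx, (_subject, issuer) in enumerate(chain):
        if issuer in trusted:
            return True, None  # chain reaches a root the client holds
        if idx + 1 >= len(chain) or chain[idx + 1][0] != issuer:
            return False, issuer  # the 'unable to get local issuer' case
    return False, None  # nothing presented at all
```

Run the real `s_client -showcerts` output through `check_chain` after adding the intermediate to the server's configuration; a `(True, None)` result means the presented chain now links up to a root the client holds.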