RE: how to get the trusted certificate of the website mail.yahoo.com?

2006-11-06 Thread Hu, Yong Jun SNLB PEK



thanks a lot, Gait. You are right!!

--Hu Yongjun


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gait Boxman
Sent: Monday, November 06, 2006 3:04 PM
To: openssl-users@openssl.org
Subject: Re: how to get the trusted certificate of the website mail.yahoo.com?

Hi, did you try connecting to Yahoo with the ibm.com.pem as your CAFile? Looks like they're not sending the Equifax cert along, whereas IBM is. If I'm not mistaken, the ibm.com.pem is actually the Equifax cert, IBM's cert would be the one starting with MIIC..

--Gait.

Hu, Yong Jun SNLB PEK wrote:

  
  
  hello, dear all:
  1)
  I use the command openssl to get the trusted certificate, but there are some errors showing in the output:

  bash-2.03# /usr/local/ssl/bin/openssl s_client -showcerts -connect login.yahoo.com:443
  CONNECTED(0004)
  depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
  verify error:num=20:unable to get local issuer certificate
  verify return:1
  depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
  verify error:num=27:certificate not trusted
  verify return:1
  depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
  verify error:num=21:unable to verify the first certificate
  verify return:1
  ---
  Certificate chain
   0 s:/C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
     i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  ---
  Server certificate
  subject=/C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
  issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 907 bytes and written 320 bytes
  ---
  New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
  Server public key is 1024 bit
  SSL-Session:
   Protocol : TLSv1
   Cipher : DES-CBC3-SHA
   Session-ID: 4C92645DCF76DD39B93FA93134342228789864947A3A14CFB5AB965BA48BE95D
   Session-ID-ctx:
   Master-Key: 439AA1963FAD38CE860411AC778ED4AFB5F2437BF033ECDA451A07E44FC53FAFDA86EEAA40DD1FF88DB5FDBF1338F669
   Key-Arg : None
   Start Time: 1161844868
   Timeout : 300 (sec)
   Verify return code: 21 (unable to verify the first certificate)
  ---
  read:errno=0

  Question: what should I do to get the correct trusted certificate from yahoo? Why are there three error info "unable to get local issuer certificate", "certificate not trusted", "unable to verify the first certificate"? Do I need to config openssl with another config?

  2)
  I tried using "ibm.com" instead and was able to retrieve the certificate and make a connection without errors.

  This command displays the certificates.

  bash# openssl s_client -showcerts -connect ibm.com:443
  CONNECTED(0004)
  depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  verify error:num=19:self signed certificate in certificate chain
  verify return:0
  ---
  Certificate chain
   0 s:/C=US/ST=NC/L=Research Triangle Park/O=IBM/OU=HPODS/CN=redirect.www.ibm.com
     i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  -----BEGIN
  

how to get the trusted certificate of the website mail.yahoo.com?

2006-11-05 Thread Hu, Yong Jun SNLB PEK




hello, dear all:
1)
I use the command openssl to get the trusted certificate, but there are some errors showing in the output:

bash-2.03# /usr/local/ssl/bin/openssl s_client -showcerts -connect login.yahoo.com:443
CONNECTED(0004)
depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 907 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
 Protocol : TLSv1
 Cipher : DES-CBC3-SHA
 Session-ID: 4C92645DCF76DD39B93FA93134342228789864947A3A14CFB5AB965BA48BE95D
 Session-ID-ctx:
 Master-Key: 439AA1963FAD38CE860411AC778ED4AFB5F2437BF033ECDA451A07E44FC53FAFDA86EEAA40DD1FF88DB5FDBF1338F669
 Key-Arg : None
 Start Time: 1161844868
 Timeout : 300 (sec)
 Verify return code: 21 (unable to verify the first certificate)
---
read:errno=0

Question: what should I do to get the correct trusted certificate from yahoo? Why are there three error info "unable to get local issuer certificate", "certificate not trusted", "unable to verify the first certificate"? Do I need to config openssl with another config?

2)
I tried using "ibm.com" instead and was able to retrieve the certificate and make a connection without errors.

This command displays the certificates.

bash# openssl s_client -showcerts -connect ibm.com:443
CONNECTED(0004)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=NC/L=Research Triangle Park/O=IBM/OU=HPODS/CN=redirect.www.ibm.com
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN

Re: how to get the trusted certificate of the website mail.yahoo.com?

2006-11-05 Thread Gait Boxman




Hi, 

did you try connecting to Yahoo with the ibm.com.pem as your CAFile?
Looks like they're not sending the Equifax cert along, whereas IBM is.
If I'm not mistaken, the ibm.com.pem is actually the Equifax cert,
IBM's cert would be the one starting with MIIC..

--Gait.

Hu, Yong Jun SNLB PEK wrote:

  
  
  
  hello, dear all:
  1)
  I use the command openssl to get the trusted certificate, but there are some errors showing in the output:

  bash-2.03# /usr/local/ssl/bin/openssl s_client -showcerts -connect login.yahoo.com:443
  CONNECTED(0004)
  depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
  verify error:num=20:unable to get local issuer certificate
  verify return:1
  depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
  verify error:num=27:certificate not trusted
  verify return:1
  depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
  verify error:num=21:unable to verify the first certificate
  verify return:1
  ---
  Certificate chain
   0 s:/C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
     i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  ---
  Server certificate
  subject=/C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
  issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 907 bytes and written 320 bytes
  ---
  New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
  Server public key is 1024 bit
  SSL-Session:
   Protocol : TLSv1
   Cipher : DES-CBC3-SHA
   Session-ID: 4C92645DCF76DD39B93FA93134342228789864947A3A14CFB5AB965BA48BE95D
   Session-ID-ctx:
   Master-Key: 439AA1963FAD38CE860411AC778ED4AFB5F2437BF033ECDA451A07E44FC53FAFDA86EEAA40DD1FF88DB5FDBF1338F669
   Key-Arg : None
   Start Time: 1161844868
   Timeout : 300 (sec)
   Verify return code: 21 (unable to verify the first certificate)
  ---
  read:errno=0

  Question: what should I do to get the correct trusted certificate from yahoo? Why are there three error info "unable to get local issuer certificate", "certificate not trusted", "unable to verify the first certificate"? Do I need to config openssl with another config?

  2)
  I tried using "ibm.com" instead and was able to retrieve the certificate and make a connection without errors.

  This command displays the certificates.

  bash# openssl s_client -showcerts -connect ibm.com:443
  CONNECTED(0004)
  depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  verify error:num=19:self signed certificate in certificate chain
  verify return:0
  ---
  Certificate chain
   0 s:/C=US/ST=NC/L=Research Triangle Park/O=IBM/OU=HPODS/CN=redirect.www.ibm.com
     i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
   1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
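
Added example, not part of the original thread: an offline reproduction of the two situations discussed above, using a throwaway CA and `openssl verify` instead of a live s_client connection. It assumes the openssl command-line tool with its stock openssl.cnf; the CA name, host name and file names are constructed.

```shell
#!/usr/bin/env bash
# Added example: offline reproduction of the verify errors seen in the thread.
# The CA, host name and file names are constructed for the demo.
set -eu

make_demo_pki() {            # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Demo/CN=Demo Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Demo/CN=server.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -days 1 \
    -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/leaf.pem" 2>/dev/null
}

# Print 0 when verification succeeds, otherwise the first verify error number.
verify_code() {
  out=$(openssl verify "$@" 2>&1) || true
  case $out in
    *": OK"*) echo 0 ;;
    *) printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_demo_pki "$work"

# Peer sends only its own certificate and the issuer is not in the trust
# store (the login.yahoo.com case): error 20.
leaf_only=$(verify_code "$work/leaf.pem")

# Peer also sends the self-signed root, but it is still not trusted locally
# (the ibm.com case): error 19.
root_in_chain=$(verify_code -untrusted "$work/ca.pem" "$work/leaf.pem")

# Issuer supplied as a trust anchor, as with s_client -CAfile: success.
with_cafile=$(verify_code -CAfile "$work/ca.pem" "$work/leaf.pem")

echo "leaf only:      $leaf_only"
echo "root in chain:  $root_in_chain"
echo "with -CAfile:   $with_cafile"
```

A root taken from a server's own chain is only as trustworthy as that connection, so compare its fingerprint (`openssl x509 -noout -fingerprint -in ca.pem`) with one published by the CA before using it as a CAfile.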