Simon Josefsson <address@hidden> wrote on
11/20/2009 08:57:06 AM:
> From: Simon Josefsson <address@hidden>, 11/20/2009 08:57 AM
> To: Tomasz Welman/Poland/address@hidden
> cc: address@hidden
> Subject: Re: gnutls is unable to get x509 certificate
> Tomasz Welman <address@hidden> writes:
>
> > Hi,
> >
> > The problem is that I am using LDAP, and ldaps://, but it doesn't work.
> > With the help of openldap guys, I've tracked down the issue to be gnutls
> > problem.
> >
> > The full description (with (hopefully all of the) debugging info) is here:
> >
> > http://www.openldap.org/lists/openldap-technical/200911/msg00039.html
>
> The IBM server is buggy, this has been debugged before, see complete
> discussion and workarounds:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466477
>
Ok, that helped a bit.
When I'm doing:
  gnutls-cli -p 636 bluepages.ibm.com --priority NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-CTYPE-OPENPGP
it's working, but if I am giving it the CA certificate obtained this way:
  openssl s_client -host bluepages.ibm.com -port 636 > bp.cert
and then:
  address@hidden:~$ gnutls-cli --x509cafile bp.cert -p 636 bluepages.ibm.com --priority NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-CTYPE-OPENPGP
it fails with message:
Processed 1 CA certificate(s).
Resolving 'bluepages.ibm.com'...
Connecting to '9.17.186.253:636'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=US,ST=Colorado,L=Boulder,O=International
Business Machines,OU=Terms of use at www.verisign.com/rpa
(c)05,OU=Terms of use at www.verisign.com/rpa
(c)05,CN=bluepages.ibm.com', issuer `C=US,O=VeriSign\, Inc.,OU=VeriSign
Trust Network,OU=Terms of use at https://www.verisign.com/rpa
(c)05,CN=VeriSign Class 3 Secure Server CA', RSA key 1024 bits, signed
using RSA-SHA, activated `2008-03-19 00:00:00 UTC', expires `2011-05-23
23:59:59 UTC', SHA-1 fingerprint `b4ed74f52d5de2efac31cbac286ef20bccaba87a'
- Certificate[1] info:
- subject `C=US,O=VeriSign\,
Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa
(c)05,CN=VeriSign Class 3 Secure Server CA', issuer `C=US,O=VeriSign\,
Inc.,OU=Class 3 Public Primary Certification Authority', RSA key 2048 bits,
signed using RSA-SHA, activated `2005-01-19 00:00:00 UTC', expires `2015-01-18
23:59:59 UTC', SHA-1 fingerprint `188590e94878478e33b6194e59fbbb28ff0888d5'
- Certificate[2] info:
- subject `C=US,O=VeriSign\,
Inc.,OU=Class 3 Public Primary Certification Authority', issuer `C=US,O=VeriSign\,
Inc.,OU=Class 3 Public Primary Certification Authority', RSA key 1024 bits,
signed using RSA-MD2 (broken!), activated `1996-01-29 00:00:00 UTC', expires
`2028-08-01 23:59:59 UTC', SHA-1 fingerprint `742c3192e607e424eb4549542be1bbc53e6174e2'
- The hostname in the certificate matches 'bluepages.ibm.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: SSL3.0
- Key Exchange: RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
*** Verifying server certificate failed...
What I want to achieve is get the CA (as I did with openssl s_client) and then
be able to connect giving this CA for validation so I'm sure this
bluepages.ibm.com is actually the same server that gave me the CA.
IBM SWG Lab, Krakow, Poland
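A way to check what a saved bundle actually contains, added here as an example that is not part of the thread: without `-showcerts`, `openssl s_client` prints only the server's own certificate, so a file captured that way holds the leaf and not its issuers. The helper below splits a `-showcerts` style dump into its certificates, computes the SHA-1 fingerprint that gnutls-cli prints (so the session's `Certificate[0]` line can be compared against the file), and picks the last certificate of the chain as the trust anchor to save for `--x509cafile`. The sample bundle and its payloads are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Constructed sample: the payloads are NOT real DER certificates, just bytes
# standing in for two PEM blocks as `openssl s_client -showcerts` prints them
# (leaf first, issuer last), surrounded by the usual handshake chatter.
SAMPLE_BUNDLE = """CONNECTED(00000003)
depth=1 C = XX, O = Example CA
-----BEGIN CERTIFICATE-----
bGVhZi1jZXJ0aWZpY2F0ZS1ERVItYnl0ZXM=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cm9vdC1jZXJ0aWZpY2F0ZS1ERVItYnl0ZXM=
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem(bundle: str) -> "list[bytes]":
    """Return the DER bytes of every certificate in the text, in file order,
    ignoring the non-PEM lines s_client writes around them."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(bundle)]


def fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint in the lowercase hex form gnutls-cli prints."""
    return hashlib.sha1(der).hexdigest()


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Compare against a fingerprint copied from gnutls-cli or a browser,
    ignoring case and the colon separators some tools insert."""
    return fingerprint(der) == expected.replace(":", "").strip().lower()


def trust_anchor_pem(bundle: str) -> str:
    """PEM of the last certificate in the chain: the issuer/root to save as
    the CA file, since a leaf certificate cannot vouch for itself."""
    ders = split_pem(bundle)
    if not ders:
        raise ValueError("no certificate found in bundle")
    b64 = base64.b64encode(ders[-1]).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")
```

If `split_pem` returns a single certificate, the file was captured without `-showcerts` and contains only the leaf, which is the situation that produces "Peer's certificate issuer is unknown".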