gnutls is unable to get x509 certificate
Tomasz Welman
tomasz.welman at pl.ibm.com
Thu Nov 26 10:39:53 CET 2009
Simon Josefsson <simon at josefsson.org> wrote on 11/20/2009 08:57:06 AM:
> Tomasz Welman <tomasz.welman at pl.ibm.com> writes:
>
> > Hi,
> >
> > The problem is that I am using LDAP, and ldaps://, but it doesn't work.
> > With the help of openldap guys, I've tracked down the issue to be a gnutls
> > problem.
> >
> > The full description (with (hopefully all of the) debugging info) is here:
> >
> > http://www.openldap.org/lists/openldap-technical/200911/msg00039.html
>
> The IBM server is buggy, this has been debugged before, see complete
> discussion and workarounds:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466477
>
Ok, that helped a bit.
When I'm doing:
gnutls-cli -p 636 bluepages.ibm.com --priority NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-CTYPE-OPENPGP
it works, but if I give it the CA certificate obtained this way:
openssl s_client -host bluepages.ibm.com -port 636 > bp.cert
and then:
twelman at darthvader:~$ gnutls-cli --x509cafile bp.cert -p 636 bluepages.ibm.com --priority NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-CTYPE-OPENPGP
it fails with the message:
Processed 1 CA certificate(s).
Resolving 'bluepages.ibm.com'...
Connecting to '9.17.186.253:636'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=US,ST=Colorado,L=Boulder,O=International Business Machines,OU=Terms of use at www.verisign.com/rpa (c)05,OU=Terms of use at www.verisign.com/rpa (c)05,CN=bluepages.ibm.com', issuer `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure Server CA', RSA key 1024 bits, signed using RSA-SHA, activated `2008-03-19 00:00:00 UTC', expires `2011-05-23 23:59:59 UTC', SHA-1 fingerprint `b4ed74f52d5de2efac31cbac286ef20bccaba87a'
- Certificate[1] info:
- subject `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure Server CA', issuer `C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority', RSA key 2048 bits, signed using RSA-SHA, activated `2005-01-19 00:00:00 UTC', expires `2015-01-18 23:59:59 UTC', SHA-1 fingerprint `188590e94878478e33b6194e59fbbb28ff0888d5'
- Certificate[2] info:
- subject `C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority', issuer `C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority', RSA key 1024 bits, signed using RSA-MD2 (broken!), activated `1996-01-29 00:00:00 UTC', expires `2028-08-01 23:59:59 UTC', SHA-1 fingerprint `742c3192e607e424eb4549542be1bbc53e6174e2'
- The hostname in the certificate matches 'bluepages.ibm.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: SSL3.0
- Key Exchange: RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
*** Verifying server certificate failed...
The bp.cert looks like this:
twelman at darthvader:~$ cat bp.cert
Can you help?
What I want to achieve is to get the CA (as I did with openssl s_client) and then be able to connect giving this CA for validation, so I'm sure this bluepages.ibm.com is actually the same server that gave me the CA.
--
Tomasz 'Trog' Welman
Software Developer
external: 48-12-628-9449
ITN: 34819449
T/L: 9449
IBM SWG Lab, Krakow, Poland
IBM Polska Sp. z o.o., Kraków branch
ul. Armii Krajowej 18, 30-150 Kraków
NIP: 526-030-07-24, KRS 0000012941
Share capital: 33.000.000 PLN
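Why the trust file built this way cannot anchor the chain, as an added example that is not part of the thread: openssl s_client without -showcerts prints only the server's own certificate, so bp.cert holds the leaf (Certificate[0]), which is the issuer of nothing in the list. The script below re-derives the gnutls-cli findings from a constructed excerpt of the listing above (subjects shortened, same subject/issuer linkage) and shows that trusting Certificate[1] or the self-signed Certificate[2] instead anchors the chain; the parsing regex and the diagnose() function are assumptions of this example, not GnuTLS code.

```python
import re

# Constructed excerpt of the gnutls-cli output quoted in the post (lines unwrapped,
# subjects shortened but with the same subject/issuer linkage as the real chain).
GNUTLS_OUTPUT = r"""
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=US,O=International Business Machines,CN=bluepages.ibm.com', issuer `C=US,O=VeriSign\, Inc.,CN=VeriSign Class 3 Secure Server CA', RSA key 1024 bits, signed using RSA-SHA, expires `2011-05-23 23:59:59 UTC'
- Certificate[1] info:
- subject `C=US,O=VeriSign\, Inc.,CN=VeriSign Class 3 Secure Server CA', issuer `C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority', RSA key 2048 bits, signed using RSA-SHA, expires `2015-01-18 23:59:59 UTC'
- Certificate[2] info:
- subject `C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority', issuer `C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority', RSA key 1024 bits, signed using RSA-MD2 (broken!), expires `2028-08-01 23:59:59 UTC'
"""

# One "- subject `...', issuer `...', ... signed using ALG" line per certificate.
CERT_RE = re.compile(
    r"^- subject `(?P<subject>.*?)', issuer `(?P<issuer>.*?)', .*?"
    r"signed using (?P<sig>[A-Z0-9-]+)(?P<broken> \(broken!\))?",
    re.MULTILINE,
)

def parse_chain(output):
    """Return the certificate list, leaf first, as gnutls-cli printed it."""
    return [m.groupdict() for m in CERT_RE.finditer(output)]

def diagnose(chain, trusted_subjects):
    """Reproduce the three things a verifier looks at: linkage between list
    members, weak signature algorithms, and whether a trusted certificate
    issued any member of the chain (otherwise the issuer is 'unknown')."""
    findings = []
    for i in range(len(chain) - 1):
        if chain[i]["issuer"] != chain[i + 1]["subject"]:
            findings.append(f"certificate[{i}] is not issued by certificate[{i + 1}]")
    for i, cert in enumerate(chain):
        if cert["broken"]:
            findings.append(f"certificate[{i}] is signed using {cert['sig']} (broken)")
    if not any(cert["issuer"] in trusted_subjects for cert in chain):
        findings.append("issuer unknown: nothing in the trust file issued any chain member")
    return findings

if __name__ == "__main__":
    chain = parse_chain(GNUTLS_OUTPUT)
    leaf, root = chain[0]["subject"], chain[-1]["subject"]
    # bp.cert holds only the leaf: it issues nothing, so the issuer stays unknown.
    print("trusting bp.cert (leaf):", diagnose(chain, {leaf}))
    # Trusting the self-signed root (or the intermediate) anchors the chain.
    print("trusting root:", diagnose(chain, {root}))
```

The remaining finding with the root trusted is the RSA-MD2 self-signature that gnutls-cli flags as broken; a verifier does not need that signature to trust an explicitly supplied root, but it is the reason such roots should be replaced where possible.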