On Wed, Dec 01, 2010 at 01:25:37AM -0000, Clint Byrum wrote:
> So initial testing shows that this is actually a problem with OpenSSL,
> or at least, it is OpenSSL refusing to connect to these servers:
>
> (natty-amd64)root@clint-MacBookPro:/home/clint/pkg/php5/bzr/natty-php-ssl-fix# openssl s_client -host cas.ucdavis.edu -port 443
> CONNECTED(00000003)
> 1787:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message:s23_clnt.c:602:
> (natty-amd64)root@clint-MacBookPro:/home/clint/pkg/php5/bzr/natty-php-ssl-fix# openssl s_client -host server.db.kvk.nl -port 443
> CONNECTED(00000003)
> 1788:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:602:
Note that if you force openssl to use ssl3 via -ssl3, a successful
connection is made. However, both warn of a self-signed certificate in
the chain, though it appears to be the top level certificate:
$ openssl s_client -host server.db.kvk.nl -port 443 -ssl3
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=NL/ST=Utrecht/L=Woerden/O=Kamer van Koophandel Nederland/OU=Technisch Beheer/CN=SERVER.DB.KVK.NL
i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
(server.db.kvk.nl's certificate is signed by Equifax, not Verisign.)
But perhaps the self-signed certificate thing is a red herring, as on
hardy (0.9.8g-4ubuntu3.12) and lucid (0.9.8k-7ubuntu8.4), at least,
connecting works, but still gives the warning.
-- 
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/
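An added illustration, not code from Steve's or Clint's message nor from the php5 package: a small Python parser for the two shapes of `openssl s_client` output quoted above. It tells a protocol-level handshake failure (an alert received in SSL23_GET_SERVER_HELLO, as with the default SSLv23 hello) apart from a certificate-verification warning (X509 verify error 19 under forced -ssl3), and checks whether the "self signed certificate in certificate chain" really is the top of the chain the server sent, with every issuer name linking to the next subject. The two sample inputs are constructed by copying the quoted output, laid out with the leading spaces s_client prints before chain entries; the meaning of verify error number 19 is taken from OpenSSL's X509 verify error list.

```python
import re

# Constructed sample input: the forced -ssl3 run quoted above, with the
# leading-space layout that real s_client output uses for chain entries.
SAMPLE_SSL3 = """\
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=NL/ST=Utrecht/L=Woerden/O=Kamer van Koophandel Nederland/OU=Technisch Beheer/CN=SERVER.DB.KVK.NL
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
"""

# Constructed sample input: the default (SSLv23 hello) run quoted above.
SAMPLE_FAIL = """\
CONNECTED(00000003)
1788:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:602:
"""

# OpenSSL error line layout: pid:error:code:library:function:reason:file:line:
ERR_RE = re.compile(r"^\d+:error:([0-9A-Fa-f]+):([^:]*):([^:]*):([^:]*):")
VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")

# X509 verify error 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the chain could
# be walked up to a self-signed certificate, but that certificate is not in the
# client's trust store.
SELF_SIGNED_IN_CHAIN = 19


def parse_s_client(output):
    """Split s_client output into connection state, handshake error, verify errors and chain."""
    result = {"connected": False, "handshake_error": None,
              "verify_errors": [], "chain": []}
    pending = None  # chain entry whose issuer line has not been seen yet
    for line in output.splitlines():
        if line.startswith("CONNECTED("):
            result["connected"] = True
            continue
        m = ERR_RE.match(line)
        if m:
            result["handshake_error"] = {"code": m.group(1), "library": m.group(2),
                                         "function": m.group(3), "reason": m.group(4)}
            continue
        m = VERIFY_RE.match(line)
        if m:
            result["verify_errors"].append({"num": int(m.group(1)), "reason": m.group(2)})
            continue
        m = SUBJECT_RE.match(line)
        if m:
            pending = {"depth": int(m.group(1)), "subject": m.group(2), "issuer": None}
            result["chain"].append(pending)
            continue
        m = ISSUER_RE.match(line)
        if m and pending is not None:
            pending["issuer"] = m.group(1)
            pending = None
    return result


def chain_is_linked(chain):
    """Each certificate's issuer name must equal the next certificate's subject name."""
    return all(chain[k]["issuer"] == chain[k + 1]["subject"] for k in range(len(chain) - 1))


def top_is_self_signed(chain):
    """True when the last certificate the server sent names itself as its issuer."""
    return bool(chain) and chain[-1]["subject"] == chain[-1]["issuer"]


def diagnose(parsed):
    """Separate a protocol-level handshake failure from a certificate verification warning."""
    err = parsed["handshake_error"]
    if err is not None:
        return "handshake failed in %s: %s (code %s)" % (err["function"], err["reason"], err["code"])
    chain = parsed["chain"]
    nums = {v["num"] for v in parsed["verify_errors"]}
    if SELF_SIGNED_IN_CHAIN in nums and top_is_self_signed(chain) and chain_is_linked(chain):
        return ("verification warning only: server sends its self-signed root at depth %d "
                "and that root is not in the local trust store; issuer names link correctly"
                % chain[-1]["depth"])
    if nums:
        return "verification failed: " + "; ".join(v["reason"] for v in parsed["verify_errors"])
    return "handshake and verification succeeded"


if __name__ == "__main__":
    for name, sample in (("SSLv23 hello", SAMPLE_FAIL), ("forced -ssl3", SAMPLE_SSL3)):
        print(name, "->", diagnose(parse_s_client(sample)))
```

Running it on the two samples separates the two observations in the message: the default run never gets past the server's alert, so no certificate is ever verified, while the -ssl3 run completes the handshake and only then reports error 19 because the server includes its own root in the chain. That is why the verify warning can persist on releases where the connection itself works.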