Hi,

I'm having a small comprehension problem right now. Cacert.org is included in the certificates from ca-certificates. Unfortunately, in the browser I get a warning that Cacert.org does not have a trustworthy certificate. A quick test brings the following to light:

kohni /etc/ssl # openssl s_client -crlf -connect www.cacert.org:443
CONNECTED(00000003)
depth=0 /C=AU/ST=NSW/L=Sydney/O=CAcert Inc./CN=www.cacert.org/emailAddress=support@××××××.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=AU/ST=NSW/L=Sydney/O=CAcert Inc./CN=www.cacert.org/emailAddress=support@××××××.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=AU/ST=NSW/L=Sydney/O=CAcert Inc./CN=www.cacert.org/emailAddress=support@××××××.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=NSW/L=Sydney/O=CAcert Inc./CN=www.cacert.org/emailAddress=support@××××××.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@××××××.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFVzCCAz+gAwIBAgIDCKU1MA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv
b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
dEBjYWNlcnQub3JnMB4XDTEwMDUxNDE0NTk0OFoXDTEyMDUxMzE0NTk0OFowfjEL
MAkGA1UEBhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRQwEgYD
VQQKEwtDQWNlcnQgSW5jLjEXMBUGA1UEAxMOd3d3LmNhY2VydC5vcmcxITAfBgkq
hkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAM3iqo3YIRO2BaAEEoZ/Ui8efBtl44PlQO71ubOvhc7lMU/W
SC/Vuw36z6O8WwvX2Lgx2gwYwJ94JvyHCAmNNQc0ohHHk7jNOeOieJKBX3kwCPnQ
SPQJpIZwR6gcpDsblEHADjq0Qugjdn5RTAg1v65xd8Y4yoalkETgtrncTZ1fkhpg
AVEYcx38JeLL3IHoDgTQH+M29XyIN2NJEnClkdoGftZlPCKEvd36T/kl6vrEm0Vy
ZV9orUAKG116J+Iwn+qFSgiz40gtDrpz9raEyixM72DqfY/4Gmgs1LrN19LEPu7u
IGvs/V8FqZ5twpfdctZq0iaq9fIGvWa1q9quvC0CAwEAAaOB4jCB3zAMBgNVHRMB
Af8EAjAAMDQGA1UdJQQtMCsGCCsGAQUFBwMCBggrBgEFBQcDAQYJYIZIAYb4QgQB
BgorBgEEAYI3CgMDMAsGA1UdDwQEAwIFoDAzBggrBgEFBQcBAQQnMCUwIwYIKwYB
BQUHMAGGF2h0dHA6Ly9vY3NwLmNhY2VydC5vcmcvMFcGA1UdEQRQME6CDCouY2Fj
ZXJ0Lm9yZ4IKY2FjZXJ0Lm9yZ4IMKi5jYWNlcnQubmV0ggpjYWNlcnQubmV0ggwq
LmNhY2VydC5jb22CCmNhY2VydC5jb20wDQYJKoZIhvcNAQEFBQADggIBAErVgsd2
7hZsBSMG+BbCHN9PUbJYAg7JMNYiIaPIsZGFUbuYGyqlLye5muLtMxTHzBfXM25+
ECwYy9jLpkzW7qz1dC2Glx4h6Gh6+//Klwa7rJ7M9EFuhMogY23YbCJMC2m1gGtW
Wer3kgQBbRI3LxiIf7HYbIdWGEJ2d1R0QjKPgQLn3gh3b9A35nptBQu/Zk3M/JzO
WV4WWG8TomBfLvYuG+tntZCrRCvnFZqN/+68qK74VVFR/wpbdnu+AEX7j44xhnGl
Wvye0S3zKQHnf0L01nMA4HXj1Z8+TyMMUNENF3/Of4SdDUnyFYjmUQAhZ49PHw1A
prPKZ7fijE+twQlHTPniDndgtWRU/m4IQadost2tgpZPZHiwNWiSeEgMMwwthIpa
WvLJFmUipxyxkqVKmb6r8geqAiN9ScvPkKX4x157FgxFd5nQ4ZnTjZ8Zg0vQDHaF
rNpELfvyLHppUiwOGt5NJmoSKyeII5k+80eAL/2Tngi1vM2rCznebGYa3LC7UoIT
zjX4N3bAcuq3l9UaGeFSp5D8oGv29DNC7sMNRJXtlGcLtjXJgJzaBSb0bsh468ri
nU4UDmnslHE2LEOkaswkGpq+eaxH/Cp5eE/rh7m+vLxm1jcuUnqNiJ+MmLJXMbFr
G6GvDP69u3UJgK5X/P6+WgXFSGEDJWb8gxUO
-----END CERTIFICATE-----
subject=/C=AU/ST=NSW/L=Sydney/O=CAcert Inc./CN=www.cacert.org/emailAddress=support@××××××.org
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@××××××.org
---
No client certificate CA names sent
---
SSL handshake has read 2031 bytes and written 343 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 98AD9021BD3BA8AA6053BC6E7CCC88048E819F926285CF8396A40330D6EAA0A94024CC6DB8A255A9535B3AB6B8CFDB3C
    Key-Arg   : None
    Start Time: 1279762275
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
^C
kohni /etc/ssl #
kohni /etc/ssl # openssl s_client -crlf -CApath /etc/ssl/certs/ -connect www.cacert.org:443
CONNECTED(00000003)
depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@××××××.org
verify return:1
depth=0 /C=AU/ST=NSW/L=Sydney/O=CAcert Inc./CN=www.cacert.org/emailAddress=support@××××××.org
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=NSW/L=Sydney/O=CAcert Inc./CN=www.cacert.org/emailAddress=support@××××××.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@××××××.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFVzCCAz+gAwIBAgIDCKU1MA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv
b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
dEBjYWNlcnQub3JnMB4XDTEwMDUxNDE0NTk0OFoXDTEyMDUxMzE0NTk0OFowfjEL
MAkGA1UEBhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRQwEgYD
VQQKEwtDQWNlcnQgSW5jLjEXMBUGA1UEAxMOd3d3LmNhY2VydC5vcmcxITAfBgkq
hkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAM3iqo3YIRO2BaAEEoZ/Ui8efBtl44PlQO71ubOvhc7lMU/W
SC/Vuw36z6O8WwvX2Lgx2gwYwJ94JvyHCAmNNQc0ohHHk7jNOeOieJKBX3kwCPnQ
SPQJpIZwR6gcpDsblEHADjq0Qugjdn5RTAg1v65xd8Y4yoalkETgtrncTZ1fkhpg
AVEYcx38JeLL3IHoDgTQH+M29XyIN2NJEnClkdoGftZlPCKEvd36T/kl6vrEm0Vy
ZV9orUAKG116J+Iwn+qFSgiz40gtDrpz9raEyixM72DqfY/4Gmgs1LrN19LEPu7u
IGvs/V8FqZ5twpfdctZq0iaq9fIGvWa1q9quvC0CAwEAAaOB4jCB3zAMBgNVHRMB
Af8EAjAAMDQGA1UdJQQtMCsGCCsGAQUFBwMCBggrBgEFBQcDAQYJYIZIAYb4QgQB
BgorBgEEAYI3CgMDMAsGA1UdDwQEAwIFoDAzBggrBgEFBQcBAQQnMCUwIwYIKwYB
BQUHMAGGF2h0dHA6Ly9vY3NwLmNhY2VydC5vcmcvMFcGA1UdEQRQME6CDCouY2Fj
ZXJ0Lm9yZ4IKY2FjZXJ0Lm9yZ4IMKi5jYWNlcnQubmV0ggpjYWNlcnQubmV0ggwq
LmNhY2VydC5jb22CCmNhY2VydC5jb20wDQYJKoZIhvcNAQEFBQADggIBAErVgsd2
7hZsBSMG+BbCHN9PUbJYAg7JMNYiIaPIsZGFUbuYGyqlLye5muLtMxTHzBfXM25+
ECwYy9jLpkzW7qz1dC2Glx4h6Gh6+//Klwa7rJ7M9EFuhMogY23YbCJMC2m1gGtW
Wer3kgQBbRI3LxiIf7HYbIdWGEJ2d1R0QjKPgQLn3gh3b9A35nptBQu/Zk3M/JzO
WV4WWG8TomBfLvYuG+tntZCrRCvnFZqN/+68qK74VVFR/wpbdnu+AEX7j44xhnGl
Wvye0S3zKQHnf0L01nMA4HXj1Z8+TyMMUNENF3/Of4SdDUnyFYjmUQAhZ49PHw1A
prPKZ7fijE+twQlHTPniDndgtWRU/m4IQadost2tgpZPZHiwNWiSeEgMMwwthIpa
WvLJFmUipxyxkqVKmb6r8geqAiN9ScvPkKX4x157FgxFd5nQ4ZnTjZ8Zg0vQDHaF
rNpELfvyLHppUiwOGt5NJmoSKyeII5k+80eAL/2Tngi1vM2rCznebGYa3LC7UoIT
zjX4N3bAcuq3l9UaGeFSp5D8oGv29DNC7sMNRJXtlGcLtjXJgJzaBSb0bsh468ri
nU4UDmnslHE2LEOkaswkGpq+eaxH/Cp5eE/rh7m+vLxm1jcuUnqNiJ+MmLJXMbFr
G6GvDP69u3UJgK5X/P6+WgXFSGEDJWb8gxUO
-----END CERTIFICATE-----
subject=/C=AU/ST=NSW/L=Sydney/O=CAcert Inc./CN=www.cacert.org/emailAddress=support@××××××.org
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@××××××.org
---
No client certificate CA names sent
---
SSL handshake has read 2031 bytes and written 343 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: AE3DBB6551AC437D845CE291F22DD1E10F7357256F9DA197749A0215F350D9E65065451D63CDC41AAE7615752A885E44
    Key-Arg   : None
    Start Time: 1279762313
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C
kohni /etc/ssl #
kohni /etc/ssl # eix ^openssl$
[I] dev-libs/openssl
     Available versions:
     (0)      0.9.8o ~1.0.0a
     (0.9.8)  ~0.9.8o-r1
        {bindist gmp kerberos rfc3779 sse2 test zlib}
     Installed versions:  0.9.8o(03:01:54 04.06.2010)(gmp sse2 zlib -bindist -kerberos -test)
     Homepage:            http://www.openssl.org/
     Description:         Toolkit for SSL v2/v3 and TLS v1

kohni /etc/ssl #

So in principle it works, as long as openssl knows where to find the CA certificates. But how do I tell it that automagically? /etc/ssl/openssl.cnf is not very helpful...

Which documentation/setting have I just overlooked?

--
Regards, Jan
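As an added example, not part of Jan's mail, here is a small POSIX sh helper that makes the "where does openssl look by default" question checkable on the machine itself. It relies on two things I know OpenSSL does: `openssl version -d` prints `OPENSSLDIR: "<dir>"`, and the default verify paths (what s_client loads when no `-CApath`/`-CAfile` is given) honour the `SSL_CERT_DIR` and `SSL_CERT_FILE` environment variables, otherwise falling back to `OPENSSLDIR/certs`. The fallback directory `/etc/ssl` is an assumption taken from the prompt in the mail, and the sample s_client output in the comments is constructed from the two runs above.

```shell
#!/bin/sh
# Added example (not from the mail): find the CA directory OpenSSL consults
# by default and turn s_client's verify result into a pass/fail check.

# Directory OpenSSL uses when no -CApath is given: SSL_CERT_DIR if set,
# otherwise OPENSSLDIR/certs. If openssl is not on PATH the fallback
# /etc/ssl is assumed (taken from the mail's "kohni /etc/ssl #" prompt).
default_ca_dir() {
    if [ -n "${SSL_CERT_DIR:-}" ]; then
        printf '%s\n' "$SSL_CERT_DIR"
        return 0
    fi
    openssldir=$(openssl version -d 2>/dev/null \
        | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    printf '%s/certs\n' "${openssldir:-/etc/ssl}"
}

# Extract the numeric verify code from s_client output on stdin.
# 0 means the chain was built up to a trusted root; 20 (no local issuer),
# 27 (not trusted) and 21 (cannot verify first cert) mean it was not,
# exactly as in the first run in the mail.
# Constructed sample line: "    Verify return code: 21 (unable to verify the first certificate)"
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Connect to host:port with the default trust store only (no -CApath) and
# succeed only if the chain verifies. Needs network; not exercised offline.
check_chain() {
    host=$1
    port=${2:-443}
    code=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | verify_code)
    [ "$code" = "0" ]
}

# Stand-alone use: report the directory and check a host given on the command line.
if [ -n "${1:-}" ]; then
    echo "default CA directory: $(default_ca_dir)"
    if check_chain "$1" "${2:-443}"; then
        echo "$1: chain verifies against the default store"
    else
        echo "$1: chain does NOT verify against the default store" >&2
        exit 1
    fi
fi
```

If `default_ca_dir` prints a directory other than the one that made the second run succeed, pointing `SSL_CERT_DIR` at `/etc/ssl/certs` (or at whatever directory holds the hashed symlinks) in the environment has the same effect as passing `-CApath` every time. A `-CApath` directory only works when it contains the hash-named symlinks that `c_rehash` creates; a directory of plain PEM files is silently ignored, which shows up as the same error 20/21 as above.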