gnutls is unable to get x509 certificate

Tomasz Welman tomasz.welman at pl.ibm.com
Thu Nov 26 10:39:53 CET 2009


Simon Josefsson <simon at josefsson.org> wrote on 11/20/2009 08:57:06 AM:

> Tomasz Welman <tomasz.welman at pl.ibm.com> writes:
> 
> > Hi,
> >
> > The problem is that I am using LDAP, and ldaps://, but it doesn't work.
> > With the help of openldap guys, I've tracked down the issue to be a gnutls
> > problem.
> >
> > The full description (with (hopefully all of the) debugging info) is here:
> >
> > http://www.openldap.org/lists/openldap-technical/200911/msg00039.html
> 
> The IBM server is buggy, this has been debugged before, see complete
> discussion and workarounds:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466477
> 

Ok, that helped a bit.

When I'm doing:
gnutls-cli -p 636 bluepages.ibm.com --priority NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-CTYPE-OPENPGP

it's working, but if I am giving it the CA certificate obtained this way:
openssl s_client -host bluepages.ibm.com -port 636 > bp.cert

and then:
twelman at darthvader:~$ gnutls-cli --x509cafile bp.cert -p 636 bluepages.ibm.com --priority NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-CTYPE-OPENPGP
it fails with message:
Processed 1 CA certificate(s).
Resolving 'bluepages.ibm.com'...
Connecting to '9.17.186.253:636'...
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=Colorado,L=Boulder,O=International Business
Machines,OU=Terms of use at www.verisign.com/rpa (c)05,OU=Terms of use at
www.verisign.com/rpa (c)05,CN=bluepages.ibm.com', issuer
`C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at
https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure Server CA',
RSA key 1024 bits, signed using RSA-SHA, activated `2008-03-19 00:00:00
UTC', expires `2011-05-23 23:59:59 UTC', SHA-1 fingerprint
`b4ed74f52d5de2efac31cbac286ef20bccaba87a'
 - Certificate[1] info:
  - subject `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of 
use at https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure 
Server CA', issuer `C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary 
Certification Authority', RSA key 2048 bits, signed using RSA-SHA, 
activated `2005-01-19 00:00:00 UTC', expires `2015-01-18 23:59:59 UTC', 
SHA-1 fingerprint `188590e94878478e33b6194e59fbbb28ff0888d5'
 - Certificate[2] info:
  - subject `C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary 
Certification Authority', issuer `C=US,O=VeriSign\, Inc.,OU=Class 3 Public 
Primary Certification Authority', RSA key 1024 bits, signed using RSA-MD2 
(broken!), activated `1996-01-29 00:00:00 UTC', expires `2028-08-01 
23:59:59 UTC', SHA-1 fingerprint 
`742c3192e607e424eb4549542be1bbc53e6174e2'
- The hostname in the certificate matches 'bluepages.ibm.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: SSL3.0
- Key Exchange: RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
*** Verifying server certificate failed...

The bp.cert looks like this:
twelman at darthvader:~$ cat bp.cert


Can you help?

What I want to achieve is to get the CA (as I did with openssl s_client) and then
be able to connect giving this CA for validation, so I'm sure this bluepages.ibm.com
is actually the same server that gave me the CA.


--
Tomasz 'Trog' Welman
Software Developer
external: 48-12-628-9449
ITN: 34819449
T/L: 9449

IBM SWG Lab, Krakow, Poland
IBM Polska Sp. z o.o., Kraków branch
ul. Armii Krajowej 18, 30-150 Kraków
NIP: 526-030-07-24, KRS 0000012941
Share capital: 33.000.000 PLN
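The `openssl s_client ... > bp.cert` capture above saves only the server's leaf certificate, so gnutls-cli has nothing to chain it to and reports an unknown issuer; `openssl s_client -showcerts` prints every certificate the server sends, and the issuer or root in that chain is what belongs in `--x509cafile`. The helper below is an added example, not code from this thread or from GnuTLS, that splits such a capture into one PEM file per certificate and picks the last one; the sample capture it runs on is constructed with placeholder bodies.

```shell
# split_chain CAPTURE OUTDIR
# Writes every PEM certificate block found in CAPTURE (the saved output of
# "openssl s_client -showcerts -connect host:636 </dev/null") to
# OUTDIR/cert-N.pem, N counting from 0 in the order the server sent them,
# and prints the number of certificates written.
split_chain() {
    capture=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0; inblk = 0 }
        /^-----BEGIN CERTIFICATE-----$/ { f = dir "/cert-" n ".pem"; inblk = 1 }
        inblk { print > f }
        /^-----END CERTIFICATE-----$/ { close(f); inblk = 0; n++ }
        END { print n }
    ' "$capture"
}

# pick_issuer OUTDIR
# Prints the path of the last certificate split_chain wrote: the one nearest
# the root, i.e. the candidate for --x509cafile (the leaf alone, as in the
# bp.cert above, gives gnutls-cli nothing to chain to).
pick_issuer() {
    n=$(ls "$1"/cert-*.pem | wc -l)
    echo "$1/cert-$((n - 1)).pem"
}

# Constructed sample capture, not a real s_client session: the surrounding
# lines imitate what s_client prints around each block, and the bodies are
# placeholders rather than real DER data.
SAMPLE_CAPTURE=${TMPDIR:-/tmp}/showcerts-sample.$$
cat > "$SAMPLE_CAPTURE" <<'EOF'
depth=1 C = XX, O = Example CA (constructed)
verify error:num=20:unable to get local issuer certificate
 0 s:/C=XX/O=Example/CN=ldap.example.test
-----BEGIN CERTIFICATE-----
LEAF-CERT-BODY-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=XX/O=Example CA (constructed)
-----BEGIN CERTIFICATE-----
ISSUER-CERT-BODY-PLACEHOLDER
-----END CERTIFICATE-----
---
EOF

out=${TMPDIR:-/tmp}/showcerts-split.$$
count=$(split_chain "$SAMPLE_CAPTURE" "$out")
echo "certificates in chain: $count; candidate for --x509cafile: $(pick_issuer "$out")"
```

A certificate taken from the server this way is only what that server presented, so compare its fingerprint with the CA's published one (or with the system CA bundle) before relying on it as `--x509cafile`.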

