Intermediate Certificate problem

Simon Brown simon at cliffestones.demon.co.uk
Mon Jul 5 15:30:10 CEST 2010


Hi,

I use the Wanderlust email client, and the Debian packager, Tatsuya, has
recently changed to using GNU TLS from OpenSSL. This has caused a
problem for me as an IMAP server I use seems to have a certificate
problem which either didn't exist before or was ignored by OpenSSL.

The instructions to help diagnose the problem given by Tatsuya the
packager are shown below with the output. The server's administrators
claim there is not a problem as Thunderbird on Win32 has no
problem. Thunderbird does not include the Educational certificate in
its root store.

I have worked around the problem by adding the intermediate
certificate to my local store. I would none the less be very grateful
for any help in locating the cause of the problem.

Thanks

Simon

gnutls-cli --port 993 --x509cafile /etc/ssl/certs/ca-certificates.crt imap.student.gla.ac.uk
Resolving 'imap.student.gla.ac.uk'...
Connecting to '130.209.14.155:993'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject `C=GB,ST=Scotland,L=Glasgow,O=University of Glasgow,OU=IT Services,CN=imap.gla.ac.uk', issuer `C=BE,O=Cybertrust,OU=Educational CA,CN=Cybertrust Educational CA', RSA key 2048 bits, signed using RSA-SHA, activated `2009-08-12 14:57:14 UTC', expires `2012-08-12 14:57:14 UTC', SHA-1 fingerprint `41655d6147b0ddaa75cfab94a8a80a4f43ab9091'
 - Certificate[1] info:
  - subject `C=BE,O=Cybertrust,OU=Educational CA,CN=Cybertrust Educational CA', issuer `C=US,O=GTE Corporation,OU=GTE CyberTrust Solutions\, Inc.,CN=GTE CyberTrust Global Root', RSA key 2048 bits, signed using RSA-SHA, activated `2006-03-14 20:30:00 UTC', expires `2013-03-14 23:59:00 UTC', SHA-1 fingerprint `60983654d7ec611d76c2cd5557ca47ad3930c9ca'
- The hostname in the certificate matches 'imap.student.gla.ac.uk'.
- Peer's certificate issuer is not a CA
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
*** Verifying server certificate failed...



