Article delegate-en/4067 of [1-5169] on the server localhost:119
[Reference:<_A4065@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: How to verify a server's certificate?
14 Aug 2008 10:04:17 GMT Monika Schilling <p3ehqbdyi-omp2wg7ncalr.ml@ml.delegate.org>


Yutaka,

On Tuesday August 12 2008 07:08, Yutaka Sato wrote:
> ...
>  |On Monday August 11 2008 10:36, Yutaka Sato wrote:
>  |> ...
>  |> But note that the SSL (TLS) configuration of DeleGate is moving from
>  |> sslway options like -CApath to files under the CERTDIR (like ca-sv.pem)
>  |> after DeleGate/9.8.0 and the recommended way to disable the default
>  |> certificates will be making a special file under CERTDIR.
>  |> <URL:http://www.delegate.org/delegate/Manual.htm?CERTDIR>
>  |
>  |Thank you for the pointer. I checked DeleGate 9.8.3 with the new way of
>  |configuration via files under CERTDIR. Everything works as expected.
>  | There is no need for using the trick with the OpenSSL environment
>  | variable SSL_CERT_DIR as with version 9.7.7.
>
> Is it true? 
> ...

Yes! I just now checked it again. 

Calling DeleGate
================

  DGROOT=/home/ms/.DeleGate/9.8.3/pop.1und1.de
  DGCONF=/home/ms/bin/delegated-pop.1und1.de.conf

  /usr/local/bin/delegated-9.8.3  DGROOT=$DGROOT  +=$DGCONF


Content of the configuration file
=================================
  -vv
  ADMIN=admin@someDomain..
  RESOLV=dns:127.0.0.1
  STLS="fsv,sslway -Vrfy -vd"
  -P127.0.0.1:50110
  SERVER=pop
  REMITTABLE=pop3s
  MOUNT="//*%S/%S pop3s://pop.1und1.de/*%(1)@%(0)"


Content of the directory CERTDIR
================================ 

  ms@r50e-ms:~> ls -l ~/.DeleGate/9.8.3/pop.1und1.de/etc/certs
  total 8
  lrwxrwxrwx 1 ms users   10 2000-00-00 00:0X ca-sv.pem -> vsign1.pem
  -rw-r--r-- 1 ms users 1155 1998-12-21 10:52 thawteCp.pem
  -rw-r--r-- 1 ms users  984 1900-00-00 00:0X vsign1.pem
  ms@r50e-ms:~>

Thus this setup uses the inappropriate certificate "vsign1.pem" instead of the 
appropriate one "thawteCp.pem".


Extract of the log
==================
  ...
  08/14 10:47:51.04 [7513] 1+0: POP C-S: USER test@mschilling..^M
  08/14 10:47:51.04 [7513] 1+0: *** // MOUNTED TO[4] pop3s://pop.1und1.de/ ***
  08/14 10:47:51.04 [7513] 1+0: *** //mschilling.com/test => pop3s://pop.1und1.de/test@mschilling.. ***
  08/14 10:47:51.04 [7513] 1+0: PERMITTED: pop3s://pop.1und1.de
  08/14 10:47:51.04 [7513] 1+0: dirfopen(/home/ms/.DeleGate/9.8.3/pop.1und1.de/act/servers/cc/pop3s-anonymous-pop.1und1.de-995-0,r+): 0 [-1]
  08/14 10:47:51.04 [7513] 1+0: ConnectToServer connect pop3s://pop.1und1.de:995
  08/14 10:47:51.14 [7513] 1+0: connect[8] ready=1, err=0
  08/14 10:47:51.14 [7513] 1+0: ConnectToServer connected [8] {212.227.15.162:995 <- 192.168.0.9:49465} [0.103s]
  08/14 10:47:51.14 [7513] 1+0: KeepAlive[8] = 1
  08/14 10:47:51.14 [7513] 1+0: 96/128 expsockbuf(10,16384<<109568,24576<<109568)
  08/14 10:47:51.14 [7513] 1+0: 96/128 expsockbuf(18,24576<<109568,16384<<109568)
  08/14 10:47:51.14 [7513] 1+0: ---tFiltr1 B7C3A8E0 base=BFFAB898 0/0
  08/14 10:47:51.14 [7513] 1+0: thread_started sigmask=4002 <- 5002
  08/14 10:47:51.15 [7513] 1+0: ---tSSLway B7AA8B90S base=B7AA5620 1/1
  08/14 10:47:51.15 [7513] 1+0: --CERTS 0 /home/ms/.DeleGate/9.8.3/pop.1und1.de/etc/certs
  08/14 10:47:51.15 [7513] 1+0: ## SSLway CFI_TYPE=FSV: -co is assumed
  08/14 10:47:51.15 [7513] 1+0: {t} setCloseOnFork(SSLstart,22)
  08/14 10:47:51.15 [7513] 1+0: {t} setCloseOnFork(SSLstart,23)
  08/14 10:47:51.15 [7513] 1+0: ## SSLway start
  08/14 10:47:51.15 [7513] 1+0: TCP_NODELAY[22] -1213589820 -> 0
  08/14 10:47:51.15 [7513] 1+0: TCP_NODELAY[23] 0 -> 1
  08/14 10:47:51.15 [7513] 1+0: ## SSLway --CERTS ? /home/ms/.DeleGate/9.8.3/pop.1und1.de/etc/certs/to-sv.pem
  08/14 10:47:51.15 [7513] 1+0: ## SSLway --CERTS ? /home/ms/.DeleGate/9.8.3/pop.1und1.de/etc/certs/me.pem
  08/14 10:47:51.15 [7513] 1+0: ## SSLway --CERTS ? /home/ms/.DeleGate/9.8.3/pop.1und1.de/etc/certs/client-cert.pem
  08/14 10:47:51.15 [7513] 1+0: ### [0] client-cert.pem 0
  08/14 10:47:51.15 [7513] 1+0: ### [1] /data1/home/ms/client-cert.pem 0
  08/14 10:47:51.15 [7513] 1+0: ### [2] /home/ms/.DeleGate/9.8.3/pop.1und1.de/lib/client-cert.pem 0
  08/14 10:47:51.15 [7513] 1+0: ### [3] /usr/local/bin/client-cert.pem 0
  08/14 10:47:51.15 [7513] 1+0: ### [4] /home/ms/.DeleGate/9.8.3/pop.1und1.de/etc/client-cert.pem 0
  08/14 10:47:51.15 [7513] 1+0: ## SSLway --CERTS ? /home/ms/.DeleGate/9.8.3/pop.1und1.de/etc/certs/ca-sv.pem
  08/14 10:47:51.15 [7513] 1+0: ## SSLway --CERTS ! /home/ms/.DeleGate/9.8.3/pop.1und1.de/etc/certs/ca-sv.pem
  08/14 10:47:51.15 [7513] 1+0: ## SSLway --CERTS ? /home/ms/.DeleGate/9.8.3/pop.1und1.de/etc/certs//home/ms/.DeleGate/9.8.3/pop.1und1.de/etc/certs/ca-sv.pem
  08/14 10:47:51.15 [7513] 1+0: ## SSLway --CERTS ? /home/ms/.DeleGate/9.8.3/pop.1und1.de/etc/certs/(null)
  08/14 10:47:51.15 [7513] 1+0: ## SSLway CAs = [/home/ms/.DeleGate/9.8.3/pop.1und1.de/etc/certs/ca-sv.pem][]
  08/14 10:47:51.27 [7513] 1+0: ## SSLway depth=0/-1 ok=0 20:"unable to get local issuer certificate" /C=DE/ST=Rheinland-Pfalz/L=Montabaur/O=1 und 1 Internet AG/CN=pop.1und1.de
  08/14 10:47:51.27 [7513] 1+0: ## SSLway connect failed
  7513:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
  08/14 10:47:51.27 [7513] 1+0: builtin-SSLway: ssl_conn() failed
  08/14 10:47:51.27 [7513] 1+0: ## SSLway ## cleared the cache(0) on CON error
  [7513] SSLway ## cleared the cache(0) on CON error
  (UNIX) 09:47:51.271 [7513] --E-SSLway ErrFin 7513 10 -1
  ...


As you see, the certificates under "/etc/ssl/certs", where a copy of the 
appropriate certificate "thawteCp.pem" is stored, are not taken into account. 
As a consequence, verification fails.


Cheers, Monika
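The log extract in this post is a clean detection target: the SSLway filter announces which CA file list it will use ("## SSLway CAs = [...]") and then reports the verification result per depth ("## SSLway depth=0/-1 ok=0 20:..."), where the number after "ok=0" is the OpenSSL X509_V_ERR code. The following is an added example, not code from DeleGate or from anyone in this thread: a small Python scanner that pairs each failed verification with the server the same process connected to and the CA files it consulted, and maps the error code to an actionable hint. The embedded sample lines are a constructed subset of the extract above; the regexes are assumptions about SSLway's log layout derived only from those lines, and would need adjusting for other DeleGate versions.

```python
"""Flag TLS server-certificate verification failures in DeleGate SSLway logs.

Added example, not DeleGate code. The line layout is an assumption taken
from the log extract in this thread.
"""
import re
from urllib.parse import urlsplit

# Subset of OpenSSL X509_V_ERR_* codes as they appear after "ok=0 " in the log.
X509_VERIFY_HINTS = {
    9: "certificate not yet valid: check the clock on the proxy host",
    10: "certificate has expired: check the server certificate and the proxy clock",
    18: "self-signed leaf certificate: the server sent no CA-issued chain",
    19: "self-signed certificate in chain: the chain's root is missing from the CA file(s)",
    20: "unable to get local issuer certificate: the CA file(s) consulted do not "
        "contain the issuer of the server certificate (check what ca-sv.pem points to)",
    21: "unable to verify the first certificate: the server sent no chain and "
        "its issuer is missing from the CA file(s)",
}

# "MM/DD HH:MM:SS.ss [pid] n+m: message" -- layout assumed from the thread's log.
LINE_RE = re.compile(r"^\s*(\d\d/\d\d \d\d:\d\d:\d\d\.\d+) \[(\d+)\] \S+ (.*)$")
CONNECT_RE = re.compile(r"^ConnectToServer connect (\S+)$")
CAS_RE = re.compile(r"^## SSLway CAs = (.*)$")
VERIFY_RE = re.compile(
    r'^## SSLway depth=(\d+)/(-?\d+) ok=(\d) (\d+):"([^"]*)" (/\S.*)$'
)

# Constructed sample: a trimmed subset of the log lines posted in this thread.
SAMPLE_LOG = """\
  08/14 10:47:51.04 [7513] 1+0: ConnectToServer connect pop3s://pop.1und1.de:995
  08/14 10:47:51.15 [7513] 1+0: ## SSLway --CERTS ! /home/ms/.DeleGate/9.8.3/pop.1und1.de/etc/certs/ca-sv.pem
  08/14 10:47:51.15 [7513] 1+0: ## SSLway CAs = [/home/ms/.DeleGate/9.8.3/pop.1und1.de/etc/certs/ca-sv.pem][]
  08/14 10:47:51.27 [7513] 1+0: ## SSLway depth=0/-1 ok=0 20:"unable to get local issuer certificate" /C=DE/ST=Rheinland-Pfalz/L=Montabaur/O=1 und 1 Internet AG/CN=pop.1und1.de
  08/14 10:47:51.27 [7513] 1+0: ## SSLway connect failed
"""


def scan_sslway_log(text):
    """Return one finding per failed verification, joined with per-pid context."""
    sessions = {}   # pid -> {"server": url, "ca_files": [...]}
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue   # OpenSSL error dumps and other non-DeleGate lines
        ts, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        st = sessions.setdefault(pid, {"server": None, "ca_files": []})

        c = CONNECT_RE.match(msg)
        if c:
            st["server"] = c.group(1)
            continue
        c = CAS_RE.match(msg)
        if c:
            # "[path1][path2][]" -> keep the non-empty slots only
            st["ca_files"] = [p for p in re.findall(r"\[([^\]]*)\]", c.group(1)) if p]
            continue
        v = VERIFY_RE.match(msg)
        if v and v.group(3) == "0":
            code = int(v.group(4))
            subject = v.group(6)
            cn = re.search(r"/CN=([^/]+)", subject)
            host = urlsplit(st["server"]).hostname if st["server"] else None
            findings.append({
                "timestamp": ts,
                "pid": pid,
                "server": st["server"],
                "ca_files": list(st["ca_files"]),
                "depth": int(v.group(1)),
                "code": code,
                "reason": v.group(5),
                "subject": subject,
                "cn": cn.group(1) if cn else None,
                # name check is informational only: the chain was already rejected
                "cn_matches_host": bool(cn and host and cn.group(1).lower() == host),
                "hint": X509_VERIFY_HINTS.get(code, "see X509_V_ERR_* in the OpenSSL docs"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_sslway_log(SAMPLE_LOG):
        print(f"[{f['pid']}] {f['server']} rejected at depth {f['depth']}: "
              f"{f['code']} {f['reason']}")
        print(f"  subject : {f['subject']}")
        print(f"  CA files: {', '.join(f['ca_files']) or '(none)'}")
        print(f"  hint    : {f['hint']}")
```

Run against the sample, the scanner reports one finding for pid 7513: code 20 at depth 0, the single CA file ca-sv.pem, and the hint to check what that file points to, which is exactly the symlink problem shown in the CERTDIR listing. Feeding it a live DeleGate log (or the output of "tail -f") turns a silent "SSLway connect failed" into an alert that names the server and the CA file list in play.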
