Re: It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

On 14/12/2016 09:42, 杨俊 wrote:
Hi openssl-er,

> Does cacert.pem contain the CA certificate that issued the certificate for
> https://curl.haxx.se <https://curl.haxx.se/> ?

I think the cacert.pem is right, because I get the OK result on my PC with this command:

> If your embedded file system does not support symlinks, you can instead
> rename the PEM files to the names of the symlinks that c_rehash generates
> on a more full-blown development computer.

Just to be sure (sometimes OpenSSL checks its default -CApath even
if you specify a -CAfile) try this command on the development machine:

openssl x509 -subject -noout -in cacert.pem

Compare to the deepest value from the screenshot above.

I don't know if my way is right. I do it like this:


1. On my device I can't use c_rehash; it says there is no perl. I input the command like this:
/tmp # ./openssl x509 -hash -fingerprint -noout -in /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem
5ad8a5d6
SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C

2. input command:
/etc/ssl/certs # ln -s /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem 5ad8a5d6.0
/etc/ssl/certs # ls -l
total 511
lrwxrwxrwx 1 root root 88 Jan 1 06:53 5ad8a5d6.0 -> /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem

Is this right?

3. The result is still NG:
/tmp # ./openssl s_client -connect curl.haxx.se:443 <http://curl.haxx.se:443> -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=0 CN = anja.haxx.se <http://anja.haxx.se>
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se <http://anja.haxx.se>
verify error:num=21:unable to verify the first certificate
verify return:1
---

4. NG again
CONNECTED(00000003)
depth=0 CN = anja.haxx.se <http://anja.haxx.se>
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se <http://anja.haxx.se>
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se <http://anja.haxx.se>
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
---
-----END CERTIFICATE-----
subject=/CN=anja.haxx.se <http://anja.haxx.se>
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3143 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 3EA8329E6101B72FDA48B82E57049D637925CBC73064598B5B418270FFA5907C
    Session-ID-ctx:
Master-Key: 61172C067AE0758A1BE71C7577B6A6E8EFD896516F602BCA30E4E369B61A4093702406403CF41FF3B9CFC2E9E76BE611
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
---

    Start Time: 24915
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
closed


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
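
Since c_rehash needs perl, the following is an added shell example (not from this thread, and not OpenSSL's own c_rehash) that builds the same hash-named links in a -CApath directory with nothing but the openssl binary, including the .N collision suffix and the legacy hash link that c_rehash also creates, plus a verify step that mirrors what s_client checks. The function names and the test CA are my own assumptions.

```shell
#!/bin/sh
# rehash_dir DIR CA.pem [CA2.pem ...]
# Emulates what c_rehash does for a -CApath directory, using only `openssl`
# (no perl). OpenSSL looks a CA up in -CApath by file name <subject-hash>.<n>,
# where <n> starts at 0 and increments when two distinct CAs share a hash.
# Both the current hash (-hash) and the legacy hash (-subject_hash_old, used
# by OpenSSL 0.9.8) are linked, which is what c_rehash does too.
rehash_dir() {
    dir=$1; shift
    for pem in "$@"; do
        # Absolute target, so the link still resolves from inside DIR.
        case $pem in /*) abs=$pem ;; *) abs=$PWD/$pem ;; esac
        # Fail loudly on a file that is not a single parsable certificate.
        new=$(openssl x509 -noout -hash -in "$pem") || return 1
        old=$(openssl x509 -noout -subject_hash_old -in "$pem") || return 1
        for hash in "$new" "$old"; do
            n=0
            while [ -e "$dir/$hash.$n" ]; do
                # Already linked to identical content: nothing to do for this hash.
                cmp -s "$dir/$hash.$n" "$pem" && continue 2
                n=$((n + 1))
            done
            # Symlink if the file system allows it, otherwise copy the PEM
            # under the hash name (the rename Jakob describes above).
            ln -s "$abs" "$dir/$hash.$n" 2>/dev/null || cp "$pem" "$dir/$hash.$n"
        done
    done
}

# verify_capath DIR CERT.pem [CHAIN.pem]
# Checks a server certificate the way s_client does: CHAIN.pem holds the
# intermediates the server sent (treated as untrusted), DIR holds the trusted
# roots. Exit status is 0 only when the chain verifies back to a CA in DIR.
verify_capath() {
    dir=$1; cert=$2; chain=$3
    if [ -n "$chain" ]; then
        openssl verify -CApath "$dir" -untrusted "$chain" "$cert"
    else
        openssl verify -CApath "$dir" "$cert"
    fi
}
```

Run verify_capath against the leaf and the saved intermediate before trying s_client again; if it reports error 20, the issuer of the deepest cert is not under a correctly hashed name in DIR.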



