Here is an example of a cipher list specification that requires authenticated ephemeral ECDH key agreement (ECDH), RSA for authentication and only cipher suites that are considered of "high" encryption:

openssl s_client -cipher ECDH+aRSA+HIGH -connect :443

The above list specifies two specific ciphers. Example:

openssl s_client -cipher ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384 \

You can pass multiple ciphers using a space, comma or colon separator. This is not a single item, but a specification and can also be used for the nginx ssl_ciphers option, or the Apache SSLCipherSuite option.

I would disagree with them, but (as mentioned above) while most SSL checkers either don't check port 995 or succeed during the attempt, I found this page that produces SSL error 7.

As Steffen Ullrich has mentioned, you can pass a list of ciphers to the -cipher option of s_client.

Nevertheless, Fog Creek seems to think that the problem lies with the cert, because they've tried adding the cert to mono's Trust store without success. I can also use the -CAfile option successfully after downloading the CAfile cert directly from GeoTrust.
openssl s_client -CApath /etc/ssl/certs -showcerts -connect :995
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN =

openssl s_client -CApath /etc/ssl/certs -showcerts -connect :995
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
depth=0 serialNumber = tG0GnsyAUkdX7DEo15ylNBjQJqAWZ/dD, OU = 4159320284, OU = See (c)14, OU = Domain Control Validated - RapidSSL(R), CN =

I have been trying to understand if this is meaningful, because when the -CApath option is provided, the commands do not produce any errors:

Verify return code: 19 (self signed certificate in certificate chain)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL handshake has read 3876 bytes and written 319 bytes
Issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
Subject=/serialNumber=tG0GnsyAUkdX7DEo15ylNBjQJqAWZ/dD/OU=4159320284/OU=See (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=
Verify error:num=19:self signed certificate in certificate chain
0 s:/serialNumber=tG0GnsyAUkdX7DEo15ylNBjQJqAWZ/dD/OU=4159320284/OU=See (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
OK Gpop ready for requests from 69.3.61.10 c13mb42148040pdj

echo "" | openssl s_client -showcerts -connect :995
Verify return code: 20 (unable to get local issuer certificate)
SSL handshake has read 3236 bytes and written 435 bytes
Issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
Subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=
I:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
I:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
I:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
Verify error:num=20:unable to get local issuer certificate
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=

I have been working with both providers in an attempt to pinpoint the problem, but have finally reached a dead-end with both, since I don't know enough about SSL Certificates to be able to guide either provider to understand where the fault lies.

During the investigation, my attention was drawn to the difference in output of the following two commands (I have removed the certificates from the output for readability):

echo "" | openssl s_client -showcerts -connect :995
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

Thunderbird and Outlook neither does most SSL checker sites that are capable of checking odd ports except this one.

Ever since our email provider changed their SSL certificate, a POP3 client based on mono refuses to connect to their secure POP server to download emails.