Re: problem while trying to fetch 0.2.1.8-alpha
On Sun, 21 Dec 2008 22:59:09 -0800 coderman <coderman@xxxxxxxxx>
wrote:
>On Sun, Dec 21, 2008 at 10:31 PM, Scott Bennett <bennett@xxxxxxxxxx> wrote:
>> ...
>>>is it possible you have an old openssl cacerts package without the
>>>newer ev signing and root ca's?
>>
>> Beats me.
>
>yup, that appears to be it. (looking at the certs you got).
>
>nothing nefarious, aside from another random root added to your circle
>of trust :)
>
>you can download via:
>https://www.geotrust.com/resources/root-certificates/
>
>you want:
>https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Global_eBusiness_CA-1.cer
wget(1) fails to download the above because the certificate doesn't match.
:-[ So I used firefox to download it via the link from the root-certificates
page in the URL shown earlier above. I then put the downloaded certificate
file into /usr/local/openssl/certs, though I simply guessed that that might be
the correct location. Quite possibly, the correct location may be elsewhere.
>
>verify things look good:
>openssl s_client -CAfile Equifax_Secure_Global_eBusiness_CA-1.cer
>-connect www.torproject.org:443 -showcerts
>...
> Verify return code: 0 (ok)
Nope. Instead I get:
Script started on Wed Dec 31 02:12:49 2008
[hellas] 97 % openssl s_client -CAfile Equifax_Secure_Global_eBusiness_CA-1.cer -connect www.torproject.org:443 -showcerts
35810:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:104:fopen('Equifax_Secure_Global_eBusiness_CA-1.cer','r')
35810:error:2006D080:BIO routines:BIO_new_file:no such file:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:107:
35810:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/by_file.c:274:
CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=MA/L=Dedham/O=The Tor Project, Inc./OU=Anonymity Online/CN=*.torproject.org
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
---
Server certificate
subject=/C=US/ST=MA/L=Dedham/O=The Tor Project, Inc./OU=Anonymity Online/CN=*.torproject.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
---
No client certificate CA names sent
---
SSL handshake has read 3770 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 89F5EF1F3318F41224BB552C61488BB22F62392A95691DE739899583F3AD189C
Session-ID-ctx:
Master-Key: 9E22C87904D89A2C672EE02955ADA754BB6E2797A37EDDF5E66257515AD8426C274FA0D4CCED54B8AAB1755519E7AB2D
Key-Arg : None
Start Time: 1230711226
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
q
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.torproject.org/">here</a>.</p>
<hr>
<address>Apache Server at www.torproject.org Port 443</address>
</body></html>
closed
[hellas] 98 % exit
exit
Script done on Wed Dec 31 02:14:03 2008
>
>and to use this with wget:
> wget --ca-certificate=Equifax_Secure_Global_eBusiness_CA-1.cer
>https://www.torproject.org/...
>
That fails as before. Oh, well. I guess I can fetch it in the clear. :-(
Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************
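
Added example, not part of the original message or of the Tor or OpenSSL projects: a small shell function that summarises an `openssl s_client -CAfile ... -showcerts` transcript like the one above, reporting whether the CA file was actually loaded, the verify return code, and the issuer at the top of the chain the server sent. The function names and the abridged sample transcript are constructed for this example.

```shell
#!/bin/sh
# Added example: summarise an `openssl s_client -CAfile ...` transcript.

diagnose_s_client() {
    # Reads a transcript on stdin and prints three key=value lines.
    awk '
        # OpenSSL could not open the file passed to -CAfile.
        /fopen:No such file or directory/ { cafile_missing = 1 }
        # Chain issuer lines look like " i:/C=US/O=..."; the last one names
        # the CA certificate that the local trust store has to supply.
        /^ *i:\// { sub(/^ *i:/, ""); top_issuer = $0 }
        /Verify return code:/ {
            code = $0
            sub(/.*Verify return code: */, "", code)
            sub(/ .*/, "", code)
        }
        END {
            printf "cafile_loaded=%s\n", (cafile_missing ? "no" : "yes")
            printf "verify_code=%s\n", (code == "" ? "unknown" : code)
            printf "needed_issuer=%s\n", top_issuer
        }
    '
}

sample_transcript() {
    # Constructed sample: abridged from the session quoted in the message
    # above (source-file paths shortened, certificate bodies omitted).
    cat <<'EOF'
35810:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('Equifax_Secure_Global_eBusiness_CA-1.cer','r')
CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:/C=US/ST=MA/L=Dedham/O=The Tor Project, Inc./OU=Anonymity Online/CN=*.torproject.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

sample_transcript | diagnose_s_client
```
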