Ok so I downloaded the intermediate ca cert thing onto my local machine as intca.cer. Then I ran this command:
:~$ openssl s_client -ssl3 -CApath ./intca.cer -connect pop.x10.com:995 CONNECTED(00000003) depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=21:unable to verify the first certificate verify return:1
Certificate chain 0 s:/C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
Server certificate -----BEGIN CERTIFICATE----- MIIFVDCCBDygAwIBAgIQP9qDpsFNkAq3EZsq5A0jTjANBgkqhkiG9w0BAQUFADCB sDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMh VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBMB4XDTA4MTIxMTAwMDAw MFoXDTA5MTIxMTIzNTk1OVowgccxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo aW5ndG9uMQ8wDQYDVQQHFAZSZW50b24xJjAkBgNVBAoUHVgxMCBXaXJlbGVzcyBU ZWNobm9sb2d5LCBJbmMuMR8wHQYDVQQLFBZJbmZvcm1hdGlvbiBUZWNobm9sb2d5 MTMwMQYDVQQLFCpUZXJtcyBvZiB1c2UgYXQgd3d3LnZlcmlzaWduLmNvbS9ycGEg KGMpMDUxFDASBgNVBAMUC3BvcC54MTAuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN ADCBiQKBgQDJGXMMLkbyNDIVzNv4IB00qqEp8Pg5f2zWU8uzL52w37JHLmAzfExu HU+6vQqMip65QEEefqRh9rrsKWzMHC3ecQ1H3Ca6CDxwSbGLk1FjWafDLK2Ms1+w chOkym9RvURMGn8IKQag1KQ8mZtPGM5z+50O6A6YHaLQUNVGW1mJ8wIDAQABo4IB 0zCCAc8wCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRAYDVR0fBD0wOzA5oDegNYYz aHR0cDovL1NWUlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL1NWUlNlY3VyZTIwMDUu Y3JsMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0 cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI KwYBBQUHAwIwHwYDVR0jBBgwFoAUb+yvoN2KpO/1KhBnLT9VgrzX7yUweQYIKwYB BQUHAQEEbTBrMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20w QwYIKwYBBQUHMAKGN2h0dHA6Ly9TVlJTZWN1cmUtYWlhLnZlcmlzaWduLmNvbS9T VlJTZWN1cmUyMDA1LWFpYS5jZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJ aW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYk aHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEB BQUAA4IBAQA70R4JDVgQF7Rz/l26G0smMR2qjj3iOfggXOiE1zHVtyzWb/Q2yrIV kTkC558w73rE0/ScqFKa2HDHm3d6OHWXNRgr+2MW8rtuwFPaPko6mYkWeRE4a3HP VFE2iNOYfx5n5yovQOUbKOKn9jBnJu8L7+mVjmtdLTMLo6yKynrxCMOXrmHI4AkK QZgySYbm4JqkTz8+CPnT75bXAJdsFmqMiq3wTKDI2GbEGdCLEupCEEMcDi2mb/zA UQbon3cgfDGfkCKd91SzJT86c1IGStHNiuwgOHsM/cAmTobICdBeooBBGQlGZPZ1 E6ehkR3x1HVzD53zpE/rH4ejjhHZ3I02 -----END CERTIFICATE----- subject=/C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
No client certificate CA names sent
SSL handshake has read 1964 bytes and written 317 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Compression: zlib compression Expansion: zlib compression SSL-Session: Protocol : SSLv3 Cipher : DHE-RSA-AES256-SHA Session-ID: F5FDC92F3DFEE11EABFECEF9ACAEA69F6E34B18A0DAEC225EE6C18398E86B418 Session-ID-ctx: Master-Key: E81D48B88F493F4BD35353079B7A596993D42C3E711F2E4DB79305E69C9D0CF97ED4A88941FE42B3BE012A3D507827C8 Key-Arg : None Compression: 1 (zlib compression) Start Time: 1230103587 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate)
+OK Dovecot ready.
And I still get those errors. Any thoughts?
-G
On Tue, 2008-12-23 at 23:46 -0500, Sahil Tandon wrote:
Geoff Sweet wrote:
and last but not least, here is my test from openssl. Mind you this fails as a "BAD" ssl cert in Evolution.
:~$ openssl s_client -ssl2 -connect pop.x10.com:995
Try -ssl3 here; you'll see more.
CONNECTED(00000003) depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=21:unable to verify the first certificate verify return:1 21568:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
As you can see, the certificate clearly fails. I don't know how to make this work at this point. Any thoughts or advice would be greatly appreciated.
The cert fails because s_client(1) cannot find the root CA's you've chosen to trust. The same test will fail even with gmail's IMAP and POP3 servers. See the s_client(1) man page for the CApath and CAfile flags.