RE: how to get the trusted certificate of the website mail.yahoo.com?

Hu, Yong Jun SNLB PEK Mon, 06 Nov 2006 02:30:50 -0800

thanks a lot, Gait. You are right!!

--Hu Yongjun

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gait Boxman
Sent: Monday, November 06, 2006 3:04 PM
To: openssl-users@openssl.org
Subject: Re: how to get the trusted certificate of the website mail.yahoo.com?

Hi,

did you try connecting to Yahoo with the ibm.com.pem as your CAFile? Looks like they're not sending the Equifax cert along, whereas IBM is. If I'm not mistaken, the ibm.com.pem is actually the Equifax cert, IBM's cert would be the one starting with MIIC..

--Gait.

Hu, Yong Jun SNLB PEK wrote:

hello, dear all :

1)

    I use the command openssl to get the trusted certificate, but there are some errors showing in the output:

bash-2.03# /usr/local/ssl/bin/openssl s_client -showcerts -connect login.yahoo.com:443
CONNECTED(00000004)
depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIC7TCCAlagAwIBAgIDBaBMMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDYwMTA0MTcwOTA2WhcNMTEwMTA0MTcwOTA2
WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxML
U2FudGEgQ2xhcmExFDASBgNVBAoUC1lhaG9vISBJbmMuMQ4wDAYDVQQLEwVZYWhv
bzEYMBYGA1UEAxMPbG9naW4ueWFob28uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQC1bE/u7xsEXb5wSthVHYp3DcFFAPU7GhDd1/e7emVUf2DSFru9EqV4
eNazUE66F0gneiJvKnwdojYi2FmirjoL1NIbig5aiankmv/bPwTim3XBjcWMBaHz
tZJeoURJGeSQtOnv5F2yIG35I3a4stSvowb1ngOPuIIFIRElRDqABQIDAQABo4Gu
MIGrMA4GA1UdDwEB/wQEAwIE8DAdBgNVHQ4EFgQUoB5uDJtuauvSrlpKGP8Ok0Ya
1jIwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Js
cy9zZWN1cmVjYS5jcmwwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gjIBBPM5iQn9Qw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GB
AFAlZRBD4XSDL4+cntx0ZE5xJ04qbkoSe0xBLmFKEQtBprFSyxN2tkXkjdQAmjsC
x4IpAaPuffe5AoidPsMc5j3TkPycVtsZnauoA4B9xOLECTOeWFt3N4lZo4aOod+z
uwLtIWL7usK66NSPZsGlX635P88imxdXoMooxnYDpMTn
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 907 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 4C92645DCF76DD39B93FA93134342228789864947A3A14CFB5AB965BA48BE95D
    Session-ID-ctx:
    Master-Key: 439AA1963FAD38CE860411AC778ED4AFB5F2437BF033ECDA451A07E44FC53FAFDA86EEAA40DD1FF88DB5FDBF1338F669
    Key-Arg   : None
    Start Time: 1161844868
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
read:errno=0

  Question: what should i do to get the correct trusted certificate from yahoo? why are there three error info"unable to get local issuer certificate
", " certificate not trusted", "unable to verify the first certificate"? Do i need to config openssl with another config?

2)
I tried using "ibm.com" instead and we was able to retrieve the certificate and make a connection without errors.

This command displays the certificates.

bash# openssl s_client -showcerts -connect ibm.com:443
CONNECTED(00000004)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=NC/L=Research Triangle Park/O=IBM/OU=HPODS/CN=redirect.www.ibm.com
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIC7TCCAlagAwIBAgIDBawBMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDYwMjAyMTgyMzEwWhcNMDcwNTA1MTcyMzEw
WjB4MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTkMxHzAdBgNVBAcTFlJlc2VhcmNo
IFRyaWFuZ2xlIFBhcmsxDDAKBgNVBAoTA0lCTTEOMAwGA1UECxMFSFBPRFMxHTAb
BgNVBAMTFHJlZGlyZWN0Lnd3dy5pYm0uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQCrhMJNDpABGrYPFf+Ib3UB6ibWLtEXh06+jmqmxAKOiUkQDfSIZam+
POxK+L4diycQchs6E37MfEhnnqqOQSguX2kfaN5iuWQyINgj+TRs7kc7FBzmRhKC
/mUXkdv2SvP/8z8gwbVWe1kGRBlqZTrHPDSshY8Chb6B/61mvbabPQIDAQABo4Gu
MIGrMA4GA1UdDwEB/wQEAwIE8DAdBgNVHQ4EFgQUFrbeNkcAqnsXX4eeHqVhmPNA
3aYwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Js
cy9zZWN1cmVjYS5jcmwwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gjIBBPM5iQn9Qw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GB
AHpAm1OotPlh4Q08gLgGaNxcOn+WGjbtJHAlwurfkd7ncXOipBePIyjDtO2AG+g4
SFkaiw0Dkc9FLxXjFNTehrXTEDmkpfpsrAndR4WefiLFRo3B7HA92H+Wzi9a2jn0
Kl2Zla7QpFM4YPiGZPnTzr5jEOrG9CyxsFl240Y2O5pu
-----END CERTIFICATE-----
1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=NC/L=Research Triangle Park/O=IBM/OU=HPODS/CN=redirect.www.ibm.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1704 bytes and written 323 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 0000F970E2411CA27D9AEB021BB5310BE7720A69585858584548E38A000001EF
    Session-ID-ctx:
    Master-Key: 9077E6FBB41CB8AFFCDA511F5B1EED867772EFF5B8DF78D3DCB1F4E86BE1DDA0398BC4712BCDA657FA328360C22EE54E
    Key-Arg   : None
    Start Time: 1162404746
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
^C

bash# cat ibm.com.pem
-----BEGIN CERTIFICATE-----
MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
-----END CERTIFICATE-----

This command connects to ibm.com with the trusted root CA in ibm.com.pem. There are no error messages.

bash# openssl s_client -CAfile ibm.com.pem -connect ibm.com:443
CONNECTED(00000004)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/ST=NC/L=Research Triangle Park/O=IBM/OU=HPODS/CN=redirect.www.ibm.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=NC/L=Research Triangle Park/O=IBM/OU=HPODS/CN=redirect.www.ibm.com
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC7TCCAlagAwIBAgIDBawBMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDYwMjAyMTgyMzEwWhcNMDcwNTA1MTcyMzEw
WjB4MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTkMxHzAdBgNVBAcTFlJlc2VhcmNo
IFRyaWFuZ2xlIFBhcmsxDDAKBgNVBAoTA0lCTTEOMAwGA1UECxMFSFBPRFMxHTAb
BgNVBAMTFHJlZGlyZWN0Lnd3dy5pYm0uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQCrhMJNDpABGrYPFf+Ib3UB6ibWLtEXh06+jmqmxAKOiUkQDfSIZam+
POxK+L4diycQchs6E37MfEhnnqqOQSguX2kfaN5iuWQyINgj+TRs7kc7FBzmRhKC
/mUXkdv2SvP/8z8gwbVWe1kGRBlqZTrHPDSshY8Chb6B/61mvbabPQIDAQABo4Gu
MIGrMA4GA1UdDwEB/wQEAwIE8DAdBgNVHQ4EFgQUFrbeNkcAqnsXX4eeHqVhmPNA
3aYwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Js
cy9zZWN1cmVjYS5jcmwwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gjIBBPM5iQn9Qw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GB
AHpAm1OotPlh4Q08gLgGaNxcOn+WGjbtJHAlwurfkd7ncXOipBePIyjDtO2AG+g4
SFkaiw0Dkc9FLxXjFNTehrXTEDmkpfpsrAndR4WefiLFRo3B7HA92H+Wzi9a2jn0
Kl2Zla7QpFM4YPiGZPnTzr5jEOrG9CyxsFl240Y2O5pu
-----END CERTIFICATE-----
subject=/C=US/ST=NC/L=Research Triangle Park/O=IBM/OU=HPODS/CN=redirect.www.ibm.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1704 bytes and written 323 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 0000F9709068D5C248DC7F3049FCFBA620A27F56585858584548E3C800000208
    Session-ID-ctx:
    Master-Key: 9F9CDDCBB0DF7A7F8459C300BEA4875FA71096D11786384BE0B2841E13705AAC0408947591276FDC809F9859DBB3A814
    Key-Arg   : None
    Start Time: 1162404808
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

Question:I think there is something wrong with the yahoo web site: it does not display the trusted root CA.  But why could I use browser such as ie to access

yahoo https website?

In a word, Does someone know how to get the trusted or self-asigned certificate of the website mail.yahoo.com using openssl?

Thanks in advance

Best Regards

Hu Yongjun

RE: how to get the trusted certificate of the website mail.yahoo.com?

Reply via email to