Dear list members,

I've encountered a problem connecting to some https resources (especially one) from some of my boxes. It seems the root cause is somewhere in openssl. So here is my test case:

(debian stable box)
---8<---
abiessmann@git:~$ date
Do 10. Mai 11:03:12 CEST 2012
abiessmann@git:~$ openssl version
OpenSSL 0.9.8o 01 Jun 2010
abiessmann@git:~$ openssl s_client -connect banking.postbank.de:443
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
<snip chain>
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip certificate>
-----END CERTIFICATE-----
<some more snip>
---
SSL handshake has read 4623 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 1044F1F221E30E12B6E2217D9949149DED775F882C15F13AF63FE027495ADF4E
    Session-ID-ctx:
    Master-Key: 678A316973D51613D56DC87C0FE8BB34E6B96CF4D9523715084AB3F3511F0C22C12252C2716FED128B6A1F591C806097
    Key-Arg   : None
    Start Time: 1336640595
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
^C
--->8---

(one of the erroneous boxes)
---8<---
abiessmann@azuregos % date
Do 10. Mai 11:02:50 CEST 2012
abiessmann@azuregos % openssl version
OpenSSL 1.0.1b 26 Apr 2012
abiessmann@azuregos % openssl s_client -connect banking.postbank.de:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
--->8---
(the same for all boxes which use 1.0+ release)

My questions:
* can anyone confirm this behaviour (it seems other hosts are working with openssl 1.0+, but not the banking.postbank.de)?
* can anyone give me a hint how to track this down?

Best regards

Andreas Bießmann