server certificate verification failed

06/12/2008 - 21:30 by Thomas Bliesener
As of recently, libcurlpp throws a "server certificate verification
failed. CAfile: /etc/ssl/certs/ca-certificates.crt" at my feet.
gnutls-cli reports a problem with the certificate:

|bli@bli:~$ gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt conexion.bital.com.mx
|Processed 140 CA certificate(s).
|Resolving 'conexion.bital.com.mx'...
|Connecting to '200.16.50.21:443'...
|- Certificate type: X.509
| - Got a certificate list of 3 certificates.
|
| - Certificate[0] info:
| # The hostname in the certificate matches 'conexion.bital.com.mx'.
| # valid since: Wed Jul 23 19:00:00 CDT 2008
| # expires at: Fri Jul 24 18:59:59 CDT 2009
| # serial number: 17:4A:F6:24:45:11:64:60:F5:18:43:F2:DF:4B:38:56
| # fingerprint: BD:07:18:EC:47:DC:3A:0C:39:4F:9A:F2:A2:B3:9C:BF
| # version: #3
| # public key algorithm: RSA (1024 bits)
| # e [24 bits]: 01:00:01
| # m [1024 bits]: 9B:87:64:9A:27:4A:5F:CC:9D:D0:D4:BC:86:04:4C:FF:91:C4:24:12:87:F7:84:E1:1A:3B:47:FF:DE:29:89:42:BC:D6:68:CD:B3:BF:B5:4C:A9:C5:DF:85:C5:E0:47:15:68:A6:5D:C4:A1:45:C0:3A:C3:F2:3A:2F:96:DE:1F:5C:23:F3:87:F9:86:0A:4F:58:DB:C4:12:C1:BF:95:E5:70:78:06:0E:2D:49:1C:39:4E:18:9D:99:D4:51:7D:F8:A4:CF:1D:B6:B0:43:ED:5E:C6:5F:41:58:52:66:BD:48:73:79:4A:2E:59:56:84:A1:12:0C:C3:EB:41:62:67:B8:B5
| # Subject's DN: C=MX,ST=Mexico,L=Toluca,O=HSBC Holdings plc,OU=Informatica3,CN=conexion.bital.com.mx
| # Issuer's DN: O=VeriSign Trust Network,OU=VeriSign\, Inc.,OU=VeriSign International Server CA - Class 3,OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
|
| - Certificate[1] info:
| # valid since: Wed Apr 16 19:00:00 CDT 1997
| # expires at: Mon Oct 24 18:59:59 CDT 2011
| # serial number: 25:4B:8A:85:38:42:CC:E3:58:F8:C5:DD:AE:22:6E:A4
| # fingerprint: BC:0A:51:FA:C0:F4:7F:DC:62:1C:D8:E1:15:43:4E:CC
| # version: #3
| # public key algorithm: RSA (1024 bits)
| # e [24 bits]: 01:00:01
| # m [1024 bits]: D8:82:80:E8:D6:19:02:7D:1F:85:18:39:25:A2:65:2B:E1:BF:D4:05:D3:BC:E6:36:3B:AA:F0:4C:6C:5B:B6:E7:AA:3C:73:45:55:B2:F1:BD:EA:97:42:ED:9A:34:0A:15:D4:A9:5C:F5:40:25:DD:D9:07:C1:32:B2:75:6C:C4:CA:BB:A3:FE:56:27:71:43:AA:63:F5:30:3E:93:28:E5:FA:F1:09:3B:F3:B7:4D:4E:39:F7:5C:49:5A:B8:C1:1D:D3:B2:8A:FE:70:30:95:42:CB:FE:2B:51:8B:5A:3C:3A:F9:22:4F:90:B2:02:A7:53:9C:4F:34:E7:AB:04:B2:7B:6F
| # Subject's DN: O=VeriSign Trust Network,OU=VeriSign\, Inc.,OU=VeriSign International Server CA - Class 3,OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
| # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
|
| - Certificate[2] info:
| # valid since: Sun Jan 28 18:00:00 CST 1996
| # expires at: Tue Aug 1 18:59:59 CDT 2028
| # serial number: 70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF
| # fingerprint: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
| # version: #1
| # public key algorithm: RSA (1024 bits)
| # e [24 bits]: 01:00:01
| # m [1024 bits]: C9:5C:59:9E:F2:1B:8A:01:14:B4:10:DF:04:40:DB:E3:57:AF:6A:45:40:8F:84:0C:0B:D1:33:D9:D9:11:CF:EE:02:58:1F:25:F7:2A:A8:44:05:AA:EC:03:1F:78:7F:9E:93:B9:9A:00:AA:23:7D:D6:AC:85:A2:63:45:C7:72:27:CC:F4:4C:C6:75:71:D2:39:EF:4F:42:F0:75:DF:0A:90:C6:8E:20:6F:98:0F:F8:AC:23:5F:70:29:36:A4:C9:86:E7:B1:9A:20:CB:53:A5:85:E7:3D:BE:7D:9A:FE:24:45:33:DC:76:15:ED:0F:A2:71:64:4C:65:2E:81:68:45:A7
| # Subject's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
| # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
|
|
|- Peer's certificate is NOT trusted
|- Version: TLS1.0
|- Key Exchange: RSA
|- Cipher: ARCFOUR-128
|- MAC: MD5
|- Compression: NULL
|- Session ID: 00:BC:9B:22:93:D7:16:E5:16:4E:1C:D9:E3:3A:83:D2:B4:DC:55:B5:0A:70:EE:17:BE:8D:81:A5:3A:9E:F2:68
|*** Verifying server certificate failed...

Curl itself, on the other hand, seems to have no problems; the page can be
downloaded with it without any trouble. Apart from an update of some packages,
I haven't really changed anything.

Does anyone have an idea where I can tinker with this?

Debian testing/AMD64
curlpp-0.7.2
libcurl3-gnutls 7.18.2-5
ca-certificates 20080809
b"last week it still worked"li
 


#1 Heiko Nocon
06/12/2008 - 23:04
Thomas Bliesener wrote:

As of recently, libcurlpp throws a "server certificate verification
failed. CAfile: /etc/ssl/certs/ca-certificates.crt" at my feet.
gnutls-cli reports a problem with the certificate:


[...]

Yes, and?
What does /etc/ssl/certs/ca-certificates.crt say about the Verisign
Public Primary Certification Authority? The same as the version
transmitted by the server?

If not, one of the two is forged. Then you just have to
figure out which one.
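
The comparison asked for in the reply above can be scripted. This is an added example, not part of the thread: it takes the self-signed certificate from `gnutls-cli -V` output and looks its fingerprint up in a PEM bundle. It assumes the 16-byte fingerprints in that output are MD5 over the DER certificate; all function names and the sample data are constructed.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
FIELD_RE = re.compile(r"# (fingerprint|Subject's DN|Issuer's DN): (.+)")

def md5_fingerprint(der: bytes) -> str:
    """Colon-separated hex of MD5(DER), assumed to be the 16-byte form shown above."""
    return ":".join(f"{b:02X}" for b in hashlib.md5(der).digest())

def bundle_fingerprints(pem_text: str) -> set:
    """Fingerprint every certificate in a PEM bundle such as ca-certificates.crt."""
    return {md5_fingerprint(base64.b64decode(m.group(1)))
            for m in PEM_RE.finditer(pem_text)}

def presented_certs(gnutls_output: str) -> list:
    """One dict per 'Certificate[n] info' block of gnutls-cli -V output."""
    certs = []
    for line in gnutls_output.splitlines():
        if "Certificate[" in line:
            certs.append({})
        m = FIELD_RE.search(line)
        if m and certs:
            certs[-1][m.group(1)] = m.group(2).strip()
    return certs

def check_root(gnutls_output: str, pem_text: str) -> dict:
    """Look up the self-signed certificate the server sent in the local bundle."""
    trusted = bundle_fingerprints(pem_text)
    for cert in presented_certs(gnutls_output):
        subject = cert.get("Subject's DN")
        if subject and subject == cert.get("Issuer's DN"):
            fp = cert.get("fingerprint", "").upper()
            return {"subject": subject, "fingerprint": fp, "in_bundle": fp in trusted}
    return {"subject": None, "fingerprint": None, "in_bundle": False}

# Constructed sample data: placeholder bytes stand in for DER certificates.
def _pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = _pem(b"constructed root A") + _pem(b"constructed root B")

def sample_output(root_der: bytes) -> str:
    return ("| - Certificate[0] info:\n"
            "| # Subject's DN: CN=leaf.example\n"
            "| # Issuer's DN: CN=Constructed Root\n"
            "| - Certificate[1] info:\n"
            f"| # fingerprint: {md5_fingerprint(root_der)}\n"
            "| # Subject's DN: CN=Constructed Root\n"
            "| # Issuer's DN: CN=Constructed Root\n")
```

An `in_bundle` value of `False` means the bundle holds no byte-identical copy of the root the server sent, which is the mismatch the reply asks about.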
