how to resolve depth=0


how to resolve depth=0

Winston Ford
Hello,

I'll spare my sob story; suffice to say there's week-old blood on the wall..

Here's what I'm trying to resolve:

[pbAl:~] winstonf% openssl s_client -connect www.elegantbabygifts.com:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /O=www.elegantbabygifts.com/OU=Domain Control Validated/CN=www.elegantbabygifts.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=www.elegantbabygifts.com/OU=Domain Control Validated/CN=www.elegantbabygifts.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=www.elegantbabygifts.com/OU=Domain Control Validated/CN=www.elegantbabygifts.com
verify error:num=21:unable to verify the first certificate

Specifically the depth=0 and the resulting 3 errors, and ultimately the fact that the majority of cattle using IE cannot check out from my customers' sites since I upgraded to OpenSSL 0.9.7i 14 Oct 2005.

Any brain power appreciated,
Winston
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: how to resolve depth=0

Dr. Stephen Henson
On Tue, Feb 21, 2006, Winston Ford wrote:

> Hello,
>
> I'll spare my sob story; suffice to say there's week-old blood on the wall..
>
> Here's what I'm trying to resolve:
>
> [pbAl:~] winstonf% openssl s_client -connect www.elegantbabygifts.com:443 -state
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=0 /O=www.elegantbabygifts.com/OU=Domain Control Validated/CN=www.elegantbabygifts.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /O=www.elegantbabygifts.com/OU=Domain Control Validated/CN=www.elegantbabygifts.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /O=www.elegantbabygifts.com/OU=Domain Control Validated/CN=www.elegantbabygifts.com
> verify error:num=21:unable to verify the first certificate
>
> Specifically the depth=0 and the resulting 3 errors, and ultimately the fact that the majority of cattle using IE cannot check out from my customers' sites since I upgraded to OpenSSL 0.9.7i 14 Oct 2005.
>

Looks like the server is misconfigured: you aren't sending the correct
intermediate CA certificate.

You are sending the "Verisign Trust Network" intermediate CA and you should
instead be sending the "Starfield Secure Certification Authority" CA.

Did someone by any chance get the certificate from a different CA recently?

That seems likely since the date is 20th Feb.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: how to resolve depth=0

Winston Ford
Yes, the current cert was bought this weekend from Starfield (GoDaddy). Reason being, another client site has a cert from Starfield, and IE successfully completes the handshake. The site is https://www.shopelizabethbrady.com. It is running on the same machine, same Apache (Apache/1.3.33 mod_ssl/2.8.24), and same OpenSSL (OpenSSL 0.9.7i).

The bit about the intermediate CA certificate showing Verisign is noteworthy. The previous cert was from Verisign, so this makes sense. Yet the SSLCertificateChainFile /private/etc/httpd/ebg-ssl4/sf_issuing.crt is the same sf_issuing.crt used for shopelizabethbrady.com, which does not show Verisign in the handshake transcript. Where might this Verisignian vestige be residing?

Thank you immensely for the time,
Winston


Re: how to resolve depth=0

Dr. Stephen Henson
On Tue, Feb 21, 2006, Winston Ford wrote:

> Yes, the current cert was bought this weekend from Starfield (GoDaddy). Reason being, another client site has a cert from Starfield, and IE successfully completes the handshake. The site is https://www.shopelizabethbrady.com. It is running on the same machine, same Apache (Apache/1.3.33 mod_ssl/2.8.24), and same OpenSSL (OpenSSL 0.9.7i).
>
> The bit about the intermediate CA certificate showing Verisign is noteworthy. The previous cert was from Verisign, so this makes sense. Yet the SSLCertificateChainFile /private/etc/httpd/ebg-ssl4/sf_issuing.crt is the same sf_issuing.crt used for shopelizabethbrady.com, which does not show Verisign in the handshake transcript. Where might this Verisignian vestige be residing?
>

Well that file is the usual place. Try:

openssl x509 -in whatever.crt -noout -subject

and see if it says "Verisign". You could also try commenting that line out and
seeing if it doesn't send it any more.

If the other site has the correct intermediate CA in the trusted certificate
store it would use that.

If you don't have a copy of the correct intermediate CA you can get it from
that other site easily enough with the -showcerts option to s_client.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
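The check Steve describes, done on the output of `openssl s_client -showcerts` rather than by eye, as an added example that is not part of this thread and not OpenSSL's own code: it parses the "Certificate chain" section (the `s:`/`i:` subject and issuer lines at each depth) and reports where the chain fails to link, which is exactly the "wrong intermediate" condition behind verify error 21. The two transcripts are constructed samples; the leaf subject is the one from the thread, but the Starfield and Verisign issuer DNs are simplified stand-ins and not copied from any real certificate.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -connect host:443 -showcerts`. The server sends a
# Starfield-issued leaf but a Verisign intermediate, as in the thread.
# The issuer DNs are made-up stand-ins, not real certificate names.
BROKEN_TRANSCRIPT = """\
CONNECTED(00000003)
depth=0 /O=www.elegantbabygifts.com/OU=Domain Control Validated/CN=www.elegantbabygifts.com
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/O=www.elegantbabygifts.com/OU=Domain Control Validated/CN=www.elegantbabygifts.com
   i:/O=Starfield Technologies, Inc./CN=Starfield Secure Certification Authority
-----BEGIN CERTIFICATE-----
MIIC...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
 1 s:/O=Verisign Trust Network/CN=Verisign Intermediate CA (constructed)
   i:/O=Verisign, Inc./CN=Verisign Root CA (constructed)
-----BEGIN CERTIFICATE-----
MIIC...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
---
Server certificate
"""

# Same server after the correct Starfield intermediate is served (constructed).
FIXED_TRANSCRIPT = """\
Certificate chain
 0 s:/O=www.elegantbabygifts.com/OU=Domain Control Validated/CN=www.elegantbabygifts.com
   i:/O=Starfield Technologies, Inc./CN=Starfield Secure Certification Authority
 1 s:/O=Starfield Technologies, Inc./CN=Starfield Secure Certification Authority
   i:/O=Starfield Technologies, Inc./CN=Starfield Root CA (constructed)
---
"""


@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str


_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")  # " 0 s:/O=.../CN=..."
_ISSUER_RE = re.compile(r"^\s+i:(.*)$")           # "   i:/O=.../CN=..."


def parse_chain(transcript: str) -> list[ChainEntry]:
    """Extract (depth, subject, issuer) for every certificate the server sent."""
    entries: list[ChainEntry] = []
    in_chain = False
    pending: tuple[int, str] | None = None
    for line in transcript.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":  # end of the chain section
            break
        m = _SUBJECT_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = _ISSUER_RE.match(line)
        if m and pending is not None:
            entries.append(ChainEntry(pending[0], pending[1], m.group(1).strip()))
            pending = None
    entries.sort(key=lambda e: e.depth)
    return entries


def check_chain(entries: list[ChainEntry]) -> list[str]:
    """Return findings about chain linkage; an empty list means each cert is
    followed by the certificate that issued it."""
    findings: list[str] = []
    if not entries:
        return ["no certificates found in transcript"]
    # Each certificate's issuer must be the subject of the next one sent.
    for lower, upper in zip(entries, entries[1:]):
        if lower.issuer != upper.subject:
            findings.append(
                f"depth={lower.depth} is issued by '{lower.issuer}' but the server "
                f"sent '{upper.subject}' at depth={upper.depth}: wrong intermediate"
            )
    if len(entries) == 1 and entries[0].subject != entries[0].issuer:
        findings.append("only the leaf was sent; no intermediate CA certificate in chain")
    last = entries[-1]
    if last.subject == last.issuer:
        findings.append(f"depth={last.depth} is self-signed (root sent; unnecessary but harmless)")
    return findings


def diagnose(transcript: str) -> list[str]:
    return check_chain(parse_chain(transcript))


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_TRANSCRIPT), ("fixed", FIXED_TRANSCRIPT)):
        print(f"{name}: {diagnose(text) or ['chain links up']}")
```

To use it on a live server, capture `openssl s_client -connect host:443 -showcerts < /dev/null` to a file and pass its contents to `diagnose()`. The comparison is a plain string match on the printed DNs, which is enough to spot a wrong or missing intermediate; it does not check signatures, so a clean result here still needs the `verify return:1` / `Verify return code: 0` lines from s_client itself.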

Re: how to resolve depth=0

Winston Ford
Wow, the issue has been resolved. Many thanks for the keen eyes. After commenting out the SSLCertificateChainFile directive in my httpd.conf, one was still returned in the handshake. I include a directory of vhost.conf files and had backed up the one which had SSL issues. Apache was still pulling the backed-up .conf for this vhost and getting duplicate and conflicting info.

This completes my longest solo mission in the cockpit since I entered  
the net.  Thanks Doc for a safe landing!

-W
