[Operators] Issues connecting to jabber.co.za

Norman Rasmussen norman at rasmussen.co.za
Tue Oct 14 05:24:42 CDT 2008


On Mon, Oct 13, 2008 at 10:21 PM, Peter Saint-Andre <stpeter at stpeter.im> wrote:

> The output of 'openssl s_client -connect your.server.tld:5223' reveals
> that jabber.co.za has a cert from Thawte. Does anyone know what root
> cert to use for verification? It seems that thawte-roots.zip has lots of
> certs in it. :/
>

Here's a summary of the outputs I'm seeing:
c2s on 5223:

$ openssl s_client -connect jabber.co.za:5223 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server CA/
emailAddress=server-certs at thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/O=jabber.co.za/OU=Go to
https://www.thawte.com/repository/index.html/OU=Thawte SSL123
certificate/OU=Domain Validated/CN=jabber.co.za
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=
server-certs at thawte.com
 1 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=
server-certs at thawte.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=
server-certs at thawte.com
---
<snip>

c2s on 5222 via 'starttls' proxy [1]:

$ openssl s_client -connect localhost:6222 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server CA/
emailAddress=server-certs at thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/O=jabber.co.za/OU=Go to
https://www.thawte.com/repository/index.html/OU=Thawte SSL123
certificate/OU=Domain Validated/CN=jabber.co.za
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=
server-certs at thawte.com
 1 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=
server-certs at thawte.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=
server-certs at thawte.com
---
<snip>

As you can see, they both work fine, but now here's s2s via 'starttls' proxy [1]:

$ openssl s_client -connect localhost:6269 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=
server-certs at thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert write:fatal:protocol version
SSL_connect:error in SSLv3 read finished A
SSL_connect:error in SSLv3 read finished A
16723:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:284:
$

So it looks like the c2s cert is installed correctly, but the s2s cert isn't
installed at all?

[1] http://www.darkskies.za.net/~norman/scripts/proxy-xmpp-tls (depends on
socat)

-- 
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/
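Added example, not part of the thread: a small Python parser for the kind of 'openssl s_client -state' transcript quoted above. It pulls out the presented chain and the verify error, distinguishes a completed handshake from the "wrong version number" failure, and turns verify error 19 into the practical reading (the root is in the chain, it just isn't trusted yet). The two sample transcripts are constructed and trimmed, not copied from the post.

```python
import re

# Constructed, trimmed transcripts shaped like the 'openssl s_client -state' output
# quoted in the thread (not copied verbatim): a c2s handshake that completes, and
# the s2s attempt that dies with "wrong version number".
C2S_OK = """\
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/O=jabber.co.za/CN=jabber.co.za
   i:/C=ZA/O=Thawte Consulting cc/CN=Thawte Server CA
 1 s:/C=ZA/O=Thawte Consulting cc/CN=Thawte Server CA
   i:/C=ZA/O=Thawte Consulting cc/CN=Thawte Server CA
---
"""
S2S_FAIL = """\
SSL_connect:SSLv3 read server certificate request A
SSL3 alert write:fatal:protocol version
SSL_connect:error in SSLv3 read finished A
16723:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:
"""
CHAIN_RE = re.compile(r"^ *(\d+) s:(.*)\n +i:(.*)$", re.M)
VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.*)$", re.M)

def parse_chain(transcript):
    """Presented chain as (subject, issuer) pairs, leaf first."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in CHAIN_RE.finditer(transcript)]

def diagnose(transcript):
    chain = parse_chain(transcript)
    errors = {int(n): msg for n, msg in VERIFY_RE.findall(transcript)}
    report = {
        # s_client logs 'read finished A' without an 'error in' prefix only when
        # the handshake really completed.
        "handshake": bool(re.search(r"^SSL_connect:SSLv3 read finished A$", transcript, re.M)),
        "chain_len": len(chain),
        # A last cert that issued itself is a root the server chose to send along.
        "self_signed_root": bool(chain) and chain[-1][0] == chain[-1][1],
        "verify_errors": errors,
        # SSL_R_WRONG_VERSION_NUMBER: what came back was not a TLS record at all.
        "wrong_version": "wrong version number" in transcript,
        "hint": "",
    }
    if 19 in errors:  # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
        report["hint"] = "root is in the chain but not trusted; give s_client that root via -CAfile"
    elif report["wrong_version"]:
        report["hint"] = "peer sent non-TLS bytes; no TLS listener/negotiation on this path"
    return report
```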