On Thursday, 2 July 2015 18:35:04 UTC+2, pal...@yahoo.com wrote:
> OK, here's what you need to do. Download the current root certs from
> http://curl.haxx.se/ca/cacert.pem and save it (to cacert.pem or whatever)
> and specify that as your -cafile.
>
> Verified with tls 1.6.6:
>
> % ::http::register https 443 [list ::tls::socket -request 1 -require 1 -ssl2 0 -ssl3 0 -tls1 1 -cafile cacert.pem]
> 443 {::tls::socket -request 1 -require 1 -ssl2 0 -ssl3 0 -tls1 1 -cafile cacert.pem}
> % set tok [http::geturl https://www.google.de]
> ::http::4
> % http::status $tok
> ok
> % http::cleanup $tok
>
> /Ashok
Problem solved!
At first I saved the CA file provided by Ashok and connected successfully to google.de.
Then I tried to connect to my server and it didn't work (same error: operation not supported).
Then I followed Ashok's advice and tried to connect through openssl instead of Tcl's tls package:
openssl s_client -connect www.mydomain.de:443 -CAfile CA.crt
That helped a lot, because openssl has much more details in the output. The output was:
CONNECTED(000001B0)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=DE/ST=Baden-W\xC3\xBCrttemberg/L=Stuttgart/...
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
The verify error:num=20:unable to get local issuer certificate is issued when a certificate in the chain is missing. So I searched the CA file and identified the missing certificate, which I could copy from Firefox and paste into the CA file.
Then the connection through the Tcl TLS package also worked like a charm:
::http::register https 443 [list ::tls::socket -request 1 -require 1 -ssl2 0 -ssl3 0 -tls1 1 -cafile CA.crt]
::http::geturl https://www.mydomain.de
Thank you very much for your help!