Thomas Hochstein <
t...@thh.name> wrote:
>
> Sollte jetzt passen.
>
> (Hat jemand zufällig einen Tip zur Hand, wie man die Zertifikatskette in
> ähnlicher Weise mit OpenSSL statt GnuTLS prüft?)
Sowas in der Art:
#v+
$ openssl s_client -verify_return_error -starttls smtp -connect
mx03.thangorodrim.org:25
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN =
weidegrund.szaf.org
verify return:1
---
Certificate chain
0 s:CN =
weidegrund.szaf.org
i:C = US, O = Let's Encrypt, CN = R3
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 29 08:46:55 2023 GMT; NotAfter: Mar 28 08:46:54 2024 GMT
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=CN =
weidegrund.szaf.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4833 bytes and written 440 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 HELP
QUIT
DONE
#v-
Da du es ja gefixt hast, jetzt eben kein Fehler.
openssl s_client hat noch ein paar weitere Optionen zur Verifikation, s.
man page.
Wenn absichtlich einen falschen Hostnamen verlangt, kann man den
Fehlerfall simulieren:
#v+
$ openssl s_client -verify_return_error -verify_hostname blubb -starttls smtp -connect
mx03.thangorodrim.org:25
CONNECTED(00000003)
depth=0 CN =
weidegrund.szaf.org
verify error:num=62:hostname mismatch
4057FE3C437F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:../openssl-3.0.11/ssl/statem/statem_clnt.c:1889:
---
Certificate chain
0 s:CN =
weidegrund.szaf.org
i:C = US, O = Let's Encrypt, CN = R3
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 29 08:46:55 2023 GMT; NotAfter: Mar 28 08:46:54 2024 GMT
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4473 bytes and written 367 bytes
Verification error: hostname mismatch
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 62 (hostname mismatch)
---
#v-
Gruß,
Enrik