Indeed, OpenBSD uses LibreSSL 3.5.2 and my Artix Linux runs OpenSSL.
LibreSSL says: Verify return code: 20 (unable to get local issuer certificate)
And OpenSSL says: Verify return code: 21 (unable to verify the first certificate)
Here is the diff from both.
4,5c4,5
< 0 s:CN = mail.thinkerwim.org
< i:C = US, O = Let's Encrypt, CN = R3
---
> 0 s:/CN=mail.thinkerwim.org
> i:/C=US/O=Let's Encrypt/CN=R3
44,47c44,45
< subject=CN = mail.thinkerwim.org
<
< issuer=C = US, O = Let's Encrypt, CN = R3
<
---
> subject=/CN=mail.thinkerwim.org
> issuer=/C=US/O=Let's Encrypt/CN=R3
50,52c48
< Peer signing digest: SHA256
< Peer signature type: RSA-PSS
< Server Temp Key: X25519, 253 bits
---
> Server Temp Key: ECDH, X25519, 253 bits
54,55c50
< SSL handshake has read 2663 bytes and written 434 bytes
< Verification error: unable to verify the first certificate
---
> SSL handshake has read 2662 bytes and written 430 bytes
57c52
< New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
---
> New, TLSv1/SSLv3, Cipher is TLS_AES_256_GCM_SHA384
63,64c58,66
< Early data was not sent
< Verify return code: 21 (unable to verify the first certificate)
---
> SSL-Session:
> Protocol : TLSv1.3
> Cipher : TLS_AES_256_GCM_SHA384
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> Start Time: 1657308952
> Timeout : 7200 (sec)
> Verify return code: 20 (unable to get local issuer certificate)
I guess I'll look into the manual of LibreSSL :-).
Thanks for pointing me in the right direction.
Wim Stockman
On 7/8/22 20:41, Zé Loff wrote:
> On Fri, Jul 08, 2022 at 07:22:51PM +0200, Wim wrote:
>> The strange thing is that the client machine and server are the same...
> The client's not necessarily the same. Linux might be using OpenSSL,
> OpenBSD is almost certainly using LibreSSL, there might be differences
> on the root certificates accepted by each OS, etc.
>
> Compare the output of
>
> openssl s_client -showcerts -servername mail.thinkerwim.org -connect mail.thinkerwim.org:587 -starttls smtp
>
> and check for differences.
>
>> Maybe Mutt looks in the wrong place. I installed mutt from the OpenBSD package and am using OpenBSD 7.1
>>
>> Thanks for the help.
>> Kind regards
>> Wim
>>
>> Philipp Buehler <e1c1bac6253dc54a1e89ddc046585792@posteo.net> wrote on 8 July 2022 16:31:31 CEST:
>>> On 08.07.2022 15:49 Dave Voutila wrote:
>>>
>>>> $ openssl s_client -showcerts -servername mail.thinkerwim.org -connect
>>>> mail.thinkerwim.org:587
>>> `-starttls smtp` helps a lot. The cert is there (also on :25 ftm) and signed by LE.
>>>
>>> The rub is that the mutt client machine does not know that issuer.
>>> See the openssl documentation on how to do this.
>>>
>>> HTH
>>> --
>>> pb
>>>
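As an added example (not part of the thread, and not a capture from Wim's server): a small Python script that reads saved output of the `openssl s_client -showcerts -servername ... -connect ...:587 -starttls smtp` command suggested above, in either the OpenSSL ("CN = x") or the LibreSSL ("/CN=x") name style, and reports whether the server actually sent the intermediate that signs its certificate. That is the distinction behind the two verify codes in the diff: a chain containing only the depth-0 certificate forces the client to find the issuer locally, whereas a complete chain that still fails points at the client's root store. The three samples are constructed from the lines quoted in the thread; the `mail.example.test` chain is an invented healthy case, not a real capture.

```python
import re

# Constructed samples modelled on the s_client output quoted in the thread;
# only the lines this parser needs are kept.

# OpenSSL-style naming; the server sends only the depth-0 certificate.
OPENSSL_SAMPLE = """\
Certificate chain
 0 s:CN = mail.thinkerwim.org
   i:C = US, O = Let's Encrypt, CN = R3
---
Verification error: unable to verify the first certificate
---
Verify return code: 21 (unable to verify the first certificate)
"""

# LibreSSL-style naming; same server, different code and wording.
LIBRESSL_SAMPLE = """\
Certificate chain
 0 s:/CN=mail.thinkerwim.org
   i:/C=US/O=Let's Encrypt/CN=R3
---
Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed healthy case (placeholder hostname): the intermediate is sent,
# so the chain reaches a root the client already trusts.
FULL_CHAIN_SAMPLE = """\
Certificate chain
 0 s:CN = mail.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Verify return code: 0 (ok)
"""

_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")
_VERIFY_RE = re.compile(r"^Verify return code: (\d+) \((.*)\)$", re.MULTILINE)


def normalize_dn(raw: str) -> tuple:
    """Turn "C = US, O = X, CN = R3" or "/C=US/O=X/CN=R3" into one tuple form.
    Values containing the separator itself (comma or slash) are not handled;
    for a diagnostic over s_client output that is acceptable."""
    raw = raw.strip()
    parts = raw[1:].split("/") if raw.startswith("/") else raw.split(", ")
    pairs = []
    for part in parts:
        if "=" not in part:
            continue
        attr, value = part.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return tuple(pairs)


def parse_chain(text: str) -> list:
    """Return the certificates the server sent, in order, as dicts."""
    lines = text.splitlines()
    entries = []
    for idx, line in enumerate(lines):
        m = _SUBJECT_RE.match(line)
        if not m:
            continue
        issuer = None
        if idx + 1 < len(lines):
            mi = _ISSUER_RE.match(lines[idx + 1])
            if mi:
                issuer = normalize_dn(mi.group(1))
        entries.append({"depth": int(m.group(1)),
                        "subject": normalize_dn(m.group(2)),
                        "issuer": issuer})
    return entries


def parse_verify_code(text: str) -> tuple:
    m = _VERIFY_RE.search(text)
    if not m:
        raise ValueError("no 'Verify return code' line found")
    return int(m.group(1)), m.group(2)


def analyse(text: str) -> dict:
    """Decide whether a failure is the server's chain or the client's store."""
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no 'Certificate chain' entries found")
    code, reason = parse_verify_code(text)
    leaf = chain[0]
    # The leaf's issuer must be the subject of a later entry (or the leaf is
    # self-signed); otherwise the client has to find the issuer locally.
    issuer_sent = leaf["issuer"] in {c["subject"] for c in chain}
    if code == 0:
        verdict = "ok"
    elif not issuer_sent:
        # Codes 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) and 21
        # (X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) are what the thread saw
        # when only the leaf was served.
        verdict = "server sends only the leaf; intermediate missing from chain"
    else:
        verdict = "chain complete; top of chain not trusted by this client's store"
    return {"depth": len(chain), "verify_code": code, "verify_reason": reason,
            "leaf_issuer_sent": issuer_sent, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("OpenSSL", OPENSSL_SAMPLE), ("LibreSSL", LIBRESSL_SAMPLE),
                         ("full chain", FULL_CHAIN_SAMPLE)):
        r = analyse(sample)
        print(f"{name}: code {r['verify_code']} ({r['verify_reason']}), "
              f"{r['depth']} cert(s) sent -> {r['verdict']}")
```

To use it on a live server, pipe the s_client command's output into a file first (for example with `</dev/null` so it does not wait on stdin) and pass the file contents to `analyse()`; the script itself never opens a connection.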