[clug] ssl and https

Scott Ferguson scott.ferguson.clug at gmail.com
Sat Feb 26 18:18:43 MST 2011


On 27/02/11 11:10, dylan porter wrote:
> 
<stuff snipped to save electrons>

>>
>> "#dpkg --get-selections | grep openssl" should show you if you have it
>> installed. Note: the "#" means the command is run as root (use your
>> sudo), and I'm "assuming" Ubuntu calls the package the same as Debian.
>>
> yeah openssl is installed
>> If ssl is *not* installed - there's your problem. The other part of ssl
>> that *might* be a problem (unlikely given Konq works neither) is that
>> for some purposes ssl requires a user certificate as well as a server
>> certificate. You can get more information about ssl functions using:-
>>
>> "$ openssl s_client -connect facebook.com:443" which will return a lot
>> of gibberish, or sod all. (Note: "$" means *not* run as root)
>>
>> eg. output:-
>> scott@work:~$ openssl s_client -connect facebook.com:443
>> CONNECTED(00000003)
>> depth=2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High
>> Assurance EV Root CA
>> verify error:num=20:unable to get local issuer certificate
>> verify return:0
>> ---
>> Certificate chain
>>  0 s:/C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=www.facebook.com
>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance
>> CA-3
>>  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance
>> CA-3
>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance
>> EV Root CA
>>  2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance
>> EV Root CA
>>    i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
>> liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
>> Certification Authority
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> <snipped to save electrons>
>>
>>
>> Cheers
> $ openssl s_client -connect facebook.com:443
> CONNECTED(00000003)
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> High Assurance EV Root CA
> verify error:num=20:unable to get local issuer certificate
> verify return:0

<snipped - identical to my output>

>     Start Time: 1298765059
>     Timeout   : 300 (sec)
>     Verify return code: 20 (unable to get local issuer certificate)
> 
> that's what I got for that
> 
> also I got a netbook yesterday and installed Sabayon and I'm having the
> same problem
> 

Hmmm - we can rule out both your local and modem/router firewalling as
the problem, ditto UPnP. I was hoping we'd have narrowed down the cause
by now - not broadened it... nevertheless -

It *could* be a problem specific to fffacebook and MSN - as I have never
used either I don't have anything to frame a reference....

Can you connect to https://gmail.com? (using a browser)
If so, do, then while you are connected (logged into gmail) from the
command line run "$ netstat -an | grep :443"

This is what I get:-
scott@work:~$ netstat -an | grep :443
tcp        0      0 192.168.0.10:34060      74.125.237.83:443       ESTABLISHED
tcp        0      0 192.168.0.10:47879      74.125.237.86:443       ESTABLISHED
tcp        0      0 192.168.0.10:52022      74.125.237.87:443       ESTABLISHED
tcp        0      0 192.168.0.10:47878      74.125.237.86:443       ESTABLISHED
tcp        0      0 192.168.0.10:44321      74.125.237.93:443       ESTABLISHED
tcp        0      0 192.168.0.10:39294      74.125.237.86:443       ESTABLISHED


Cheers
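
An added example (not part of the original message): a shell function that triages saved `openssl s_client` output like the transcript quoted above, separating a failed TCP connection from a certificate-verification result. The names `triage_s_client` and `sample_output` are assumptions, and the sample is rebuilt from the transcript with the mail-wrapped lines rejoined.

```shell
#!/bin/sh
# Added example: triage saved `openssl s_client` output read from stdin.
# Reports whether TCP connected, whether each served certificate's issuer is
# the subject of the next one, and the final verify return code.
triage_s_client() {
    awk '
        /^CONNECTED\(/        { tcp = "ok" }
        /^ *[0-9]+ s:/        { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
        /^ +i:/               { sub(/^ +i:/, ""); iss[n++] = $0 }
        /Verify return code:/ { code = $4 }
        END {
            if (tcp != "ok") { print "tcp=fail"; exit }
            if (code == "") code = "none"
            linked = "yes"
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1]) linked = "no"
            # Last served cert: self-signed root, or issuer must be found locally
            top = (n > 0 && iss[n-1] == subj[n-1]) ? "self-signed" : "issuer-not-sent"
            printf "tcp=ok certs=%d linked=%s top=%s verify=%s\n", n, linked, top, code
        }'
}

# Constructed sample: the transcript above with wrapped lines rejoined.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
depth=2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=www.facebook.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
---
    Start Time: 1298765059
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

sample_output | triage_s_client
```

For the sample, the served chain links correctly and the connection succeeds; code 20 means the issuer of the last certificate was not found in the local trust store that `openssl` consulted.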

