[clug] ssl and https

dylan porter dylan.porter3 at gmail.com
Sat Feb 26 19:37:47 MST 2011


On 02/27/2011 12:18 PM, Scott Ferguson wrote:
> On 27/02/11 11:10, dylan porter wrote:
> <stuff snipped to save electrons>
>
>>> "#dpkg --get-selections | grep openssl" should show you if you have it
>>> installed. Note: the "#" means the command is run as root (use your
>>> sudo), and I'm "assuming" Ubuntu calls the package the same as Debian.
>>>
>> yeah openssl is installed
>>> If ssl is *not* installed - there's your problem. The other part of ssl
>>> that *might* be a problem (unlikely given Konq works neither) is that
>>> for some purposes ssl requires a user certificate as well as a server
>>> certificate. You can get more information about ssl functions using:-
>>>
>>> "$ openssl s_client -connect facebook.com:443" which will return a lot
>>> of gibberish, or sod all. (Note: "$" means *not* run as root)
>>>
>>> eg. output:-
>>> scott at work:~$ openssl s_client -connect facebook.com:443
>>> CONNECTED(00000003)
>>> depth=2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High
>>> Assurance EV Root CA
>>> verify error:num=20:unable to get local issuer certificate
>>> verify return:0
>>> ---
>>> Certificate chain
>>>  0 s:/C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=www.facebook.com
>>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance
>>> CA-3
>>>  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance
>>> CA-3
>>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance
>>> EV Root CA
>>>  2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance
>>> EV Root CA
>>>    i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
>>> liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
>>> Certification Authority
>>> ---
>>> Server certificate
>>> -----BEGIN CERTIFICATE-----
>>> <snipped to save electrons>
>>>
>>>
>>> Cheers
>> $ openssl s_client -connect facebook.com:443
>> CONNECTED(00000003)
>> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
>> High Assurance EV Root CA
>> verify error:num=20:unable to get local issuer certificate
>> verify return:0
> <snipped - identical to my output>
>
>>     Start Time: 1298765059
>>     Timeout   : 300 (sec)
>>     Verify return code: 20 (unable to get local issuer certificate)
>>
>> that's what I got for that
>>
>> also I got a netbook yesterday and installed Sabayon and I'm having the
>> same problem
>>
> Hmmm - we can rule out both your local and modem/router firewalling as
> the problem, ditto UPnP. I was hoping we'd have narrowed down the cause
> by now - not broadened it... never-the-less -
>
> It *could* be a problem specific to fffacebook and MSN - as I have never
> used either I don't have anything to frame a reference....
>
> Can you connect to https://gmail.com? (using a browser)
> If so, do, then while you are connected (logged into gmail) from the
> command line run the "$netstat -an | grep :443"
>
> This is what I get:-
> scott at work:~$ netstat -an | grep :443
> tcp        0      0 192.168.0.10:34060      74.125.237.83:443
> <snip>
> tcp        0      0 192.168.0.10:39294      74.125.237.86:443
> ESTABLISHED
>
>
> Cheers

tcp        0      0 192.168.0.10:44039      74.125.237.22:443      ESTABLISHED
tcp        0      0 192.168.0.10:42802      74.125.237.20:443      ESTABLISHED
tcp        0      0 192.168.0.10:34121      74.125.237.24:443      ESTABLISHED
tcp        0      0 192.168.0.10:34119      74.125.237.24:443      ESTABLISHED
tcp        0      0 192.168.0.10:53187      74.125.237.24:443      ESTABLISHED

Gmail works fine

oh btw it's a D-Link N150 router if that helps at all

-- 
dylan porter
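
Added example, not part of the original messages: a POSIX shell triage of a saved `openssl s_client` transcript that separates "could not connect" from "connected, but the chain did not verify against the local trust store" (verify return code 20 in the output quoted above). The function names and the abridged sample transcript are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a saved `openssl s_client -connect host:443` transcript.

# Constructed sample, abridged from the kind of output quoted in the thread.
sample_transcript() {
cat <<'EOF'
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=www.facebook.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Print the number from the final "Verify return code:" line, or nothing.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Read a transcript on stdin and print one of:
#   no-connect        TCP never came up (DNS, routing, firewall)
#   handshake-failed  TCP connected but the server sent no certificate
#   untrusted:<code>  TLS completed; chain failed local verification
#   ok                TLS completed and the chain verified
classify() {
    transcript=$(cat)
    case $transcript in
        *"CONNECTED("*) ;;
        *) echo no-connect; return 0 ;;
    esac
    case $transcript in
        *"no peer certificate available"*) echo handshake-failed; return 0 ;;
    esac
    code=$(printf '%s\n' "$transcript" | verify_code)
    case $code in
        0)  echo ok ;;
        "") echo handshake-failed ;;
        *)  echo "untrusted:$code" ;;
    esac
}

# Usage against a live host (not run here):
#   openssl s_client -connect facebook.com:443 </dev/null 2>&1 | classify
sample_transcript | classify   # → untrusted:20
```

The `2>&1` in the usage line matters because `s_client` writes the `verify error` lines to stderr; by default it continues the handshake after a verification error, which is why a chain and session summary still appear alongside code 20.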


