[CalendarServer-users] SSLAuthorityChain does not work on 8.0

Axel Rau Axel.Rau at Chaos1.DE
Sun Sep 4 10:48:27 PDT 2016


Hi,

I'm getting spurious "certificate not trusted" errors on client programs on OS X 10.11.6.
The server cert is from Let's Encrypt and has worked so far, but:
- - -
[caldav3:local/etc/caldavd] root# openssl s_client -no_ssl2 -no_ssl3 -showcerts -connect caldav.lrau.net:8443
CONNECTED(00000003)
depth=0 CN = caldav.lrau.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = caldav.lrau.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = caldav.lrau.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=caldav.lrau.net
   i:/C=US/O=Let’s Encrypt/CN=Let's Encrypt Authority X3
. . .
Verify return code: 21 (unable to verify the first certificate)
- - -

If I put the Let's Encrypt Authority X3 cert
	https://letsencrypt.org/certificates/
in PEM format into the config dir and point SSLAuthorityChain at it, I get:
- - -
root# openssl s_client -no_ssl2 -no_ssl3 -showcerts -connect caldav3.lrau.net:8443
CONNECTED(00000003)
34379258024:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 297 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
- - -
These certs work with all other servers.
So what am I doing wrong?

Axel

Installed versions:
- - -
gettext-runtime-0.19.8.1       GNU gettext runtime libraries and programs
gmp-5.1.3_3                    Free library for arbitrary precision arithmetic
indexinfo-0.2.4                Utility to regenerate the GNU info page index
libevent2-2.0.22_1             API for executing callback functions on events or timeouts
libffi-3.2.1                   Foreign Function Interface
memcached-1.4.25               High-performance distributed memory object cache system
perl5-5.20.3_15                Practical Extraction and Report Language
pkg-1.8.7_1                    Package manager
postgresql94-client-9.4.9      PostgreSQL database (client)
py27-PyGreSQL-5.0.1,1          Python interface to PostgreSQL, both classic and DP-API 2.0
py27-attrs-16.0.0              Python attributes without boilerplate
py27-calendar-0.15423          Library for iCalendar/vCard data
py27-calendarserver-8.0_8      Calendar and Contacts Server from Apple (RFC 4791, RFC 6352)
py27-cffi-1.7.0                Foreign Function Interface for Python calling C code
py27-characteristic-14.3.0     Python attributes without boilerplate
py27-cryptography-1.4          Cryptographic recipes and primitives for Python developers
py27-dateutil-2.5.0            Extensions to the standard Python datetime module
py27-enum34-1.1.6              Python 3.4 Enum backported to 3.3, 3.2, 3.1, 2.7
py27-idna-2.0                  Internationalized Domain Names in Applications (IDNA)
py27-ipaddress-1.0.16          Python 3.3's ipaddress for Python 2.6 and 2.7
py27-openssl-16.0.0            Python interface to the OpenSSL library
py27-pg8000-1.10.6             Pure-Python Interface to the PostgreSQL Database
py27-psutil-4.3.0              Process utilities module for Python
py27-pyasn1-0.1.9              ASN.1 toolkit for Python
py27-pyasn1-modules-0.0.8_1    Collection of ASN.1 data structures for py-asn1
py27-pycparser-2.10            C parser in Python
py27-pycrypto-2.6.1_1          Python Cryptography Toolkit
py27-pytz-2016.6.1,1           World Timezone Definitions for Python
py27-service_identity-16.0.0   Service identity verification for pyOpenSSL
py27-setproctitle-1.1.10       Python module to customize the process title
py27-setuptools27-23.1.0       Python packages installer
py27-six-1.10.0                Python 2 and 3 compatibility utilities
py27-sqlite3-2.7.12_7          Standard Python binding to the SQLite3 library (Python 2.7)
py27-sqlparse-0.1.16           Non-validating SQL parser for Python
py27-twext-0.15423             Extensions to Twisted
py27-twisted-15.5.0            Asynchronous networking framework written in Python
py27-xattr-0.7.8               Python wrapper for extended filesystem attributes
py27-zope.interface-4.1.3      Interfaces for Python
python2-2_3                    The "meta-port" for version 2 of the Python interpreter
python27-2.7.12                Interpreted object-oriented programming language
sqlite3-3.14.1                 SQL database engine in a C library

OpenSSL 1.0.1p-freebsd 9 Jul 2015
FreeBSD caldav3 10.1-RELEASE-p35 FreeBSD 10.1-RELEASE-p35 #0: Sat May 28 03:37:01 UTC 2016     root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius
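The two s_client transcripts above show the two failure shapes an operator sees when a chain file is wrong: the server sends only the leaf (verify errors 20/21, a one-entry "Certificate chain"), or the handshake is aborted before any certificate arrives (an alert, "no peer certificate available"). The script below is an added example, not part of this post or of CalendarServer: it parses captured `openssl s_client` output and reports which of those cases it is, and also checks that a multi-entry chain is linked leaf to issuer. The first two sample inputs are the transcripts from the post (trimmed); the third, showing a healthy chain with a placeholder root, is constructed. The rule thresholds and message wording are my own assumptions.

```python
import re

# Constructed sample 1: the first transcript from the post (only the leaf is sent).
INCOMPLETE_CHAIN = """\
depth=0 CN = caldav.lrau.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = caldav.lrau.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=caldav.lrau.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample 2: the second transcript from the post (handshake aborted).
HANDSHAKE_FAILURE = """\
34379258024:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:757:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
"""

# Constructed sample 3: what a correctly linked chain looks like (root name is a placeholder).
COMPLETE_CHAIN = """\
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = caldav.lrau.net
verify return:1
---
Certificate chain
 0 s:/CN=caldav.lrau.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Example Root CA (constructed)
---
Verify return code: 0 (ok)
"""

DEPTH_RE = re.compile(r"^depth=(\d+) ")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
SUBJECT_RE = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_RE = re.compile(r"^\s+i:(.*)$")
RETURN_RE = re.compile(r"^Verify return code: (\d+)")
ALERT_RE = re.compile(r"alert ([a-z ]+):")


def parse_s_client(output):
    """Extract verify errors, the presented chain, any TLS alert and the final return code."""
    report = {"errors": [], "chain": [], "alert": None, "return_code": None, "peer_cert": True}
    depth = None
    for line in output.splitlines():
        m = DEPTH_RE.match(line)
        if m:
            depth = int(m.group(1))          # depth of the cert the next verify line refers to
            continue
        m = VERIFY_ERR_RE.match(line)
        if m:
            report["errors"].append((depth, int(m.group(1)), m.group(2)))
            continue
        m = SUBJECT_RE.match(line)
        if m:
            report["chain"].append({"subject": m.group(2), "issuer": None})
            continue
        m = ISSUER_RE.match(line)
        if m and report["chain"]:
            report["chain"][-1]["issuer"] = m.group(1)
            continue
        m = RETURN_RE.match(line)
        if m:
            report["return_code"] = int(m.group(1))
            continue
        m = ALERT_RE.search(line)
        if m:
            report["alert"] = m.group(1)
        if line.startswith("no peer certificate available"):
            report["peer_cert"] = False
    return report


def diagnose(report):
    """Turn a parsed report into the findings an operator can act on."""
    findings = []
    if report["alert"] and not report["peer_cert"]:
        findings.append("handshake aborted by server (alert: %s) before any certificate was sent; "
                        "the configured certificate, key or chain file is unusable" % report["alert"])
        return findings
    chain = report["chain"]
    codes = {num for _, num, _ in report["errors"]}
    if len(chain) == 1 and codes & {20, 21}:
        findings.append("server presented only the leaf certificate; its issuer %r must be sent "
                        "by the server as part of the chain" % chain[0]["issuer"])
    for lower, upper in zip(chain, chain[1:]):   # each cert's issuer must be the next subject
        if lower["issuer"] != upper["subject"]:
            findings.append("chain broken between %r and %r" % (lower["subject"], upper["subject"]))
    if report["return_code"] == 0:
        findings.append("chain verified")
    return findings


if __name__ == "__main__":
    for name, sample in (("incomplete", INCOMPLETE_CHAIN), ("aborted", HANDSHAKE_FAILURE),
                         ("complete", COMPLETE_CHAIN)):
        print(name, diagnose(parse_s_client(sample)))
```

For a live check, capture `openssl s_client -showcerts -connect host:8443 </dev/null 2>&1` into a string and pass it to `parse_s_client`; the chain-linkage loop only fires once the server actually sends more than one certificate, which is the state the SSLAuthorityChain setting is meant to produce.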
