#5, posted by fvgit, 26th September 2016

Quote:
Originally Posted by shep
I retrieve 3 certificates. The first, which I read to be the missing server certificate, is signed by Symantec. A quick "grep" of OpenBSD cert.pem does not match Symantec. The second 2 certificates are from Verisign 2006.

I just checked, and unless I'm reading things wrongly, the 1st certificate, the one for Centurylink, has Symantec as its Certificate Authority:
Code:
Certificate chain
 0 s:/C=US/ST=Louisiana/L=Monroe/O=CenturyLink/OU=Interactive Services Group/CN=mail.centurylink.net
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
-----BEGIN CERTIFICATE-----
MIIGcjCCBVqgAwIBAgIQTsPFd6DHuVkx1SigBAVP3zANBgkqhkiG9w0BAQsFADB+
(...)
, the 2nd certificate for Symantec has Verisign as its Certificate Authority
Code:
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIBAgIQUT+5dDhwtzRAQY0wkwaZ/zANBgkqhkiG9w0BAQsFADCB
(...)
and the 3rd one is from Verisign themselves:
Code:
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBf
(...)
Quote:
Originally Posted by shep
I copied the 1st certificate content into /etc/ssl/centurylink.pem, changed the centurylink.pem group wheel => bin and ran # openssl certhash /etc/ssl.

Alpine still complains.

You'd have to add all three certificates, not just the centurylink one, if I'm not mistaken. But somehow the certificate chain seems to be broken. I just added all three certificates to my machine and it didn't work.

BTW, before introducing alpine into the mix you can check the certificates directly:

Code:
openssl s_client -connect mail.centurylink.net:995 -CApath /etc/ssl/
Assuming /etc/ssl/ is where you placed all your certificates. I can connect to their pop3 server but get a
Code:
Verify return code: 20 (unable to get local issuer certificate)
Normally you'd see a
Code:
Verify return code: 0 (ok)
before the POP3 prompt.

I'm stumped, right now. The whole ssl certificate thing is relatively new to me. But, if it works on Debian for you, it has to be solvable. You might check your Debian-generated cert.pem for the Verisign certificates and compare those to the OpenBSD one. Other than that I don't know...

Last edited by fvgit; 26th September 2016 at 09:41 PM. Reason: Better wording & a typo
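Added example (not part of fvgit's post): a small Python parser for the "Certificate chain" summary that `openssl s_client` prints, run over the three s:/i: pairs quoted above. It checks that each issuer matches the next subject and reports the issuer name the server did not send, which is the name a verifier has to resolve from its local store (`-CApath`). The function names `parse_chain` and `analyse` are chosen for this example.

```python
import re

# Chain summary copied from the s_client output quoted in the post.
SAMPLE = """\
Certificate chain
 0 s:/C=US/ST=Louisiana/L=Monroe/O=CenturyLink/OU=Interactive Services Group/CN=mail.centurylink.net
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
"""

ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:<subject>"
ISSUER = re.compile(r"^\s+i:(.*)$")        # "   i:<issuer>"

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client's chain summary."""
    chain, pending = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = ISSUER.match(line)
        if m and pending:
            chain.append((pending[0], pending[1], m.group(1).strip()))
            pending = None
    return chain

def analyse(chain):
    """Check every issuer->subject link and name the issuer that was not sent."""
    broken = [d for (d, _, iss), (_, subj, _) in zip(chain, chain[1:]) if iss != subj]
    _, top_subject, top_issuer = chain[-1]
    return {
        "links_ok": not broken,              # each cert is issued by the next one
        "broken_at": broken,                 # depths whose issuer is not the next subject
        "self_signed_top": top_subject == top_issuer,
        "needed_locally": top_issuer,        # issuer name absent from the sent chain
    }

if __name__ == "__main__":
    for key, value in analyse(parse_chain(SAMPLE)).items():
        print(f"{key}: {value}")
```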