We Keep Coding

SSL_connect fails with SSL_ERROR_SSL - How can I investigate what is going wrong?

Simple socket program which is trying to connect to a valid https server (can browse with FireFox/Chrome etc etc).
Code is:
// Register the error strings for libcrypto & libssl
SSL_load_error_strings();
// Register the available ciphers and digests
SSL_library_init();
// load all algos
OpenSSL_add_all_algorithms();
// create context (new context for each connection)
ssl_ctx_ = SSL_CTX_new(SSLv23_client_method());
if(!ssl_ctx_) {
throw std::runtime_error("Can't initialize ssl context");
}
// create handle
ssl_h_ = SSL_new(ssl_ctx_);
if(!ssl_h_) {
SSL_CTX_free(ssl_ctx_);
throw std::runtime_error("Can't initialize new ssl handle");
}
// sd_ is a valid socket connected to a host on port 443,
// i.e. www.repubblica.it:443
// bind socket
if (!SSL_set_fd(ssl_h_, sd_)) {
SSL_free(ssl_h_);
SSL_CTX_free(ssl_ctx_);
throw std::runtime_error("Can't set sd to ssl handle");
}
// set blocking
// this api makes the socket blocking
fd_block(sd_);
// perform handshake
const int r = SSL_connect(ssl_h_);
// r is now -1
if(1 != r) {
// find out the error
const int err = SSL_get_error(ssl_h_, r);
SSL_free(ssl_h_);
SSL_CTX_free(ssl_ctx_);
throw std::runtime_error(std::string("Can't perform ssl handshake, err code: ") + ssl_err_human(err));
}
And I get the following error: Exception: Can't perform ssl handshake, err code: SSL_ERROR_SSL which is not really insightful.
What can I do next to understand what I'm doing wrong and then fix it?
Thanks!
Ps. running on Ubuntu 22.04 with default libssl-dev package

libwebsocket server with openSSL not accepting connection

I have written web socket server with the help of (libwebsocket library )which accepts web socket client connection for non SSL.
Now I wanted it to accept SSL connection so I have generated the self signed certificate and key, while creating web socket context I have given the key and certificate path and option LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT as well.
But while making https connection using wss://ip:7681 from I am getting connection request callback i.e LWS_CALLBACK_SERVER_NEW_CLIENT_INSTANTIATED and after that LWS_CALLBACK_WSI_DESTROY and in browser getting console error about not able to connect.
Firefox can’t establish a connection to the server at wss://192.168.4.254:7681/.
Please check the following server side code used for creating openSSL based web socket server.
struct lws_protocols WebSocketCommon::protocols[ 2 ] = { {"wss", WebSocketCommon::callback, 0, 0 },{ NULL, NULL, 0, 0 } };
int callback ( struct lws *wsi, enum lws_callback_reasons reason, void *user, void *in, size_t len ) {
switch ( reason ) {
case LWS_CALLBACK_SERVER_NEW_CLIENT_INSTANTIATED:
{
//code
break;
}
case LWS_CALLBACK_WSI_DESTROY:
{
//code
break;
}
case LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS: {
Log::d( m_r_logger, TAG, "LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS\n");
SSL_CTX_load_verify_locations( (SSL_CTX*) user, NULL, getenv(SSL_CERT_FILE_PATH) );
break;
}
default: {
break;
}
}
return lws_callback_http_dummy(wsi, reason, user, in, len);
}
void createContext (bool useSSL) {
struct lws_context_creation_info info;
memset( &info, 0, sizeof(struct lws_context_creation_info) );
info.port = 7681;
info.uid = -1;
info.gid = -1;
info.protocols = protocols;
info.mounts = &mount;
info.extensions = exts;
info.timeout_secs = 5;
info.ip_limit_ah = 24; /* for testing */
info.ip_limit_wsi = 400; /* for testing */
// Following options for openSSL certificate
if(useSSL){
info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT | LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT | LWS_SERVER_OPTION_DISABLE_IPV6 | LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED | LWS_SERVER_OPTION_IGNORE_MISSING_CERT;
info.ssl_cert_filepath = SSL_CERT_FILE_PATH;
info.ssl_private_key_filepath = SSL_PRIVATE_KEY_PATH;
}
fContext = lws_create_context( &info );
}
I am getting following logs while creating web socket context and accepting wss connection.
WebSocket.cpp:638...... :createContext ( ) - begin
WebSocket.cpp:640...... : createContext - fReferenceCount = 0
WebSocket.cpp:324...... : Creating Vhost 'default' port 7681, 1 protocols, IPv6 off
WebSocket.cpp:324...... : Using SSL mode
WebSocket.cpp:324...... : SSL ECDH curve 'prime256v1'
WebSocket.cpp:612...... : LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS
WebSocket.cpp:324...... : lws_tls_client_create_vhost_context: doing cert filepath /etc/nginx /ssl/mycert.crt
WebSocket.cpp:324...... : Loaded client cert /etc/nginx/ssl/mycert.crt
WebSocket.cpp:324...... : lws_tls_client_create_vhost_context: doing private key filepath
WebSocket.cpp:324...... : Loaded client cert private key /etc/nginx/ssl/mykey.key
WebSocket.cpp:324...... : created client ssl context for default
WebSocket.cpp:684...... : lws_create_context SUCCEEDED
WebSocket.cpp:759...... : start Starting Service Thread.
WebSocket.cpp:705...... : createContext - fReferenceCount = 1
WebSocket.cpp:706...... : createContext - end
Following is library versions I am using.
libwebsocket.so 13
OpenSSL 1.0.2o 27 Mar 2018
Please let me know what is going wrong ?

The problem is possibly not related to libwebsockets, but rather to do with Firefox being fussy about allowing connections to WSS that have a self signed certificate. Try to connect to your server from some other program, e.g., a simple python program.
related:
What is the problem with Websocket and Self-Signed SSL certificate
Firefox disconnects websockets connection for a self signed certificate

Programmatically verifying x509v3 extendedKeyUsage

Background
I need to programmatically verify extendedKeyUsage in an x509 certificate. My goal here is to make sure only TLS Web Server Authentication, TLS Web Client Authentication is present in extendedKeyUsage. I am using OpenSSL 1.0.2p lib on MacOS.
The following is my code for retrieving extendedKeyUsage fields:
#include <openssl/x509v3.h>
#include <openssl/bn.h>
#include <openssl/asn1.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>
#include <openssl/pem.h>
#include <openssl/bio.h>
int verifyDeviceCertExtendedKeyUsage(){
OpenSSL_add_all_algorithms();
auto readBytes = MyApp::FileUtil::readAllBytes("path/to/pem");
BIO *bio_mem = BIO_new(BIO_s_mem());
BIO_puts(bio_mem, readBytes.data());
X509 *x509 = PEM_read_bio_X509(bio_mem, NULL, NULL, NULL);
ASN1_BIT_STRING *usage = static_cast<ASN1_BIT_STRING*>(X509_get_ext_d2i(x509, NID_ext_key_usage, NULL, NULL));
if (usage && (usage->length > 0)){
_CERTUTIL_LOG->debug("in verifyDeviceCertExtendedKeyUsage, usage->data[0]: {0:x}", (int)usage->data[0]);
}
}
Also, an excerpt from output of openssl x509 -text -noout -in path/to/pem:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Issue
Each time I ran my code the value of usage->data[0] is different which is a sign that my code is causing undefined behavior.
Note: I used a similar code to retrieve keyUsage fields succesfully by replacing NID_ext_key_usage to NID_key_usage in X509_get_ext_d2i().
If my code returned correct value I would verify it by comparing to the following which is in openssl/x509v3.h:
# define XKU_SSL_SERVER 0x1
# define XKU_SSL_CLIENT 0x2
Question
Is there something wrong with my code?
How can I reliably get extendedKeyUsage fields and verify them?
Update
I have found a way, but it makes me uneasy to compare strings:
BIO *bio_mem = BIO_new(BIO_s_mem());
BIO_puts(bio_mem, readBytes.data());
X509 *x509 = PEM_read_bio_X509(bio_mem, NULL, NULL, NULL);
auto extIndex = X509_get_ext_by_NID(x509, NID_ext_key_usage, -1);
if(extIndex < 0){
BIO_free(bio_mem);
X509_free(x509);
return ERR;
}
X509_EXTENSION *ext = X509_get_ext(x509, extIndex);
EXTENDED_KEY_USAGE *eku = static_cast<EXTENDED_KEY_USAGE*>(X509V3_EXT_d2i(ext));
for(int i = 0 ; i < sk_ASN1_OBJECT_num(eku) ; i++){
char buffer[100] = {0}; // <--- init all elements with 0, compiler specific behavior?
OBJ_obj2txt(buffer, sizeof(buffer), sk_ASN1_OBJECT_value(eku, i), 1);
if(strcmp(buffer, "1.3.6.1.5.5.7.3.1") == 0 && strcmp(buffer, "1.3.6.1.5.5.7.3.1") == 0){
BIO_free(bio_mem);
X509_free(x509);
return SUCCESS;
}
}

In openssl 1.1 it's easy once you have a X509 pointer. You just need to use the following methods: X509_get_extension_flags and X509_get_extended_key_usage
if ((X509_get_extension_flags(x509) & EXFLAG_XKUSAGE) == EXFLAG_XKUSAGE)
{
auto const certificate_key_usage = X509_get_extended_key_usage(x509);
if ((certificate_key_usage & (XKU_SSL_SERVER | XKU_SSL_CLIENT)) == (XKU_SSL_SERVER | XKU_SSL_CLIENT))
{
// has both TLS Web Server Authentication and TLS Web Client Authentication
}
else
{
// doesn't have both TLS Web Server Authentication and TLS Web Client Authentication
}
}
For older versions of openssl you should be able to define the following to get the above code working:
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define X509_get_extension_flags(x) (x->ex_flags)
#define X509_get_extended_key_usage(x) (x->ex_xkusage)
#endif

Obtaining ssl certificate on windows using C++

I am trying to obtain a remote server's ssl certificate on windows. One option I have found is to use openssl. The command to do that as indicated by some posts on the internet is:
openssl.exe s_client -showcerts -connect {REMOTE_SERVER_IP}:{REMOTE_SERVER_PORT}
This works perfectly, but my problem is that the above command has a timeout of 300 seconds. The certificate itself gets printed pretty fast and I see no reason to wait 300 seconds when I get all I want in the first few seconds. Still I think there is no way to change the timeout parameter on s_client. So I tried to figure a way to kill a process on windows after a given period of time but again had no luck there. Any ideas on how can this be done? If there is some other windows way to a obtain a remote servers ssl certificate and store it in a file this will also do the job.
EDIT: as per Bruno's request adding more information.
I am trying to create a c++ application that gets the SSL certificate of a remote server and stores it in a file for further processing. As my application already makes use of openssl.exe I either need a solution that uses openssl.exe or a standard windows command(i.e. does not require any additional libraries).
EDIT2: I have found a way to avoid the waiting in linux - just create an empty file and redirect the input of openssl s_client to it(or use pipe to pass empty input). This works on windows as well but with older versions of openssl(0.9.8l). I tried it with 0.9.8r and with 1.0.1b and redirecting the input to an empty file does not help there.

Here is a minimalistic program I created that connects to a server and prints its ssl certificate to the standard output. Hope it will help someone else to resolve similar issue:
#ifdef WIN32
#include <windows.h>
#include <winsock2.h>
#else
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#endif
#include <openssl/ssl.h>
#include <cstdlib>
#include <iostream>
static const char *host= "10.23.10.12";
static int port=443;
int tcp_connect(const char *host,int port)
{
#ifdef WIN32
WSADATA wsaData;
WORD version;
int error;
version = MAKEWORD( 2, 0 );
error = WSAStartup( version, &wsaData );
/* check for error */
if ( error != 0 )
{
/* error occured */
return -1;
}
/* check for correct version */
if ( LOBYTE( wsaData.wVersion ) != 2 ||
HIBYTE( wsaData.wVersion ) != 0 )
{
/* incorrect WinSock version */
WSACleanup();
return -1;
}
/* WinSock has been initialized */
#endif
struct hostent *hp;
struct sockaddr_in addr;
int sock;
if(!(hp=gethostbyname(host)))
printf("Couldn't resolve host");
memset(&addr,0,sizeof(addr));
addr.sin_addr=*(struct in_addr*)
hp->h_addr_list[0];
addr.sin_family=AF_INET;
addr.sin_port=htons(port);
if((sock=(int)socket(AF_INET,SOCK_STREAM,
IPPROTO_TCP))<0)
printf("Couldn't create socket");
if(connect(sock,(struct sockaddr *)&addr,
sizeof(addr))<0)
printf("Couldn't connect socket");
return sock;
}
int main(int argc,char **argv)
{
SSL_CTX *ctx;
SSL *ssl;
BIO *sbio;
int sock;
SSL_METHOD *meth=NULL;
meth=SSLv23_client_method();
OpenSSL_add_ssl_algorithms();
SSL_load_error_strings();
ctx=SSL_CTX_new(meth);
/* Connect the TCP socket*/
sock=tcp_connect(host,port);
/* Connect the SSL socket */
ssl=SSL_new(ctx);
sbio=BIO_new_socket(sock,BIO_NOCLOSE);
SSL_set_bio(ssl,sbio,sbio);
if(SSL_connect(ssl)<=0)
printf("SSL connect error");
X509 *peer;
peer=SSL_get_peer_certificate(ssl);
PEM_write_X509(stdout, peer);
SSL_CTX_free(ctx);
close(sock);
#ifdef WIN32
closesocket(sock);
WSACleanup();
#else
close(sock);
#endif
exit(0);
}
The code is modified version of the examples found here as suggested by this post.
EDIT: I kept getting the error OPENSSL_UPLINK: no OPENSSL_APPLINK on windows. After a lot of searching around the internet I found this post and added this to my code:
extern "C" {
#include <openssl/applink.c>
}
Seems this is some work around to avoid the requirement for compiler and run-time options compatibility.

OpenSSL in C++ email client - server closes connection with TLSv1 Alert message

My app connects to a IMAP email server. One client configured his server to reject SSLv2 certificates, and now my app fails to connect to the server. All other email clients connect to this server successfully. My app uses openssl.
I debugged by creating minimal openssl client and attempt to connect to the server. Below is the code with connects to the mail server (using Windows sockets, but same problem is with unix sockets).
Server sends its initial IMAP greeting message, but after client sends 1st command, server closes connection. In Wireshark, I see that after sending command to server, it returns TLSv1 error message 21 (Encrypted Alert) and connection is gone.
I'm looking for proper setup of OpenSSL for this connection to succeed.
Thanks
#include <stdio.h>
#include <memory.h>
#include <errno.h>
#include <sys/types.h>
#include <winsock2.h>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#define CHK_NULL(x) if((x)==NULL) exit(1)
#define CHK_ERR(err,s) if((err)==-1) { perror(s); exit(1); }
#define CHK_SSL(err) if((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }
SSL *ssl;
char buf[4096];
void write(const char *s){
int err = SSL_write(ssl, s, strlen(s));
printf("> %s\n", s);
CHK_SSL(err);
}
void read(){
int n = SSL_read(ssl, buf, sizeof(buf) - 1);
CHK_SSL(n);
if(n==0){
int e = SSL_get_error(ssl, 0);
printf("Read error %i\n", e);
exit(1);
}
buf[n] = 0;
printf("%s\n", buf);
}
void main(){
int err=0;
SSLeay_add_ssl_algorithms();
SSL_METHOD *meth = SSLv23_client_method();
SSL_load_error_strings();
SSL_CTX *ctx = SSL_CTX_new(meth);
CHK_NULL(ctx);
WSADATA data;
WSAStartup(0x202, &data);
int sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
CHK_ERR(sd, "socket");
struct sockaddr_in sa;
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr("195.137.27.14");
sa.sin_port = htons(993);
err = connect(sd,(struct sockaddr*) &sa, sizeof(sa));
CHK_ERR(err, "connect");
/* ----------------------------------------------- */
/* Now we have TCP connection. Start SSL negotiation. */
ssl = SSL_new(ctx); CHK_NULL(ssl);
SSL_set_fd(ssl, sd);
err = SSL_connect(ssl); CHK_SSL(err);
// Following two steps are optional and not required for data exchange to be successful.
/*
printf("SSL connection using %s\n", SSL_get_cipher(ssl));
X509 *server_cert = SSL_get_peer_certificate(ssl); CHK_NULL(server_cert);
printf("Server certificate:\n");
char *str = X509_NAME_oneline(X509_get_subject_name(server_cert),0,0);
CHK_NULL(str);
printf(" subject: %s\n", str);
OPENSSL_free(str);
str = X509_NAME_oneline(X509_get_issuer_name (server_cert),0,0);
CHK_NULL(str);
printf(" issuer: %s\n", str);
OPENSSL_free(str);
// We could do all sorts of certificate verification stuff here before deallocating the certificate.
X509_free(server_cert);
*/
printf("\n\n");
read(); // get initial IMAP greeting
write("1 CAPABILITY\r\n"); // send 1st command
read(); // get reply to cmd; server closes connection here
write("2 LOGIN a b\r\n");
read();
SSL_shutdown(ssl);
closesocket(sd);
SSL_free(ssl);
SSL_CTX_free(ctx);
}

It seems that the host you are trying to connect to has a buggy TLS implementation. Using the openssl command-line tool, I have discovered the following.
First of all, the file imap contains a silly IMAP session:
A1 CAPABILITY
A2 LOGIN foo bar
Then, the command:
openssl s_client -ign_eof -crlf -pause -connect 195.137.27.14:993 < imap
Fails as follows:
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/serialNumber=iGXzgDJpD6t8m5jQNY0xwwcCiwwlXzET/C=GB/O=mail1.firedupgroup.co.uk/OU=GT57369617/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=mail1.firedupgroup.co.uk
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE6TCCA9GgAwIBAgIDA+NwMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTExMTA2MTQ1MDQwWhcNMTQxMTA4MTUwNTIwWjCB9zEpMCcGA1UEBRMgaUdY
emdESnBENnQ4bTVqUU5ZMHh3d2NDaXd3bFh6RVQxCzAJBgNVBAYTAkdCMSEwHwYD
VQQKExhtYWlsMS5maXJlZHVwZ3JvdXAuY28udWsxEzARBgNVBAsTCkdUNTczNjk2
MTcxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg
KGMpMTExLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk
U1NMKFIpMSEwHwYDVQQDExhtYWlsMS5maXJlZHVwZ3JvdXAuY28udWswggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC80HlFa86b8C4N9NEpu904iluVyYEH
rwZaIYNR6cvfHl/QXut+h4080UoIxxFmSsuVI9YBJBf/J6ZnJoFTZsJITuoI89G/
4/nmcuGPOeJIrlMnWHZE56N5bVNDFDsNeroE2ieQKiJN2IT9lUA7uZHtJuokXlfz
Xg6DEWBXokAjPc3VeS2eBDfajY2SLZNdRxGYzyQkaW43pMaz4FR9WKljsRvvvKUI
G0Hnsy1vpjCDw3io4C+IY8tClZFVnLthQQEbceD93LS/AUsaZEZWf4pppFviYHze
HuiZ6IlYvLzLaYtCurNaJhs2Yf6kNPDbfCFSWbCrfdf86feQxt/JyR4HAgMBAAGj
ggE2MIIBMjAfBgNVHSMEGDAWgBRraT1qGEJK3Y8CZTn9NSSGeJEWMDAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCMGA1UdEQQc
MBqCGG1haWwxLmZpcmVkdXBncm91cC5jby51azBDBgNVHR8EPDA6MDigNqA0hjJo
dHRwOi8vcmFwaWRzc2wtY3JsLmdlb3RydXN0LmNvbS9jcmxzL3JhcGlkc3NsLmNy
bDAdBgNVHQ4EFgQUC0oWYx2XW3qtt3Xq6mUljQlYb+UwDAYDVR0TAQH/BAIwADBJ
BggrBgEFBQcBAQQ9MDswOQYIKwYBBQUHMAKGLWh0dHA6Ly9yYXBpZHNzbC1haWEu
Z2VvdHJ1c3QuY29tL3JhcGlkc3NsLmNydDANBgkqhkiG9w0BAQUFAAOCAQEAXX5N
EYNlVqiu8LIn39JODWCUbqZQOHOSquC+VxTyLRaUjrkrnU0oCDqKTs/C6qGBqiqC
7gaZKn2k+KjTMu2rTtgO/BHve6y9kKz7oLgXqfjZp6965O+x4BV5/GyVbwmV5gyU
dRZ5U83Vhwut5MxbiMyxnZHtuz9jGMC08O3Gc84N1Ox18FwOE8HpQIHOO99ISxOi
8TgVe/NJvd4f/nn7GPTyVDQpGOJ2dqHYUNpAMMVXKmCeNq+u0nXXZFXUkkkVxmrC
aINtUJuelF6V4vxtyERwReviAct9vcIrg3011p7NYbZ5fVA8thSYcnacfe1jyp5Z
XSPY6tC26zmbIPmHHg==
-----END CERTIFICATE-----
subject=/serialNumber=iGXzgDJpD6t8m5jQNY0xwwcCiwwlXzET/C=GB/O=mail1.firedupgroup.co.uk/OU=GT57369617/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=mail1.firedupgroup.co.uk
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3300 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 9F1200004D888506211A976BF1CC755C873789D8256936638BF9C9E66DAA9438
Session-ID-ctx:
Master-Key: A67DE8C76371B8034AA60447ECB97ED631E55E4E713F64FAA49D2DBAC07A6339719F4C4DD4E1FD2BC5E41EDCC2CF22FE
Key-Arg : None
Start Time: 1332595025
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
* OK firedupgroup.co.uk IMAP4rev1 MDaemon 9.6.2 ready
closed
But the command:
openssl s_client -bugs -ign_eof -crlf -pause -connect 195.137.27.14:993 < imap
Succeeds:
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/serialNumber=iGXzgDJpD6t8m5jQNY0xwwcCiwwlXzET/C=GB/O=mail1.firedupgroup.co.uk/OU=GT57369617/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=mail1.firedupgroup.co.uk
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE6TCCA9GgAwIBAgIDA+NwMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTExMTA2MTQ1MDQwWhcNMTQxMTA4MTUwNTIwWjCB9zEpMCcGA1UEBRMgaUdY
emdESnBENnQ4bTVqUU5ZMHh3d2NDaXd3bFh6RVQxCzAJBgNVBAYTAkdCMSEwHwYD
VQQKExhtYWlsMS5maXJlZHVwZ3JvdXAuY28udWsxEzARBgNVBAsTCkdUNTczNjk2
MTcxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg
KGMpMTExLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk
U1NMKFIpMSEwHwYDVQQDExhtYWlsMS5maXJlZHVwZ3JvdXAuY28udWswggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC80HlFa86b8C4N9NEpu904iluVyYEH
rwZaIYNR6cvfHl/QXut+h4080UoIxxFmSsuVI9YBJBf/J6ZnJoFTZsJITuoI89G/
4/nmcuGPOeJIrlMnWHZE56N5bVNDFDsNeroE2ieQKiJN2IT9lUA7uZHtJuokXlfz
Xg6DEWBXokAjPc3VeS2eBDfajY2SLZNdRxGYzyQkaW43pMaz4FR9WKljsRvvvKUI
G0Hnsy1vpjCDw3io4C+IY8tClZFVnLthQQEbceD93LS/AUsaZEZWf4pppFviYHze
HuiZ6IlYvLzLaYtCurNaJhs2Yf6kNPDbfCFSWbCrfdf86feQxt/JyR4HAgMBAAGj
ggE2MIIBMjAfBgNVHSMEGDAWgBRraT1qGEJK3Y8CZTn9NSSGeJEWMDAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCMGA1UdEQQc
MBqCGG1haWwxLmZpcmVkdXBncm91cC5jby51azBDBgNVHR8EPDA6MDigNqA0hjJo
dHRwOi8vcmFwaWRzc2wtY3JsLmdlb3RydXN0LmNvbS9jcmxzL3JhcGlkc3NsLmNy
bDAdBgNVHQ4EFgQUC0oWYx2XW3qtt3Xq6mUljQlYb+UwDAYDVR0TAQH/BAIwADBJ
BggrBgEFBQcBAQQ9MDswOQYIKwYBBQUHMAKGLWh0dHA6Ly9yYXBpZHNzbC1haWEu
Z2VvdHJ1c3QuY29tL3JhcGlkc3NsLmNydDANBgkqhkiG9w0BAQUFAAOCAQEAXX5N
EYNlVqiu8LIn39JODWCUbqZQOHOSquC+VxTyLRaUjrkrnU0oCDqKTs/C6qGBqiqC
7gaZKn2k+KjTMu2rTtgO/BHve6y9kKz7oLgXqfjZp6965O+x4BV5/GyVbwmV5gyU
dRZ5U83Vhwut5MxbiMyxnZHtuz9jGMC08O3Gc84N1Ox18FwOE8HpQIHOO99ISxOi
8TgVe/NJvd4f/nn7GPTyVDQpGOJ2dqHYUNpAMMVXKmCeNq+u0nXXZFXUkkkVxmrC
aINtUJuelF6V4vxtyERwReviAct9vcIrg3011p7NYbZ5fVA8thSYcnacfe1jyp5Z
XSPY6tC26zmbIPmHHg==
-----END CERTIFICATE-----
subject=/serialNumber=iGXzgDJpD6t8m5jQNY0xwwcCiwwlXzET/C=GB/O=mail1.firedupgroup.co.uk/OU=GT57369617/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=mail1.firedupgroup.co.uk
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3300 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 261200008CB526A49A014E97D510AA7FDA08DDAC797B8B78B3ABEEF4A64B3228
Session-ID-ctx:
Master-Key: 457E9FFB43C77E028211A0FDB9915FCB374A55445ED15498E2C5AFDBEA52C9A413CC8D79EE29ECA823E038A93363B9D6
Key-Arg : None
Start Time: 1332595088
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
* OK firedupgroup.co.uk IMAP4rev1 MDaemon 9.6.2 ready
* CAPABILITY IMAP4rev1 NAMESPACE AUTH=CRAM-MD5 AUTH=LOGIN AUTH=PLAIN IDLE ACL UNSELECT UIDPLUS
A1 OK CAPABILITY completed
A2 NO LOGIN failed
Which means you need to enable OpenSSL's bug workarounds, as described in the SSL_CTX_set_options(3) manual page.