• Bug#1065424: [Pkg-openssl-devel] Bug#1065424: Can't connect to Active D

    From Kurt Roeckx@21:1/5 to All on Mon Mar 4 13:10:02 2024

    Hi,

    It's unclear to me what you're reporting as error. The connection seems to be working. The verification of the certificate seems to fail. It seems you have your own CA, but the CA is not trusted because it's not in the certificate store.

    Kurt

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sebastian Andrzej Siewior@21:1/5 to Maciej Bogucki on Mon Mar 4 18:50:02 2024
    On 2024-03-04 11:16:14 [+0100], Maciej Bogucki wrote:
    > When I invoke `/usr/bin/openssl s_client -connect 192.168.92.95:636`

    So you get no reply? That is odd. There has to be a reply. A "Connected"
    line is something I would have expected. If there is nothing then I
    would assume that the port is silently blocked.


    > from latest rocky linux it is ok

    > [bogucki@nsd-ansible ~]$ /usr/bin/openssl s_client -connect 192.168.92.95:636
    > CONNECTED(00000003)

    see, that line is missing.


    > No client certificate CA names sent
    > Client Certificate Types: RSA sign, DSA sign, ECDSA sign
    > Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1
    > Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1
    > Peer signing digest: SHA1
    > Peer signature type: RSA

    The remote side looks limited. So from all the possibilities it decided
    to sign with RSA+SHA1. This is something openssl in bookworm rejects if
    I am not mistaken. But there has to be an error message about this.

    I *think* if you lower the security level then it should work.

    Out of curiosity, what is the remote side running?

    Sebastian

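The thread above separates three distinct outcomes of an `s_client` probe: no `CONNECTED` line at all (Sebastian's "silently blocked" case), a handshake that completes but fails chain verification because the private CA is not in the trust store (Kurt's reading), and a peer that signs the handshake with RSA+SHA1, which OpenSSL in bookworm rejects at its default security level. The script below is an added example, not code from the bug report or from the openssl package. It wraps the `s_client` invocation with an explicit `@SECLEVEL` and optional `-CAfile`, and classifies captured output. The sample outputs are constructed, modelled on the lines quoted in the thread; the verify return codes 19, 20 and 21 used as "untrusted CA" indicators are OpenSSL's standard X.509 verification codes; and the statement that a SHA-1 handshake signature needs `SECLEVEL=0` on OpenSSL 3.x is taken from the OpenSSL 3.0 release notes, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the bug report. Separates the three failure
# modes discussed in the thread: no reply at all, a handshake that completes
# but fails chain verification against the local trust store, and a peer that
# signs the TLS handshake with RSA+SHA1. Sample outputs below are constructed.
set -e

# Probe HOST:PORT with an explicit OpenSSL security level and an optional CA
# file. Debian bookworm defaults to SECLEVEL=2; with OpenSSL 3.x a SHA-1
# handshake signature is only accepted at SECLEVEL=0 (per OpenSSL 3.0 release
# notes), so the usual check is to run this at 2 and again at 0 and compare.
probe_ldaps() {
    host=$1 port=$2 seclevel=${3:-2} cafile=$4
    set -- -connect "$host:$port" -cipher "DEFAULT:@SECLEVEL=$seclevel"
    [ -n "$cafile" ] && set -- "$@" -CAfile "$cafile"
    openssl s_client "$@" </dev/null 2>&1
}

# Classify s_client output read from stdin. Prints one of:
#   no-reply                   no CONNECTED line: TCP never completed
#   weak-sigalg                peer signed the handshake with SHA-1
#   untrusted-ca               chain failed local verification (codes 19/20/21)
#   ok                         none of the above
# Findings that apply together are printed space-separated.
diagnose() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q '^CONNECTED('; then
        echo no-reply
        return 0
    fi
    findings=""
    if printf '%s\n' "$out" | grep -q '^Peer signing digest: SHA1$'; then
        findings="${findings:+$findings }weak-sigalg"
    fi
    if printf '%s\n' "$out" | grep -Eq 'verify error:num=(19|20|21):|Verify return code: (19|20|21) '; then
        findings="${findings:+$findings }untrusted-ca"
    fi
    echo "${findings:-ok}"
}

# Constructed sample 1: modelled on the Rocky Linux output quoted in the thread,
# with a verify line added for a CA that is not in the trust store.
SAMPLE_ROCKY='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Peer signing digest: SHA1
Peer signature type: RSA
---
Verify return code: 20 (unable to get local issuer certificate)'

# Constructed sample 2: the connection never completed, so no CONNECTED line.
SAMPLE_BLOCKED='connect: Connection refused
connect:errno=111'

# Constructed sample 3: modern peer, chain verifies against the supplied CA.
SAMPLE_CLEAN='CONNECTED(00000003)
---
Peer signing digest: SHA256
Peer signature type: RSA-PSS
---
Verify return code: 0 (ok)'

printf 'rocky sample:   %s\n' "$(printf '%s\n' "$SAMPLE_ROCKY" | diagnose)"
printf 'blocked sample: %s\n' "$(printf '%s\n' "$SAMPLE_BLOCKED" | diagnose)"
printf 'clean sample:   %s\n' "$(printf '%s\n' "$SAMPLE_CLEAN" | diagnose)"
```

Against a live domain controller the two-step check is `probe_ldaps 192.168.92.95 636 2 | diagnose` followed by `probe_ldaps 192.168.92.95 636 0 /path/to/your-ca.pem | diagnose`: if the first reports `no-reply` and the second does not, the handshake itself is what the default security level was refusing; if both report `untrusted-ca`, the remaining problem is the trust store, which `-CAfile` or installing the CA under `/usr/local/share/ca-certificates` and running `update-ca-certificates` fixes. Lowering the security level is a diagnostic, not a fix: `SECLEVEL=0` also accepts weak keys and legacy protocol versions, so the remote side should be moved off SHA-1 handshake signatures rather than the client being left there.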