2009-11-27
After finding shortcomings in the verification by openssl s_client I tried the gnutls command-line client gnutls-cli. The upside of gnutls-cli is that it does use IPv6 when available. But.. gnutls-cli decides not to trust a server when using the same certificate set as used in testing openssl s_client.

    ~$ gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p imaps imaps.cs.uu.nl
    ..
    *** Verifying server certificate failed...

versus:

    ~$ openssl s_client -verify 10 -CAfile /etc/ssl/certs/ca-certificates.crt -connect imaps.cs.uu.nl:imaps
    ..
    Verify return code: 0 (ok)

Weird. I would not be completely surprised if my own root CA had issues in very strict utilities, but the chain used for the work servers is very well tested.

Update 2012-04-01: Found out later that gnutls-cli had a point: the order of the certificate chain given by the server was incorrect. Which is something all other applications allow.
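One way to spot the chain-order problem from the update, as an added example that is not part of the original post: the function below reads the "Certificate chain" listing printed by openssl s_client -showcerts and checks that each certificate's issuer matches the subject of the next one. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Feed it real output with e.g.:
#   openssl s_client -showcerts -connect HOST:imaps </dev/null 2>/dev/null | check_chain_order
# HOST is a placeholder. Exit status: 0 = ordered, 1 = misordered, 2 = no chain.
check_chain_order() {
    awk '
        /^ *[0-9]+ s:/ {                  # " 0 s:<subject>" starts an entry
            n++
            sub(/^ *[0-9]+ s:/, "")
            subject[n] = $0
            next
        }
        /^ +i:/ && n > 0 {                # "   i:<issuer>" belongs to that entry
            sub(/^ +i:/, "")
            issuer[n] = $0
            next
        }
        END {
            if (n == 0) { print "no certificate chain found"; exit 2 }
            bad = 0
            for (k = 1; k < n; k++)       # compare each entry with its successor
                if (issuer[k] != subject[k + 1]) {
                    printf "cert %d issuer does not match cert %d subject\n", k - 1, k
                    bad = 1
                }
            exit bad
        }'
}

# Constructed sample listings, not captured from a real server.
sample_ordered() {
    cat <<'EOF'
Certificate chain
 0 s:/C=NL/O=Example Org/CN=imaps.example.org
   i:/C=NL/O=Example CA/CN=Example Intermediate CA
 1 s:/C=NL/O=Example CA/CN=Example Intermediate CA
   i:/C=NL/O=Example CA/CN=Example Root CA
EOF
}
sample_misordered() {                     # entries 1 and 2 are swapped
    cat <<'EOF'
Certificate chain
 0 s:/C=NL/O=Example Org/CN=imaps.example.org
   i:/C=NL/O=Example CA/CN=Example Intermediate CA
 1 s:/C=NL/O=Example CA/CN=Example Upper CA
   i:/C=NL/O=Example CA/CN=Example Root CA
 2 s:/C=NL/O=Example CA/CN=Example Intermediate CA
   i:/C=NL/O=Example CA/CN=Example Upper CA
EOF
}
sample_misordered | check_chain_order || echo "chain is misordered"
```

The check compares the name strings only; it does not verify signatures or trust, so it complements the verify result rather than replacing it.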