From: "Konstantin A. Lepikhov" <lakostis@altlinux.org>
To: ALT Devel discussion list <devel@lists.altlinux.org>
Subject: Re: [devel] I: TLS/SSL policy - broken packages
Date: Sat, 10 Feb 2007 15:17:13 +0300
Message-ID: <20070210121713.GA17379@lks.home>
In-Reply-To: <45CD9D35.3020703@altlinux.org>
[-- Attachment #1.1: Type: text/plain, Size: 1314 bytes --]
Hi Mikhail!
Saturday 10, at 01:23:49 PM you wrote:
...
> In both cases: no luck. What am I doing wrong?
>
> For the full text of the message:
>
> $ openssl smime -verify -in message.signed
> Error reading S/MIME message
> 10965:error:2107A083:PKCS7 routines:SMIME_read_PKCS7:invalid mime
> type:pk7_mime.c:364:type: multipart/mixed
>
> That is, it cannot even read the outer MIME wrapper.
>
> If I cut off the multipart and leave only 2 parts, the message and the signature:
>
> $ openssl smime -verify -in message2.signed
> Verification failure
> 10944:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify
> error:pk7_smime.c:233:Verify error:unable to get local issuer certificate
>
> $ openssl smime -verify -CAfile /usr/share/ca-certificates/ca-bundle.crt
> -in message2.signed
> Verification failure
> 10955:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify
> error:pk7_smime.c:233:Verify error:unable to get local issuer certificate
>
> In both cases, verification fails.
And here is the first candidate for adding to ca-certificates :) This is Thawte
Freemail. If you put the attached certificate into /var/lib/ssl/certs and
then run c_rehash there, verification returns something more sensible,
like certificate expired.
--
WBR et al.
[-- Attachment #1.2: thawte-freemail.pem --]
[-- Type: text/plain, Size: 3440 bytes --]
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 13 (0xd)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting, OU=Certification Services Division, CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
Validity
Not Before: Jul 17 00:00:00 2003 GMT
Not After : Jul 16 23:59:59 2013 GMT
Subject: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte Personal Freemail Issuing CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 CRL Distribution Points:
URI:http://crl.thawte.com/ThawtePersonalFreemailCA.crl
X509v3 Key Usage:
Certificate Sign, CRL Sign
X509v3 Subject Alternative Name:
DirName:/CN=PrivateLabel2-138
Signature Algorithm: sha1WithRSAEncryption
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
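The failure and the fix discussed in this message, reproduced as an added example that is not part of the original thread: an S/MIME signature that carries only the signer's certificate fails with "unable to get local issuer certificate" until the issuing CA is present in the hashed certificate directory. Everything here is constructed (a throwaway root CA, issuing CA and user key in a temporary directory instead of /var/lib/ssl/certs), and `install_ca` does by hand what c_rehash automates.

```shell
#!/bin/sh
# Constructed demo PKI (all names are made up): root CA -> issuing CA -> user.
set -e
cd "$(mktemp -d)" && mkdir certs
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF

gen() {        # gen NAME SUBJECT: new key pair and CSR
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}
issue() {      # issue NAME CA [x509 options]: sign NAME.csr with CA's key
  name=$1 ca=$2; shift 2
  openssl x509 -req -in "$name.csr" -CA "$ca.pem" -CAkey "$ca.key" \
    -CAcreateserial -days 30 -out "$name.pem" "$@" 2>/dev/null
}
install_ca() { # what c_rehash automates: store the cert as <subject-hash>.0
  cp "$1" "certs/$(openssl x509 -in "$1" -noout -subject_hash).0"
}
verify() {     # prints openssl's diagnostics, returns its exit status
  openssl smime -verify -in msg.signed -CApath certs -out /dev/null 2>&1
}

gen root "/CN=Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 30 -out root.pem \
  -extfile ca.cnf -extensions v3_ca 2>/dev/null
gen ica "/CN=Example Issuing CA"
issue ica root -extfile ca.cnf -extensions v3_ca
gen user "/CN=Example User/emailAddress=user@example.test"
issue user ica

# The signature carries only the signer's certificate, not the issuing CA.
printf 'constructed test message\n' > msg.txt
openssl smime -sign -in msg.txt -signer user.pem -inkey user.key -out msg.signed

install_ca root.pem
before=$(verify || true)   # issuing CA absent: chain cannot be built
install_ca ica.pem
after=$(verify)            # issuing CA present as <hash>.0: chain completes
printf 'root only:\n%s\n\nroot + issuing CA:\n%s\n' "$before" "$after"
```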