Comment 8 for bug 1314234

edso (ed.so) wrote : Re: [Bug 1314234] Re: Duplicity does not verify SSL certificate prior to connecting

true if he got
 Verify return code: 20 (unable to get local issuer certificate)

else his certificates might just be outdated ;) .. ede/duply.net

On 03.06.2014 20:00, Kenneth Loafman wrote:
> I found an error in the way you are running the openssl command, it should
> include the -CAcert option. See the man page for s_client. Running with
> that yields a clean verification:
>
> ken@stealth:~$ openssl s_client -CApath /etc/ssl/certs -connect
> s3-1-w.amazonaws.com:443
> CONNECTED(00000003)
> depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
> Certification Authority
> verify return:1
> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
> "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3
> Public Primary Certification Authority - G5
> verify return:1
> depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
> Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3
> Secure Server CA - G3
> verify return:1
> depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN = *.
> s3.amazonaws.com
> verify return:1
> ---
> Certificate chain
> 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3.amazonaws.com
> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
> Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
> 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
> Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIFQTCCBCmgAwIBAgIQGHBX7tZDXzmvfSkeROrx7DANBgkqhkiG9w0BAQUFADCB
> tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
> YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
> VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwNDA5
> MDAwMDAwWhcNMTUwNDA5MjM1OTU5WjBrMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
> V2FzaGluZ3RvbjEQMA4GA1UEBxQHU2VhdHRsZTEYMBYGA1UEChQPQW1hem9uLmNv
> bSBJbmMuMRswGQYDVQQDFBIqLnMzLmFtYXpvbmF3cy5jb20wggEiMA0GCSqGSIb3
> DQEBAQUAA4IBDwAwggEKAoIBAQCyIdaCeebmUg7oowAEkJOGAkE9KA7f/Kpsbexn
> sD0v/W2Hbq7Kmys8LD9bs6RX4YNIr/Cx0i4gQlymmVXy/OhgrvSpl/lbmHzFXF30
> UF2/L6NWkbkca2QbmolYBjYHngblx/gRQw6XGSui2Ql8q6W5IOz1EyHUZOhcr5W8
> x76JtY4r5/uav+2WO9pgtGEL4aROQfE7R/399OvkUCabcTvaG9N0TMBLTdB/mWyD
> GlnHSwWl67lH1HPr429iz/2cPP7l3eq1V1PNq25w5JCV2kySmq5d0XKt4cy5mMh/
> Og2vcwyj31u8B4fzyGWxQAXLs10wWF9xdVNHrJwoBD9jeiWDAgMBAAGjggGUMIIB
> kDAJBgNVHRMEAjAAMEMGA1UdIAQ8MDowOAYKYIZIAYb4RQEHNjAqMCgGCCsGAQUF
> BwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3BzMEUGA1UdHwQ+MDwwOqA4
> oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtY3JsLnZlcmlzaWduLmNvbS9TVlJTZWN1
> cmVHMy5jcmwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQY
> MBaAFA1EXBZTRMGCfh0gqyX0AWPYvnmlMHYGCCsGAQUFBwEBBGowaDAkBggrBgEF
> BQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUFBzAChjRodHRw
> Oi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY2Vy
> MA4GA1UdDwEB/wQEAwIFoDAvBgNVHREEKDAmghIqLnMzLmFtYXpvbmF3cy5jb22C
> EHMzLmFtYXpvbmF3cy5jb20wDQYJKoZIhvcNAQEFBQADggEBAD2yDlI/JHDW9LNT
> rsvy1lnS8H0IT8Zc+z9Imd5zEEqBs2G1beCtM9U4o/MDEao95DWfRck3Gx428fPv
> bsabSwJHtSpGLQiWi/UwnxN0p5Lz6tQVaglBqlsvm4ZGHdS94hSaYwd4nUZ+Wpo8
> hhCk44lVjwD0hTqr4G08XQiS/mlOY2422zo6+ULw+YG6ocMtVTe+VsL3V7dLRYgN
> wV15Z5GLL4f50hbUHQAjdFHMtDkIQTWu0l7SJB6ueQBxoBNJoHC89IZMom0Oy9WL
> 1UNYgBTsad76ql/K3feTPJodalB1RXbEwSgc4pAC1/rtlfoZewZvNqANMxYc7k7G
> ufhUTyk=
> -----END CERTIFICATE-----
> subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.
> s3.amazonaws.com
> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4276 bytes and written 567 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.1
> Cipher : AES256-SHA
> Session-ID:
> 538E0CFFE31F404D0B9994DEC11E1249A244DC631FB67EEBEBBC6BDB2E14A25A
> Session-ID-ctx:
> Master-Key:
> 9024ACE1AFF9E4A9B71EABE1A8FCADD8FC99C9E4DE094DC0412D63614F9378D47BC8718C698DC5E34BA89926246503BE
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1401818367
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
>
>
> On Tue, Jun 3, 2014 at 8:21 AM, Vincent Danen <email address hidden>
> wrote:
>
>> Anything further on this? It's been a few weeks and we'd like to make
>> this public so we're not sitting on it forever. If there is no
>> objection, we would like to open our bug on June 11, 2014 at about 16:00
>> UTC, although ideally we'd like to do so with some guidance for a fix or
>> patch.
>>
>> Thanks.
>>
>> --
>> You received this bug notification because you are subscribed to
>> Duplicity.
>> https://bugs.launchpad.net/bugs/1314234
>>
>> Title:
>> Duplicity does not verify SSL certificate prior to connecting
>>
>> Status in Duplicity - Bandwidth Efficient Encrypted Backup:
>> New
>>
>> Bug description:
>> While doing some testing using deja-dup I noticed that the SSL
>> certificate that Amazon S3 was providing wasn't correct.
>>
>> $ openssl s_client -connect s3-1-w.amazonaws.com:443 -crlf
>> CONNECTED(00000003)
>> depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
>> Certification Authority
>> verify return:1
>> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
>> "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3
>> Public Primary Certification Authority - G5
>> verify return:1
>> depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
>> Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3
>> Secure Server CA - G3
>> verify return:1
>> depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN =
>> *.s3.amazonaws.com
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.
>> s3.amazonaws.com
>> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
>> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA -
>> G3
>> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
>> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA -
>> G3
>> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
>> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
>> Certification Authority - G5
>> 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
>> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
>> Certification Authority - G5
>> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
>> Authority
>>
>> The Amazon certificate is a wildcard cert for *.s3.amazonaws.com.
>> Unfortunately the domain duplicity was connecting to was
>> s3-1-w.amazonaws.com. Duplicity should have verified that the
>> certificate was valid for the domain it was connected to.
>>
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/duplicity/+bug/1314234/+subscriptions
>>
>
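The two checks discussed in this thread are separate: the `Verify return code` printed by `openssl s_client` only tells you whether the chain validates against the configured CA store (code 20 means the issuer was not found there, code 0 means the chain is fine), while matching the certificate's names against the host actually connected to is a distinct step that the client application has to perform itself. The following added example (not duplicity's code, and not from any participant in this thread) implements that name check in Python and shows how an `ssl.SSLContext` is configured so that both checks happen. The peer-certificate dictionary is constructed to mirror the Amazon certificate shown above; its `subjectAltName` entries are assumed, and the `/etc/ssl/certs` path is the one Kenneth used.

```python
"""Hostname verification for a TLS client, illustrated on the mismatch from
this bug: a certificate for *.s3.amazonaws.com presented on a connection to
s3-1-w.amazonaws.com.  Example code, not part of duplicity."""
import ssl
from typing import Iterable, List, Optional

# Constructed stand-in for what ssl.SSLSocket.getpeercert() would return for
# the Amazon certificate quoted in the thread (SAN values are an assumption).
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Washington"),),
        (("localityName", "Seattle"),),
        (("organizationName", "Amazon.com Inc."),),
        (("commonName", "*.s3.amazonaws.com"),),
    ),
    "subjectAltName": (("DNS", "*.s3.amazonaws.com"), ("DNS", "s3.amazonaws.com")),
}


def names_from_peercert(cert: dict) -> List[str]:
    """Return the DNS names a certificate is valid for.

    subjectAltName dNSName entries take precedence; the subject CN is only a
    fallback for legacy certificates that carry no SAN extension at all.
    """
    dns_names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return dns_names
    return [value for rdn in cert.get("subject", ()) for (kind, value) in rdn if kind == "commonName"]


def hostname_matches(cert_names: Iterable[str], hostname: str) -> bool:
    """RFC 6125 style matching: a '*' may only be the whole leftmost label,
    matches exactly one label, and may not stand in for a public suffix."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue  # a wildcard never spans more than one label
        if any("*" in label for label in labels[1:]):
            continue  # wildcard allowed in the leftmost label only
        if "*" in labels[0] and labels[0] != "*":
            continue  # reject partial wildcards such as "s3*"
        if labels[0] == "*" and len(labels) < 3:
            continue  # refuse "*.com" style names
        if all(pat == "*" or pat == host for pat, host in zip(labels, host_labels)):
            return True
    return False


def verifying_context(capath: Optional[str] = None) -> ssl.SSLContext:
    """Build a client context that validates the chain AND the hostname.

    PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and check_hostname, which is
    exactly the combination the bug report says was missing.  Pass
    capath="/etc/ssl/certs" to use the same store Kenneth gave to s_client.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if capath is not None:
        ctx.load_verify_locations(capath=capath)
    else:
        ctx.load_default_certs()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


if __name__ == "__main__":
    names = names_from_peercert(SAMPLE_PEERCERT)
    for host in ("s3-1-w.amazonaws.com", "bucket.s3.amazonaws.com"):
        print(host, "->", "ok" if hostname_matches(names, host) else "MISMATCH")
```

Run stand-alone, the block reports `MISMATCH` for `s3-1-w.amazonaws.com` and `ok` for `bucket.s3.amazonaws.com`: the wildcard covers one label directly under `s3.amazonaws.com`, and the endpoint duplicity connected to is not under that domain at all, which is why a clean chain from `s_client` was never sufficient evidence on its own.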