true if he got
Verify return code: 20 (unable to get local issuer certificate)
else his certificates might just be outdated ;) .. ede/duply.net
On 03.06.2014 20:00, Kenneth Loafman wrote:
> I found an error in the way you are running the openssl command, it should
> include the -CAcert option. See the man page for s_client. Running with
> that yields a clean verification:
>
> ken@stealth:~$ openssl s_client -CApath /etc/ssl/certs -connect
> s3-1-w.amazonaws.com:443
> CONNECTED(00000003)
> depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
> Certification Authority
> verify return:1
> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
> "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3
> Public Primary Certification Authority - G5
> verify return:1
> depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
> Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3
> Secure Server CA - G3
> verify return:1
> depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN = *.
> s3.amazonaws.com
> verify return:1
> ---
> Certificate chain
> 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3.amazonaws.com
> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
> Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
> 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
> Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.
> s3.amazonaws.com
> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4276 bytes and written 567 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.1
> Cipher : AES256-SHA
> Session-ID:
> 538E0CFFE31F404D0B9994DEC11E1249A244DC631FB67EEBEBBC6BDB2E14A25A
> Session-ID-ctx:
> Master-Key:
> 9024ACE1AFF9E4A9B71EABE1A8FCADD8FC99C9E4DE094DC0412D63614F9378D47BC8718C698DC5E34BA89926246503BE
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1401818367
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
>
>
> On Tue, Jun 3, 2014 at 8:21 AM, Vincent Danen <email address hidden>
> wrote:
>
>> Anything further on this? It's been a few weeks and we'd like to make
>> this public so we're not sitting on it forever. If there is no
>> objection, we would like to open our bug on June 11, 2014 at about 16:00
>> UTC, although ideally we'd like to do so with some guidance for a fix or
>> patch.
>>
>> Thanks.
>>
>> --
>> You received this bug notification because you are subscribed to
>> Duplicity.
>> https://bugs.launchpad.net/bugs/1314234
>>
>> Title:
>> Duplicity does not verify SSL certificate prior to connecting
>>
>> Status in Duplicity - Bandwidth Efficient Encrypted Backup:
>> New
>>
>> Bug description:
>> While doing some testing using deja-dup I noticed that the SSL
>> certificate that Amazon S3 was providing wasn't correct.
>>
>> $ openssl s_client -connect s3-1-w.amazonaws.com:443 -crlf
>> CONNECTED(00000003)
>> depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
>> Certification Authority
>> verify return:1
>> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
>> "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3
>> Public Primary Certification Authority - G5
>> verify return:1
>> depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
>> Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3
>> Secure Server CA - G3
>> verify return:1
>> depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN =
>> *.s3.amazonaws.com
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.
>> s3.amazonaws.com
>> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
>> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA -
>> G3
>> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
>> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA -
>> G3
>> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
>> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
>> Certification Authority - G5
>> 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
>> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
>> Certification Authority - G5
>> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
>> Authority
>>
>> The Amazon certificate is a wildcard cert for *.s3.amazonaws.com.
>> Unfortunately the domain duplicity was connecting to was
>> s3-1-w.amazonaws.com. Duplicity should have verified that the
>> certificate was valid for the domain it was connected to.
>>
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/duplicity/+bug/1314234/+subscriptions
>>
>
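The check the bug report says was missing, as an added example (not code from this thread or from duplicity): an RFC 6125-style name matcher that compares the subject CN *.s3.amazonaws.com shown in the output above against the host actually connected to, s3-1-w.amazonaws.com, plus a helper that builds a Python ssl context with hostname checking on. The SAN list and the capath default are assumptions.

```python
import ssl

# Names taken from the thread: the wildcard CN on the Amazon cert and the
# host duplicity connected to. The SAN list is an assumption for the example.
CERT_NAMES = ["*.s3.amazonaws.com"]
CONNECTED_HOST = "s3-1-w.amazonaws.com"


def match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is allowed only as the entire left-most
    label and matches exactly one label, so '*.s3.amazonaws.com' covers
    'bucket.s3.amazonaws.com' but never 's3-1-w.amazonaws.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        # Reject partial wildcards (a*.example.com) and multiple wildcards.
        if p_labels[0] != "*" or pattern.count("*") != 1:
            return False
        # Reject over-broad wildcards such as '*.com'.
        if len(p_labels) < 3:
            return False
    if p_labels[0] != "*" and p_labels[0] != h_labels[0]:
        return False
    return all(p == h for p, h in zip(p_labels[1:], h_labels[1:]))


def cert_valid_for_host(names, hostname: str) -> bool:
    """True if any DNS name presented by the certificate matches hostname."""
    return any(match_dns_name(n, hostname) for n in names)


def verifying_context(capath=None) -> ssl.SSLContext:
    """Client context that refuses unverified chains and wrong hostnames.
    capath (assumed, e.g. /etc/ssl/certs) supplements the default CA store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if capath:
        ctx.load_verify_locations(capath=capath)
    return ctx


if __name__ == "__main__":
    print(CONNECTED_HOST, "covered:", cert_valid_for_host(CERT_NAMES, CONNECTED_HOST))
```

With check_hostname set, ssl.SSLContext.wrap_socket(sock, server_hostname=host) performs this comparison itself and raises on a mismatch.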