I found an error in the way you are running the openssl command; it should
include the -CAcert option. See the man page for s_client. Running with
that yields a clean verification:
ken@stealth:~$ openssl s_client -CApath /etc/ssl/certs -connect s3-1-w.amazonaws.com:443
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
"(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3
Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3
Secure Server CA - G3
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN = *.s3.amazonaws.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3.amazonaws.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3.amazonaws.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4276 bytes and written 567 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : AES256-SHA
Session-ID:
538E0CFFE31F404D0B9994DEC11E1249A244DC631FB67EEBEBBC6BDB2E14A25A
Session-ID-ctx:
Master-Key:
9024ACE1AFF9E4A9B71EABE1A8FCADD8FC99C9E4DE094DC0412D63614F9378D47BC8718C698DC5E34BA89926246503BE
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1401818367
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
On Tue, Jun 3, 2014 at 8:21 AM, Vincent Danen <email address hidden>
wrote:
> Anything further on this? It's been a few weeks and we'd like to make
> this public so we're not sitting on it forever. If there is no
> objection, we would like to open our bug on June 11, 2014 at about 16:00
> UTC, although ideally we'd like to do so with some guidance for a fix or
> patch.
>
> Thanks.
>
> --
> You received this bug notification because you are subscribed to
> Duplicity.
> https://bugs.launchpad.net/bugs/1314234
>
> Title:
> Duplicity does not verify SSL certificate prior to connecting
>
> Status in Duplicity - Bandwidth Efficient Encrypted Backup:
> New
>
> Bug description:
> While doing some testing using deja-dup I noticed that the SSL
> certificate that Amazon S3 was providing wasn't correct.
>
> $ openssl s_client -connect s3-1-w.amazonaws.com:443 -crlf
> CONNECTED(00000003)
> depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
> Certification Authority
> verify return:1
> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
> "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3
> Public Primary Certification Authority - G5
> verify return:1
> depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
> Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3
> Secure Server CA - G3
> verify return:1
> depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN =
> *.s3.amazonaws.com
> verify return:1
> ---
> Certificate chain
> 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.
> s3.amazonaws.com
> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA -
> G3
> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA -
> G3
> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
> 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
>
> The Amazon certificate is a wildcard cert for *.s3.amazonaws.com.
> Unfortunately the domain duplicity was connecting to was
> s3-1-w.amazonaws.com. Duplicity should have verified that the
> certificate was valid for the domain it was connected to.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/duplicity/+bug/1314234/+subscriptions
>
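The check the bug report asks for, as an added example that is not Duplicity's code and not part of this thread: matching a connection hostname against the DNS names a server certificate carries, the way RFC 6125 describes it. The certificate dict below is constructed in the shape Python's `ssl.getpeercert()` returns, using the subject CN shown in the thread; the plain `s3.amazonaws.com` SAN entry is an assumption. One caveat worth stating: `openssl s_client` of the vintage shown above validates only the chain, so `Verify return code: 0 (ok)` says nothing about whether `*.s3.amazonaws.com` covers `s3-1-w.amazonaws.com`; OpenSSL 1.1.0 and later add `-verify_hostname` to s_client for exactly that.

```python
"""Hostname matching for a TLS server certificate (added example).

Only a wildcard that is the entire left-most label is accepted, and it
matches exactly one label, which is what browsers and modern OpenSSL do.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a DNS name from a certificate covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname

    labels = pattern.split(".")
    # Wildcard must be the whole first label, must leave at least two
    # real labels ("*.com" is rejected), and must be the only wildcard.
    if labels[0] != "*" or len(labels) < 3 or "*" in pattern[2:]:
        return False

    host_labels = hostname.split(".")
    # "*" stands for exactly one non-empty label, so a.b.s3.amazonaws.com
    # and s3-1-w.amazonaws.com are both outside *.s3.amazonaws.com.
    if len(host_labels) != len(labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == labels[1:]


def certificate_dns_names(cert: dict) -> list:
    """Names to match against: SAN DNS entries if present, else the CN.

    cert uses the layout of ssl.getpeercert(): 'subject' is a tuple of
    RDNs, each a tuple of (type, value) pairs; 'subjectAltName' is a tuple
    of (type, value) pairs.
    """
    san = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if san:
        return san
    return [
        v
        for rdn in cert.get("subject", ())
        for t, v in rdn
        if t == "commonName"
    ]


def check_certificate_hostname(cert: dict, hostname: str) -> bool:
    """True if any DNS name in cert covers hostname."""
    return any(dns_name_matches(n, hostname) for n in certificate_dns_names(cert))


# Constructed from the subject shown in the thread; the second SAN entry
# is an assumption, not taken from the page.
S3_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Washington"),),
        (("localityName", "Seattle"),),
        (("organizationName", "Amazon.com Inc."),),
        (("commonName", "*.s3.amazonaws.com"),),
    ),
    "subjectAltName": (
        ("DNS", "*.s3.amazonaws.com"),
        ("DNS", "s3.amazonaws.com"),
    ),
}


if __name__ == "__main__":
    for host in ("bucket.s3.amazonaws.com", "s3-1-w.amazonaws.com"):
        ok = check_certificate_hostname(S3_CERT, host)
        print(f"{host}: {'match' if ok else 'NO MATCH'}")
```

With the constructed certificate, `bucket.s3.amazonaws.com` matches and `s3-1-w.amazonaws.com` does not, which is the mismatch the report describes. A client that wants this done by the library rather than by hand sets `check_hostname = True` on its `ssl.SSLContext` and passes `server_hostname=` when wrapping the socket.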