I noticed that too. The necessary CAs are actually installed on Lucid by default though (you just have to tell openssl where to look). Incidentally, wget works fine (without --no-check-certificate):
$ openssl s_client -CApath /etc/ssl/certs -connect cas.ucdavis.edu:443
CONNECTED(00000003)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/ST=California/L=Davis/O=University of California Davis/OU=IET-IR/CN=cas.ucdavis.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Davis/O=University of California Davis/OU=IET-IR/CN=cas.ucdavis.edu
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC/DCCAmWgAwIBAgIDCiCtMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDgxMTA2MjMwNDQ2WhcNMTEwMTA2MjMwNDQ2
WjCBhjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDjAMBgNVBAcT
BURhdmlzMScwJQYDVQQKEx5Vbml2ZXJzaXR5IG9mIENhbGlmb3JuaWEgRGF2aXMx
DzANBgNVBAsTBklFVC1JUjEYMBYGA1UEAxMPY2FzLnVjZGF2aXMuZWR1MIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRT3t20tSOMW9sC+WYk8csHzV6JK+aMGd8
m9NDQtK3bb5STyp1AfuovU2tGKv1YD5HCIs1BzDbbN+XJIrU+zSAdrVdHKp62ZKy
AWTFfwfQ0VWvBz8iKzWVpfiRutUC+RqodMBQ3DqM0YU4RX6cz9L5QFi+hQsCQ+Ha
lKzseuEJnQIDAQABo4GuMIGrMA4GA1UdDwEB/wQEAwIE8DAdBgNVHQ4EFgQUZoEl
UbQzpXvJyk5JVUGmVQu5Ka0wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5n
ZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5jcmwwHwYDVR0jBBgwFoAUSOZo+SvS
spXXR9gjIBBPM5iQn9QwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0G
CSqGSIb3DQEBBQUAA4GBADhAlAHFmemcwilbfWfu2//Os58jzJNCBFPNpS0d+tg4
AQTgR4Ogs7ljbJeo4+2eEnGvLHvPy1El8JkKRexwVhQSymz60Bnkg0oiQ6qIYwML
r5Gfk+liSBpexjZkPp+olFO8u/d+UlW6ZPfI5RTyz5e+InrETFyjgoIJY3y3SnFQ
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Davis/O=University of California Davis/OU=IET-IR/CN=cas.ucdavis.edu
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2147 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 4C116E5221F8596C7B1BE3E4443D427A6234FCE19A12F6E869C3F0C536715A7D
Session-ID-ctx:
Master-Key: C52784FE43D5156FDB3A81670E1BF87585502BC5C38EAE214F2C93285743BB8B050B8B111751A7B16A3784159B6444B3
Key-Arg : None
Start Time: 1276210770
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
HEAD / HTTP/1.0
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: https://casweb3.ucdavis.edu:8443/login
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Thu, 10 Jun 2010 22:59:33 GMT
Connection: close
closed
$ wget https://cas.ucdavis.edu
--2010-06-10 16:01:53-- https://cas.ucdavis.edu/
Resolving cas.ucdavis.edu... 169.237.104.82
Connecting to cas.ucdavis.edu|169.237.104.82|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://cas.ucdavis.edu/login [following]
--2010-06-10 16:01:53-- https://cas.ucdavis.edu/login
Connecting to cas.ucdavis.edu|169.237.104.82|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4796 (4.7K) [text/html]
Saving to: `login'
100%[=========================================================================================================>] 4,796 --.-K/s in 0s
I noticed that too. The necessary CAs are actually installed on Lucid by default though (you just have to tell openssl where to look). Incidentally, wget works fine (without --no-check- certificate) :
$ openssl s_client -CApath /etc/ssl/certs -connect cas.ucdavis.edu:443 Equifax/ OU=Equifax Secure Certificate Authority California/ L=Davis/ O=University of California Davis/OU= IET-IR/ CN=cas. ucdavis. edu ST=California/ L=Davis/ O=University of California Davis/OU= IET-IR/ CN=cas. ucdavis. edu US/O=Equifax/ OU=Equifax Secure Certificate Authority O=Equifax/ OU=Equifax Secure Certificate Authority US/O=Equifax/ OU=Equifax Secure Certificate Authority BAgIDCiCtMA0GCS qGSIb3DQEBBQUAM E4xCzAJBgNVBAYT AlVT FcXVpZmF4MS0wKw YDVQQLEyRFcXVpZ mF4IFNlY3VyZSBD ZXJ0 ob3JpdHkwHhcNMD gxMTA2MjMwNDQ2W hcNMTEwMTA2MjMw NDQ2 EBhMCVVMxEzARBg NVBAgTCkNhbGlmb 3JuaWExDjAMBgNV BAcT DVQQKEx5Vbml2ZX JzaXR5IG9mIENhb Glmb3JuaWEgRGF2 aXMx FVC1JUjEYMBYGA1 UEAxMPY2FzLnVjZ GF2aXMuZWR1MIGf MA0G AA4GNADCBiQKBgQ DRT3t20tSOMW9sC +WYk8csHzV6JK+ aMGd8 1AfuovU2tGKv1YD 5HCIs1BzDbbN+ XJIrU+zSAdrVdHK p62ZKy iKzWVpfiRutUC+ RqodMBQ3DqM0YU4 RX6cz9L5QFi+ hQsCQ+Ha Bo4GuMIGrMA4GA1 UdDwEB/ wQEAwIE8DAdBgNV HQ4EFgQUZoEl mVQu5Ka0wOgYDVR 0fBDMwMTAvoC2gK 4YpaHR0cDovL2Ny bC5n vY3Jscy9zZWN1cm VjYS5jcmwwHwYDV R0jBBgwFoAUSOZo +SvS Qn9QwHQYDVR0lBB YwFAYIKwYBBQUHA wEGCCsGAQUFBwMC MA0G AA4GBADhAlAHFme mcwilbfWfu2/ /Os58jzJNCBFPNp S0d+tg4 o4+2eEnGvLHvPy1 El8JkKRexwVhQSy mz60Bnkg0oiQ6qI YwML kPp+olFO8u/ d+UlW6ZPfI5RTyz 5e+InrETFyjgoIJ Y3y3SnFQ /C=US/ST= California/ L=Davis/ O=University of California Davis/OU= IET-IR/ CN=cas. ucdavis. edu /C=US/O= Equifax/ OU=Equifax Secure Certificate Authority DES-CBC3- SHA DES-CBC3- SHA C7B1BE3E4443D42 7A6234FCE19A12F 6E869C3F0C53671 5A7D FDB3A81670E1BF8 7585502BC5C38EA E214F2C93285743 BB8B050B8B11175 1A7B16A3784159B 6444B3
CONNECTED(00000003)
depth=1 /C=US/O=
verify return:1
depth=0 /C=US/ST=
verify return:1
---
Certificate chain
0 s:/C=US/
i:/C=
1 s:/C=US/
i:/C=
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC/DCCAmWgAwI
MRAwDgYDVQQKEwd
aWZpY2F0ZSBBdXR
WjCBhjELMAkGA1U
BURhdmlzMScwJQY
DzANBgNVBAsTBkl
CSqGSIb3DQEBAQU
m9NDQtK3bb5STyp
AWTFfwfQ0VWvBz8
lKzseuEJnQIDAQA
UbQzpXvJyk5JVUG
ZW90cnVzdC5jb20
spXXR9gjIBBPM5i
CSqGSIb3DQEBBQU
AQTgR4Ogs7ljbJe
r5Gfk+liSBpexjZ
-----END CERTIFICATE-----
subject=
issuer=
---
No client certificate CA names sent
---
SSL handshake has read 2147 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-
Session-ID: 4C116E5221F8596
Session-ID-ctx:
Master-Key: C52784FE43D5156
Key-Arg : None
Start Time: 1276210770
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
HEAD / HTTP/1.0
HTTP/1.1 302 Moved Temporarily /casweb3. ucdavis. edu:8443/ login charset= ISO-8859- 1
Server: Apache-Coyote/1.1
Location: https:/
Content-Type: text/html;
Content-Length: 0
Date: Thu, 10 Jun 2010 22:59:33 GMT
Connection: close
closed /cas.ucdavis. edu /cas.ucdavis. edu/ edu|169. 237.104. 82|:443. .. connected. /cas.ucdavis. edu/login [following] /cas.ucdavis. edu/login edu|169. 237.104. 82|:443. .. connected.
$ wget https:/
--2010-06-10 16:01:53-- https:/
Resolving cas.ucdavis.edu... 169.237.104.82
Connecting to cas.ucdavis.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https:/
--2010-06-10 16:01:53-- https:/
Connecting to cas.ucdavis.
HTTP request sent, awaiting response... 200 OK
Length: 4796 (4.7K) [text/html]
Saving to: `login'
100%[== ======= ======= ======= ======= ======= ======= ======= ======= ======= ======= ======= ======= ======= ======= =====>] 4,796 --.-K/s in 0s
2010-06-10 16:01:53 (204 MB/s) - `login' saved [4796/4796]
$