Good day!
It seems that the host lcg-voms.cern.ch does not have CA distribution v. 0.32,
since I am unable to connect to it using my new certificate from RDIG CA,
signed with the 2048-bit key that appeared only in the 0.32 CA RPMs. The logging info
is the following:
-----
# openssl s_client -host lcg-voms.cern.ch -port 8443 -key hostkey.pem -cert hostcert.pem -CApath certificates -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=CH/O=CERN/OU=GRID/CN=CERN CA
verify return:1
depth=0 /C=CH/O=CERN/OU=GRID/CN=host/lcg-voms.cern.ch
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:certificate unknown
SSL_connect:failed in SSLv3 read finished A
12634:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1046:SSL alert number 46
12634:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
-----
Could the administrators of lcg-voms.cern.ch check and tell whether they
have the RDIG CA certificate with hash equal to 55994d72?
I also suspect that many sites still have CA RPMs v. 0.31. I would be very
glad if they were able to upgrade to the 0.32 distribution.
Thanks!
--
rea
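
A small parser for the `-state` trace quoted above, as an added example that is not part of the original message: it reports which side sent the fatal alert and whether the server chain had already verified locally. The function names `diagnose` and `verdict` are hypothetical, and the sample is a constructed excerpt of the quoted output.

```python
import re

# Constructed sample: excerpt of the `openssl s_client -state` output quoted in the message.
SAMPLE = """\
depth=1 /C=CH/O=CERN/OU=GRID/CN=CERN CA
verify return:1
depth=0 /C=CH/O=CERN/OU=GRID/CN=host/lcg-voms.cern.ch
verify return:1
SSL_connect:SSLv3 write client certificate A
SSL3 alert read:fatal:certificate unknown
SSL_connect:failed in SSLv3 read finished A
12634:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1046:SSL alert number 46
"""

DEPTH = re.compile(r"^depth=(\d+) (.+)$")
VERIFY = re.compile(r"^verify return:(\d+)$")
ALERT = re.compile(r"^SSL3 alert (read|write):(\w+):(.+)$")
ALERT_NO = re.compile(r"SSL alert number (\d+)")

def diagnose(log):
    r = {"server_chain": [], "client_cert_sent": False,
         "alert": None, "alert_number": None, "failed_state": None}
    pending = None  # (depth, subject) waiting for its "verify return" line
    for line in log.splitlines():
        if m := DEPTH.match(line):
            pending = (int(m.group(1)), m.group(2))
        elif (m := VERIFY.match(line)) and pending:
            r["server_chain"].append(pending + (m.group(1) == "1",))
            pending = None
        elif m := ALERT.match(line):
            # "read" = alert received from the peer, "write" = alert sent by this side
            sender = "peer" if m.group(1) == "read" else "local"
            r["alert"] = (sender, m.group(2), m.group(3))
        elif line.startswith("SSL_connect:failed in "):
            r["failed_state"] = line.split("failed in ", 1)[1]
        elif "write client certificate" in line:
            r["client_cert_sent"] = True
        if m := ALERT_NO.search(line):
            r["alert_number"] = int(m.group(1))
    return r

def verdict(r):
    chain_ok = bool(r["server_chain"]) and all(ok for _, _, ok in r["server_chain"])
    if r["alert"] and r["alert"][0] == "peer" and r["client_cert_sent"] and chain_ok:
        return "peer rejected the client certificate"
    if (r["alert"] and r["alert"][0] == "local") or (r["server_chain"] and not chain_ok):
        return "local side rejected the server certificate chain"
    return "inconclusive"
```

On the sample, the server chain verifies at both depths and the alert arrives from the peer after the client certificate was sent, so the rejection happened on the server side.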