From: Jens Lody <jenslody@fedoraproject.org>
To: devel@lists.fedoraproject.org
Sent: Sunday, April 23, 2017 9:49 AM
Subject: Re: Question on koji error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

Am Sun, 23 Apr 2017 13:29:30 +0000 (UTC)
schrieb Globe Trotter <itsme_410@yahoo.com>:

>
> $ openssl s_client -showcerts -connect koji.fedoraproject.org:443
>
> gives no errors but
> $ /usr/lib64/nss/unsupported-tools/tstclnt -CCC -D -b -h
> koji.fedoraproject.org -p 443tstclnt: error setting SSL/TLS version
> range : SSL_ERROR_INVALID_VERSION_RANGE: SSL version range is not
> valid.
>
> but does.
> Thanks!aarem
>
>   
You need to restrict the default version-range by adding "-V
tls1.0:" (note the colon):

/usr/lib64/nss/unsupported-tools/tstclnt -CCC -D -b -h

koji.fedoraproject.org -p 443 -V tls1.0:



Thanks! Now, I get a hang at:

......
==== end of certificate chain information ====
subject DN: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
issuer  DN: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
0 cache hits; 1 cache misses, 0 cache not reusable
0 stateless resumes
Received 0 Cert Status items (OCSP stapled data)



Thanks again!