[openssl-users] Why construct so weird certificate chain for one web site
Jeffrey Walton
noloader at gmail.com
Mon Dec 29 08:43:44 UTC 2014
On Mon, Dec 29, 2014 at 3:32 AM, Jerry OELoo <oyljerry at gmail.com> wrote:
> Hi.
> I am using X509_STORE_CTX_get1_chain() to construct a certificate chain
> based on the local root CA store. Now it works fine.
>
> But when I access this website, https://www.sgetvous.societegenerale.fr/
> I get a very strange result.
>
> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[20]
> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[27]
> Peer cert subject[/OU=Domain Control Validated/OU=Gandi Standard
> Wildcard SSL/CN=*.talkspirit.com] depth[0] error[27]
>
> as above, CN points to *.talkspirit.com, what's this?
>
Use TLS with SNI rather than SSLv3.
*****
riemann::Desktop$ openssl s_client -tls1 -connect
www.sgetvous.societegenerale.fr:443 -servername
www.sgetvous.societegenerale.fr | openssl x509 -text -noout
depth=0 C = FR, ST = Ile de France, L = PARIS, O = Societe Generale,
OU = Securite Production, CN = www.sgetvous.societegenerale.fr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = FR, ST = Ile de France, L = PARIS, O = Societe Generale,
OU = Securite Production, CN = www.sgetvous.societegenerale.fr
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = FR, ST = Ile de France, L = PARIS, O = Societe Generale,
OU = Securite Production, CN = www.sgetvous.societegenerale.fr
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:3a:0b:8f:89:ce:cc:c1:df:89:0c:f1:66:db:16:79
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network,
OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign
Class 3 Secure Server CA - G3
Validity
Not Before: Nov 27 00:00:00 2014 GMT
Not After : Nov 27 23:59:59 2016 GMT
Subject: C=FR, ST=Ile de France, L=PARIS, O=Societe Generale,
OU=Securite Production, CN=www.sgetvous.societegenerale.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9d:53:1b:28:a8:f4:ff:9a:13:08:f5:5e:6c:f7:
0a:e9:6a:a5:da:7c:de:13:97:ef:d9:40:41:2e:6b:
0f:32:49:f0:74:95:93:ed:ac:8e:eb:d3:fc:97:3e:
38:e6:bf:d7:2b:6d:b3:65:bb:3e:f4:d3:60:8e:d6:
04:1e:cc:1f:de:e8:5a:7a:55:b6:c2:18:e6:e1:8a:
bd:c1:0d:d7:c0:ee:5e:d6:d9:2e:8b:cf:18:8a:27:
a6:d4:bd:2d:74:9b:e1:53:60:e2:9d:d4:28:4f:74:
a7:ec:40:33:99:c4:8c:9d:c9:23:74:ae:fa:70:6d:
5d:5b:3f:6f:57:fb:53:4a:bd:f5:ed:38:ba:70:17:
03:94:50:0d:42:11:22:ef:ce:c8:4d:4c:d5:01:15:
1f:46:13:31:e0:8e:39:45:70:e4:c9:cd:5c:aa:35:
e9:84:ea:df:15:01:b7:db:46:05:39:ef:0e:3e:fc:
73:80:3e:4b:8f:5a:7e:47:fc:51:7a:5d:cd:12:d2:
b1:70:d4:b4:ff:ff:a3:b4:12:70:c6:b4:9b:46:57:
c1:57:5a:de:a3:45:ba:1d:4c:7e:f2:04:66:e0:0a:
c3:6b:43:a6:44:ab:d3:f4:38:89:71:b6:b2:0a:44:
2a:77:bb:ba:f2:bc:2d:e6:63:fa:70:a5:e4:c5:d6:
9d:67
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:www.sgetvous.societegenerale.fr
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.54
CPS: https://d.symcb.com/cps
User Notice:
Explicit Text: https://d.symcb.com/rpa
X509v3 Authority Key Identifier:
keyid:0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5
X509v3 CRL Distribution Points:
Full Name:
URI:http://sd.symcb.com/sd.crl
Authority Information Access:
OCSP - URI:http://sd.symcd.com
CA Issuers - URI:http://sd.symcb.com/sd.crt
Signature Algorithm: sha1WithRSAEncryption
6b:70:99:e4:13:a1:70:63:2f:0b:99:b7:a3:7e:e5:53:6c:84:
11:31:5e:cb:0b:9d:0e:28:7a:ad:21:6b:24:25:63:cf:a9:d0:
51:18:3d:22:01:26:a8:21:11:63:7d:a0:f1:ba:7c:72:27:6e:
e7:af:60:45:9e:5b:7b:c5:f1:50:6a:8f:fe:68:d1:e8:bd:c6:
3a:58:78:91:ea:ce:1d:4d:7d:9d:8c:b1:63:70:6a:c2:e0:e5:
4e:ef:66:60:b2:43:28:e9:45:5e:88:4a:8e:01:b0:da:73:61:
bc:9e:52:c7:37:f4:ee:da:36:b0:4f:4a:49:11:b0:b5:1b:c2:
98:7b:0a:a5:cb:e7:07:20:8d:cb:e0:00:bc:b9:15:bc:2e:5c:
88:95:8c:d8:84:3c:b2:1c:a6:9a:c0:9b:b7:3f:63:e1:68:ba:
0f:80:24:65:6f:c0:ca:a4:18:50:22:2b:50:02:2f:ff:fe:e9:
11:b3:a5:54:34:01:f1:7a:13:53:80:31:f9:1b:37:7e:56:df:
49:c2:ef:b8:7c:f1:c9:c9:ee:18:64:60:e5:3a:34:cf:2f:71:
6e:fa:40:3c:db:91:85:62:45:74:e9:31:c0:66:0e:eb:f2:c2:
6d:83:f4:40:47:e0:6e:d0:29:67:3e:89:70:cb:1c:ee:aa:9f:
8d:23:77:51
*****
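A small diagnostic that applies the point of this reply to the verify lines Jerry posted: it parses the "Peer cert subject[...] depth[N] error[E]" output, decodes the X509_V_ERR codes, and checks whether the depth-0 subject actually names the host that was requested, since a leaf naming an unrelated host (here *.talkspirit.com) is what a server's default virtual host looks like when no SNI is sent. This is an added example, not code from the thread; the sample lines are constructed from the ones quoted above and the function names are the example's own.

```python
import re

# X509_V_ERR_* codes that appear in the thread (values from OpenSSL's x509_vfy.h)
X509_V_ERR = {
    20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY",   # "unable to get local issuer certificate"
    21: "UNABLE_TO_VERIFY_LEAF_SIGNATURE",     # "unable to verify the first certificate"
    27: "CERT_UNTRUSTED",                      # "certificate not trusted"
}

# Matches the application's log format quoted in the question
LINE_RE = re.compile(
    r"subject\[(?P<subject>[^\]]*)\]\s+depth\[(?P<depth>\d+)\]\s+error\[(?P<err>\d+)\]")

# Constructed sample: the three lines from the question, joined onto single lines
SAMPLE = """\
Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[20]
Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[27]
Peer cert subject[/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.talkspirit.com] depth[0] error[27]
"""

def parse_verify_lines(text):
    """Return (subject, depth, error_code) for every verify line in the text."""
    return [(m.group("subject"), int(m.group("depth")), int(m.group("err")))
            for m in LINE_RE.finditer(text)]

def leaf_cn(entries):
    """CN of the depth-0 (server) certificate, or None if no leaf line was seen."""
    for subject, depth, _ in entries:
        if depth == 0:
            m = re.search(r"/CN=([^/]+)", subject)
            if m:
                return m.group(1).strip()
    return None

def name_matches(pattern, hostname):
    """RFC 6125-style comparison: '*' covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split(".")[1:], hostname.split(".")
        return len(hlabels) == len(plabels) + 1 and hlabels[1:] == plabels
    return pattern == hostname

def diagnose(text, requested_host):
    """Summarise the errors and flag a leaf that does not name the requested host."""
    entries = parse_verify_lines(text)
    errors = sorted({X509_V_ERR.get(e, str(e)) for _, _, e in entries})
    cn = leaf_cn(entries)
    matched = cn is not None and name_matches(cn, requested_host)
    return {"leaf_cn": cn, "errors": errors, "name_matches": matched,
            "likely_missing_sni": cn is not None and not matched}
```

Only the CN is inspected here; a production check would compare the requested host against the leaf's Subject Alternative Name entries, as the s_client dump above shows OpenSSL itself doing.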