[openssl-users] Why construct so wierd certificate chain for one web site

Jeffrey Walton noloader at gmail.com
Mon Dec 29 08:49:02 UTC 2014 

On Mon, Dec 29, 2014 at 3:43 AM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Mon, Dec 29, 2014 at 3:32 AM, Jerry OELoo <oyljerry at gmail.com> wrote:
>> Hi.
>> I am using X509_STORE_CTX_get1_chain() to construct certificate chain
>> base on local root ca store. Now it works fine.
>>
>> But when I access this website, https://www.sgetvous.societegenerale.fr/
>> I get a very strange result.
>>
>> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[20]
>> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[27]
>> Peer cert subject[/OU=Domain Control Validated/OU=Gandi Standard
>> Wildcard SSL/CN=*.talkspirit.com] depth[0] error[27]
>>
>> as above, CN points to *.talkspirit.com, what's this?
>>
>
> Use TLS with SNI rather than SSLv3.
>

My bad... Here's the SSLv3 try....

riemann::Desktop$ openssl s_client -ssl3 -connect
www.sgetvous.societegenerale.fr:443 | openssl x509 -text -noout
depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6a:71:4e:18:43:1a:1a:fd:d6:cb:1a:f2:0b:bd:bc:21
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
        Validity
            Not Before: Aug 25 00:00:00 2014 GMT
            Not After : Sep  7 23:59:59 2016 GMT
        Subject: OU=Domain Control Validated, OU=Gandi Standard
Wildcard SSL, CN=*.talkspirit.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ae:78:b4:36:77:fc:7b:a4:e7:05:54:24:e6:c3:
                    a1:c8:53:9b:00:9e:70:65:81:85:0e:8c:60:f4:f6:
                    03:18:f3:14:c7:14:3b:e4:a8:d1:2e:fc:73:a7:49:
                    76:c5:27:e9:5b:6b:a4:56:07:0d:93:a1:27:0b:c5:
                    d9:8e:bb:84:7b:c8:40:07:1c:29:88:f1:56:81:82:
                    b6:ea:20:4a:cf:ca:3c:fd:85:0e:ac:bd:74:10:71:
                    7a:66:76:64:3c:0b:51:47:32:c6:c2:32:82:a9:79:
                    69:5e:12:47:34:50:5f:30:62:5d:24:0e:9d:63:45:
                    c9:72:9e:75:07:b6:fe:0a:c6:e1:a4:10:a5:2a:57:
                    4c:0f:f2:79:c5:24:36:55:cc:e3:0c:32:b8:f4:61:
                    53:53:6f:75:dd:53:5a:2c:59:cf:b9:2a:2c:94:53:
                    8d:db:04:90:6d:bf:1b:2d:3f:35:aa:98:53:78:d6:
                    a3:c4:d8:62:ad:80:da:8a:28:b9:e4:00:fa:2b:e3:
                    f2:78:f8:5b:6f:71:9b:83:d1:84:98:ab:53:c5:73:
                    0e:4f:89:4d:9b:2f:0e:fb:ce:21:04:ed:32:08:6c:
                    a5:33:13:81:2a:b3:63:94:ae:15:2b:e6:eb:27:30:
                    4b:0a:6f:8d:32:63:5a:db:8c:89:04:76:60:98:c2:
                    43:0d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:

keyid:B6:A8:FF:A2:A8:2F:D0:A6:CD:4B:B1:68:F3:E7:50:10:31:A7:79:21

            X509v3 Subject Key Identifier:
                AE:E1:E7:5F:C0:7F:3B:09:70:02:82:A0:24:21:A9:56:16:0D:92:68
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.26
                  CPS: http://www.gandi.net/contracts/fr/ssl/cps/pdf/
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.gandi.net/GandiStandardSSLCA.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.gandi.net/GandiStandardSSLCA.crt
                OCSP - URI:http://ocsp.gandi.net

            X509v3 Subject Alternative Name:
                DNS:*.talkspirit.com, DNS:talkspirit.com
    Signature Algorithm: sha1WithRSAEncryption
         b5:8e:b6:8a:84:c3:c8:76:a9:48:37:60:ed:70:c9:33:91:fe:
         ee:1a:60:7b:68:71:71:30:e1:a1:cd:b9:4e:c2:36:b3:50:cf:
         d6:20:9f:a1:e0:4e:12:9c:89:19:6c:ce:9a:b4:18:7d:f1:ca:
         e0:d8:21:ac:b5:d4:51:b3:25:af:3d:6e:5e:29:65:6a:22:ac:
         ec:8a:cd:50:d0:28:12:ee:2c:6d:a9:e5:98:c1:d6:6d:05:8e:
         9b:f2:38:7f:18:83:17:1f:35:b1:f9:66:6f:85:05:ca:32:39:
         d5:e0:6a:82:18:8b:3d:e7:b7:27:4f:8e:d2:b9:f4:da:69:2d:
         1d:0b:7f:69:cf:e2:5d:4c:66:e8:59:c0:be:8b:c2:22:31:4d:
         66:d7:e3:c0:a6:71:e6:d2:4b:fd:4b:00:f7:5c:b5:f1:9a:90:
         80:72:ba:19:ef:0b:0f:e9:8f:b5:dc:29:d3:0c:ff:ee:04:92:
         63:bd:93:de:98:72:f1:94:8d:22:6d:d7:c0:f4:0f:47:4f:7b:
         8c:5d:12:ea:72:00:fe:6c:76:9c:5a:78:6c:93:b5:47:e2:4f:
         a9:9e:fc:33:f8:8d:a2:db:01:07:eb:55:12:9c:7e:97:02:26:
         0a:0b:53:44:83:74:7c:8e:de:b7:87:d5:88:65:68:14:62:69:
         31:91:4f:3e

More information about the openssl-users mailing list