[openssl-users] Why construct so weird certificate chain for one web site

Matt Caswell matt at openssl.org
Mon Dec 29 09:20:22 UTC 2014



On 29/12/14 08:32, Jerry OELoo wrote:
> Hi.
> I am using X509_STORE_CTX_get1_chain() to construct a certificate chain
> based on the local root CA store. Now it works fine.
> 
> But when I access this website, https://www.sgetvous.societegenerale.fr/
> I get a very strange result.
> 
> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[20]
> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[27]
> Peer cert subject[/OU=Domain Control Validated/OU=Gandi Standard
> Wildcard SSL/CN=*.talkspirit.com] depth[0] error[27]
> 
> As above, the CN points to *.talkspirit.com; what is this?
> 
> But https://www.ssllabs.com/ssltest/analyze.html?d=www.sgetvous.societegenerale.fr
> gives the same result as the browser shows: the certificate is signed by
> VeriSign.
> 
> What's the problem? Thanks!
> 
> 
You need to call SSL_set_tlsext_host_name. If I connect to the above
server using:

  openssl s_client -connect www.sgetvous.societegenerale.fr:443

then I get the above certificate. If however I connect using:

  openssl s_client -connect www.sgetvous.societegenerale.fr:443 \
    -servername www.sgetvous.societegenerale.fr

I get the correct one. The server is using SNI, so it needs to know the
hostname you are trying to connect to in order to provide you with the
correct certificate.

Matt
