[openssl-users] Why construct so weird certificate chain for one web site

Jerry OELoo oyljerry at gmail.com
Mon Dec 29 10:00:08 UTC 2014


Thanks Jeffrey & Matt

Now I have one more question. I do not want to make the code use the TLSv1
method and SSL_set_tlsext_host_name to query all websites; I just want,
when I encounter this issue, to then construct TLSv1 and set the SNI
name to query the certificate. So how can I get this kind of information,
or what is the correct coding process when supporting SNI and non-SNI
websites? Thanks!

On Mon, Dec 29, 2014 at 5:20 PM, Matt Caswell <matt at openssl.org> wrote:
>
>
> On 29/12/14 08:32, Jerry OELoo wrote:
>> Hi.
>> I am using X509_STORE_CTX_get1_chain() to construct the certificate chain
>> based on the local root CA store. Now it works fine.
>>
>> But when I access this website, https://www.sgetvous.societegenerale.fr/
>> I get a very strange result.
>>
>> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[20]
>> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[27]
>> Peer cert subject[/OU=Domain Control Validated/OU=Gandi Standard
>> Wildcard SSL/CN=*.talkspirit.com] depth[0] error[27]
>>
>> as above, CN points to *.talkspirit.com, what's this?
>>
>> But https://www.ssllabs.com/ssltest/analyze.html?d=www.sgetvous.societegenerale.fr
>> query result is same as browser shown, certificate is signed by
>> VeriSign.
>>
>> What's the problem? Thanks!
>>
>>
> You need to call SSL_set_tlsext_host_name. If I connect to the above
> server using:
> openssl s_client -connect www.sgetvous.societegenerale.fr:443
>
> Then I get the above certificate. If however I connect using:
> openssl s_client -connect www.sgetvous.societegenerale.fr:443
> -servername www.sgetvous.societegenerale.fr
>
> I get the correct one. The server is using SNI so needs to know the
> hostname you are trying to connect to in order to provide you with the
> correct certificate.
>
> Matt
> _______________________________________________
> openssl-users mailing list
> openssl-users at openssl.org
> https://mta.opensslfoundation.net/mailman/listinfo/openssl-users



-- 
Rejoice, I Desire!
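To reproduce the behaviour Matt describes without touching a live server, here is an added example (it is not code from the thread or from the OpenSSL project) that starts a local openssl s_server holding a fallback certificate plus a second certificate that is served only when the client's SNI names it, then queries it with openssl s_client with and without -servername. The names default.invalid and sni.example.test and the port 14433 are made up for the demonstration; the script needs only the openssl command-line tool and a loopback interface.

```shell
#!/bin/sh
# Added example (not from the thread): show that the certificate a TLS server
# presents depends on the server_name (SNI) extension in the ClientHello.
# Host names and port below are made up for this demonstration.
set -eu

PORT=14433
SNI_NAME=sni.example.test        # the name the server switches certificates on
WORK=$(mktemp -d)
SERVER_PID=
trap 'kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORK"' EXIT

# Two throw-away self-signed certificates: default.invalid plays the role of the
# *.talkspirit.com certificate in the thread (the server's fallback), the second
# is the certificate that belongs to our virtual host.
for name in default.invalid "$SNI_NAME"; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
done

# -cert/-key is the default pair; -cert2/-key2 is served only when the ClientHello
# carries a server_name extension that matches -servername.
openssl s_server -accept "$PORT" -quiet \
  -cert "$WORK/default.invalid.pem" -key "$WORK/default.invalid.key" \
  -cert2 "$WORK/$SNI_NAME.pem" -key2 "$WORK/$SNI_NAME.key" -servername "$SNI_NAME" \
  >/dev/null 2>&1 &
SERVER_PID=$!

# Wait until the listener accepts connections (s_server needs a moment to start).
i=0
until openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; do
  i=$((i + 1))
  [ "$i" -lt 50 ] || { echo "server did not start" >&2; exit 1; }
  sleep 0.2
done

# Connect with the given extra s_client options ("" or "-servername <name>") and
# print the CN of the certificate the server actually presented.
# We connect to the IP literal on purpose: SNI can only carry host names, so
# without -servername the ClientHello contains no server_name extension at all,
# even on OpenSSL versions where s_client fills in SNI from -connect by default.
served_cn() {
  openssl s_client -connect "127.0.0.1:$PORT" $1 </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

cn_without_sni() { served_cn ""; }
cn_with_sni()    { served_cn "-servername $SNI_NAME"; }

echo "no SNI:   $(cn_without_sni)"   # the fallback certificate, default.invalid
echo "with SNI: $(cn_with_sni)"      # the virtual host's own certificate
```

The same applies to code: there is no handshake-level way to ask a server beforehand whether it relies on SNI, and a server that does not use it simply ignores the extension, so a client should call SSL_set_tlsext_host_name() with the target host name before SSL_connect() on every connection rather than retrying only after a mismatch. The one case to skip it is when the target is an IP literal, since RFC 6066 does not allow addresses in the HostName field. Setting SNI only selects the certificate; the client must still check that the presented certificate matches the host name (X509_check_host() in OpenSSL 1.0.2, or SSL_set1_host() before the handshake from 1.1.0 on), otherwise the *.talkspirit.com certificate above would have been accepted as valid for the bank's site.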

