curl-users
Re: cURL and Iceweasel disagree about TLS certificate validity, despite same CA
From: dev_user <dev_at_cor0.com>
Date: Sat, 28 May 2016 14:36:34 -0400
> Try to connect by openssl tool (openssl s_client -connect
> profile.mensa.org.uk:https).
I was just about to post this when I saw your post:
$ openssl version
OpenSSL 1.0.2h 3 May 2016
$ openssl s_client -connect profile.mensa.org.uk:443 -tls1
CONNECTED(00000004)
depth=0 OU = GT91227394, OU = See www.rapidssl.com/resources/cps (c)15,
OU = Domain Control Validated - RapidSSL(R), CN = profile.mensa.org.uk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = GT91227394, OU = See www.rapidssl.com/resources/cps (c)15,
OU = Domain Control Validated - RapidSSL(R), CN = profile.mensa.org.uk
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=GT91227394/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=profile.mensa.org.uk
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
Server certificate
subject=/OU=GT91227394/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=profile.mensa.org.uk
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 1342 bytes and written 510 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1
    Cipher : RC4-MD5
    Session-ID: CC0E000003DAFA52DF38FD319DB2F266090EF274195887A18834B796A9F31087
    Session-ID-ctx:
    Master-Key: B967B43D961D907EAA032ED7910AADD2AA77468AF261920A5250055443FF17F3154916278E808937274DE154F483AC53
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1464460321
    Timeout : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
^C$

looks like a borked site.

Dennis

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ: https://curl.haxx.se/docs/faq.html
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-05-28
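Added example, not part of the original message: a small Python triage helper that reads the fields visible in the s_client output above (the chain the server sent, the verify errors, the negotiated cipher) and reports what a defender would check first. The function names and the abridged sample text are assumptions made for this illustration.

```python
import re

# Constructed sample: fields abridged from the s_client transcript above (PEM omitted).
SAMPLE = """\
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/OU=GT91227394/CN=profile.mensa.org.uk
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
    Verify return code: 21 (unable to verify the first certificate)
"""

def parse_s_client(text):
    """Pull the sent chain, verify errors and cipher out of s_client output."""
    lines, chain = text.splitlines(), []
    for i, line in enumerate(lines[:-1]):
        subj = re.match(r"\s*(\d+) s:(.*)", line)
        issuer = re.match(r"\s*i:(.*)", lines[i + 1])
        if subj and issuer:
            chain.append((int(subj.group(1)), subj.group(2).strip(),
                          issuer.group(1).strip()))
    cipher = re.search(r"Cipher is (\S+)", text)
    code = re.search(r"Verify return code: (\d+)", text)
    return {
        "chain": chain,
        "errors": sorted({int(n) for n in re.findall(r"verify error:num=(\d+):", text)}),
        "cipher": cipher.group(1) if cipher else None,
        "verify_code": int(code.group(1)) if code else None,
    }

def findings(report):
    """Turn the parsed fields into plain-language findings for triage."""
    out = []
    if report["chain"]:
        depth, subject, issuer = report["chain"][-1]
        unverified = 20 in report["errors"] or report["verify_code"] in (20, 21)
        # Last certificate sent is not self-issued and its issuer was not found locally.
        if subject != issuer and unverified:
            out.append(f"chain ends at index {depth}; issuer not found: {issuer}")
    # RC4, MD5, NULL and export suites are all considered broken or weak.
    if report["cipher"] and re.search(r"RC4|MD5|NULL|EXP", report["cipher"]):
        out.append(f"weak cipher negotiated: {report['cipher']}")
    return out

if __name__ == "__main__":
    print(findings(parse_s_client(SAMPLE)))
```

The first finding only says that the issuer of the last certificate sent was not found by this client; whether the server omitted it or the local trust store lacks it has to be confirmed separately.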