On Mon, Dec 29, 2014 at 3:32 AM, Jerry OELoo <oyljerry at gmail.com> wrote:
> Hi.
> I am using X509_STORE_CTX_get1_chain() to construct certificate chain
> based on local root ca store. Now it works fine.
>
> But when I access this website, https://www.sgetvous.societegenerale.fr/
> I get a very strange result.
>
> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[20]
> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[27]
> Peer cert subject[/OU=Domain Control Validated/OU=Gandi Standard
> Wildcard SSL/CN=*.talkspirit.com] depth[0] error[27]
>
> as above, CN points to *.talkspirit.com, what's this?
>

Use TLS with SNI rather than SSLv3.

*****

riemann::Desktop$ openssl s_client -tls1 -connect www.sgetvous.societegenerale.fr:443 -servername www.sgetvous.societegenerale.fr | openssl x509 -text -noout
depth=0 C = FR, ST = Ile de France, L = PARIS, O = Societe Generale, OU = Securite Production, CN = www.sgetvous.societegenerale.fr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = FR, ST = Ile de France, L = PARIS, O = Societe Generale, OU = Securite Production, CN = www.sgetvous.societegenerale.fr
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = FR, ST = Ile de France, L = PARIS, O = Societe Generale, OU = Securite Production, CN = www.sgetvous.societegenerale.fr
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:3a:0b:8f:89:ce:cc:c1:df:89:0c:f1:66:db:16:79
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
        Validity
            Not Before: Nov 27 00:00:00 2014 GMT
            Not After : Nov 27 23:59:59 2016 GMT
        Subject: C=FR, ST=Ile de France, L=PARIS, O=Societe Generale, OU=Securite Production, CN=www.sgetvous.societegenerale.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.sgetvous.societegenerale.fr
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: https://d.symcb.com/cps
                  User Notice:
                    Explicit Text: https://d.symcb.com/rpa
            X509v3 Authority Key Identifier:
                keyid:0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://sd.symcb.com/sd.crl
            Authority Information Access:
                OCSP - URI:http://sd.symcd.com
                CA Issuers - URI:http://sd.symcb.com/sd.crt
    Signature Algorithm: sha1WithRSAEncryption
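As an added example (not code from the thread), a small Python diagnostic for the symptom above: it parses the poster's "Peer cert subject[...]" lines, checks whether the depth-0 certificate the server sent is issued for the host that was requested at all, and shows the connection done the way the reply suggests, TLS with SNI via server_hostname. The helper names and SAMPLE_LOG (rebuilt from the poster's three lines) are mine.

```python
import re
import socket
import ssl

# Constructed from the three lines the poster quoted (mail wrapping undone).
SAMPLE_LOG = """\
Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[20]
Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[27]
Peer cert subject[/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.talkspirit.com] depth[0] error[27]
"""
LINE_RE = re.compile(r"subject\[(?P<subj>[^\]]*)\]\s+depth\[(?P<depth>\d+)\]\s+error\[(?P<err>\d+)\]")

def parse_verify_line(line):
    """(cn, depth, err) from one 'Peer cert subject[...]' line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("subj").rsplit("/CN=", 1)[-1], int(m.group("depth")), int(m.group("err"))

def hostname_matches(pattern, host):
    """RFC 6125-style check: '*' allowed only as the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h

def diagnose(log_text, expected_host):
    """Return (wrong_vhost, leaf_cn): wrong_vhost is True when the depth-0
    certificate the server sent is not issued for the host we asked for."""
    leaf_cn = None
    for line in log_text.splitlines():
        parsed = parse_verify_line(line)
        if parsed and parsed[1] == 0:      # depth 0 is the end-entity certificate
            leaf_cn = parsed[0]
    return leaf_cn is not None and not hostname_matches(leaf_cn, expected_host), leaf_cn

def leaf_subject_with_sni(host, port=443):
    """The fix from the reply: TLS with SNI plus chain and hostname verification
    against the system trust store. Needs network access; not run offline."""
    ctx = ssl.create_default_context()   # TLS only (no SSLv3), verifies chain and hostname
    with socket.create_connection((host, port)) as sock:
        # server_hostname is what puts the SNI extension into the ClientHello
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["subject"])
```

With the poster's lines and the host he asked for, diagnose() reports a wrong virtual host: the leaf CN *.talkspirit.com cannot cover www.sgetvous.societegenerale.fr, which is what a shared-IP server hands back when no SNI name arrives.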