Why construct so wierd certificate chain for one web site

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Dec 29, 2014 at 3:32 AM, Jerry OELoo <oyljerry at gmail.com> wrote:
> Hi.
> I am using X509_STORE_CTX_get1_chain() to construct certificate chain
> base on local root ca store. Now it works fine.
>
> But when I access this website, https://www.sgetvous.societegenerale.fr/
> I get a very strange result.
>
> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[20]
> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[27]
> Peer cert subject[/OU=Domain Control Validated/OU=Gandi Standard
> Wildcard SSL/CN=*.talkspirit.com] depth[0] error[27]
>
> as above, CN points to *.talkspirit.com, what's this?
>

Use TLS with SNI rather than SSLv3.

*****

riemann::Desktop$ openssl s_client -tls1 -connect
www.sgetvous.societegenerale.fr:443 -servername
www.sgetvous.societegenerale.fr | openssl x509 -text -noout
depth=0 C = FR, ST = Ile de France, L = PARIS, O = Societe Generale,
OU = Securite Production, CN = www.sgetvous.societegenerale.fr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = FR, ST = Ile de France, L = PARIS, O = Societe Generale,
OU = Securite Production, CN = www.sgetvous.societegenerale.fr
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = FR, ST = Ile de France, L = PARIS, O = Societe Generale,
OU = Securite Production, CN = www.sgetvous.societegenerale.fr
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:3a:0b:8f:89:ce:cc:c1:df:89:0c:f1:66:db:16:79
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network,
OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign
Class 3 Secure Server CA - G3
        Validity
            Not Before: Nov 27 00:00:00 2014 GMT
            Not After : Nov 27 23:59:59 2016 GMT
        Subject: C=FR, ST=Ile de France, L=PARIS, O=Societe Generale,
OU=Securite Production, CN=www.sgetvous.societegenerale.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9d:53:1b:28:a8:f4:ff:9a:13:08:f5:5e:6c:f7:
                    0a:e9:6a:a5:da:7c:de:13:97:ef:d9:40:41:2e:6b:
                    0f:32:49:f0:74:95:93:ed:ac:8e:eb:d3:fc:97:3e:
                    38:e6:bf:d7:2b:6d:b3:65:bb:3e:f4:d3:60:8e:d6:
                    04:1e:cc:1f:de:e8:5a:7a:55:b6:c2:18:e6:e1:8a:
                    bd:c1:0d:d7:c0:ee:5e:d6:d9:2e:8b:cf:18:8a:27:
                    a6:d4:bd:2d:74:9b:e1:53:60:e2:9d:d4:28:4f:74:
                    a7:ec:40:33:99:c4:8c:9d:c9:23:74:ae:fa:70:6d:
                    5d:5b:3f:6f:57:fb:53:4a:bd:f5:ed:38:ba:70:17:
                    03:94:50:0d:42:11:22:ef:ce:c8:4d:4c:d5:01:15:
                    1f:46:13:31:e0:8e:39:45:70:e4:c9:cd:5c:aa:35:
                    e9:84:ea:df:15:01:b7:db:46:05:39:ef:0e:3e:fc:
                    73:80:3e:4b:8f:5a:7e:47:fc:51:7a:5d:cd:12:d2:
                    b1:70:d4:b4:ff:ff:a3:b4:12:70:c6:b4:9b:46:57:
                    c1:57:5a:de:a3:45:ba:1d:4c:7e:f2:04:66:e0:0a:
                    c3:6b:43:a6:44:ab:d3:f4:38:89:71:b6:b2:0a:44:
                    2a:77:bb:ba:f2:bc:2d:e6:63:fa:70:a5:e4:c5:d6:
                    9d:67
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.sgetvous.societegenerale.fr
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: https://d.symcb.com/cps
                  User Notice:
                    Explicit Text: https://d.symcb.com/rpa

            X509v3 Authority Key Identifier:

keyid:0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://sd.symcb.com/sd.crl

            Authority Information Access:
                OCSP - URI:http://sd.symcd.com
                CA Issuers - URI:http://sd.symcb.com/sd.crt

    Signature Algorithm: sha1WithRSAEncryption
         6b:70:99:e4:13:a1:70:63:2f:0b:99:b7:a3:7e:e5:53:6c:84:
         11:31:5e:cb:0b:9d:0e:28:7a:ad:21:6b:24:25:63:cf:a9:d0:
         51:18:3d:22:01:26:a8:21:11:63:7d:a0:f1:ba:7c:72:27:6e:
         e7:af:60:45:9e:5b:7b:c5:f1:50:6a:8f:fe:68:d1:e8:bd:c6:
         3a:58:78:91:ea:ce:1d:4d:7d:9d:8c:b1:63:70:6a:c2:e0:e5:
         4e:ef:66:60:b2:43:28:e9:45:5e:88:4a:8e:01:b0:da:73:61:
         bc:9e:52:c7:37:f4:ee:da:36:b0:4f:4a:49:11:b0:b5:1b:c2:
         98:7b:0a:a5:cb:e7:07:20:8d:cb:e0:00:bc:b9:15:bc:2e:5c:
         88:95:8c:d8:84:3c:b2:1c:a6:9a:c0:9b:b7:3f:63:e1:68:ba:
         0f:80:24:65:6f:c0:ca:a4:18:50:22:2b:50:02:2f:ff:fe:e9:
         11:b3:a5:54:34:01:f1:7a:13:53:80:31:f9:1b:37:7e:56:df:
         49:c2:ef:b8:7c:f1:c9:c9:ee:18:64:60:e5:3a:34:cf:2f:71:
         6e:fa:40:3c:db:91:85:62:45:74:e9:31:c0:66:0e:eb:f2:c2:
         6d:83:f4:40:47:e0:6e:d0:29:67:3e:89:70:cb:1c:ee:aa:9f:
         8d:23:77:51



*****

riemann::Desktop$ openssl s_client -tls1 -connect
www.sgetvous.societegenerale.fr:443 -servername
www.sgetvous.societegenerale.fr | openssl x509 -text -noout
depth=0 C = FR, ST = Ile de France, L = PARIS, O = Societe Generale,
OU = Securite Production, CN = www.sgetvous.societegenerale.fr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = FR, ST = Ile de France, L = PARIS, O = Societe Generale,
OU = Securite Production, CN = www.sgetvous.societegenerale.fr
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = FR, ST = Ile de France, L = PARIS, O = Societe Generale,
OU = Securite Production, CN = www.sgetvous.societegenerale.fr
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:3a:0b:8f:89:ce:cc:c1:df:89:0c:f1:66:db:16:79
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network,
OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign
Class 3 Secure Server CA - G3
        Validity
            Not Before: Nov 27 00:00:00 2014 GMT
            Not After : Nov 27 23:59:59 2016 GMT
        Subject: C=FR, ST=Ile de France, L=PARIS, O=Societe Generale,
OU=Securite Production, CN=www.sgetvous.societegenerale.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9d:53:1b:28:a8:f4:ff:9a:13:08:f5:5e:6c:f7:
                    0a:e9:6a:a5:da:7c:de:13:97:ef:d9:40:41:2e:6b:
                    0f:32:49:f0:74:95:93:ed:ac:8e:eb:d3:fc:97:3e:
                    38:e6:bf:d7:2b:6d:b3:65:bb:3e:f4:d3:60:8e:d6:
                    04:1e:cc:1f:de:e8:5a:7a:55:b6:c2:18:e6:e1:8a:
                    bd:c1:0d:d7:c0:ee:5e:d6:d9:2e:8b:cf:18:8a:27:
                    a6:d4:bd:2d:74:9b:e1:53:60:e2:9d:d4:28:4f:74:
                    a7:ec:40:33:99:c4:8c:9d:c9:23:74:ae:fa:70:6d:
                    5d:5b:3f:6f:57:fb:53:4a:bd:f5:ed:38:ba:70:17:
                    03:94:50:0d:42:11:22:ef:ce:c8:4d:4c:d5:01:15:
                    1f:46:13:31:e0:8e:39:45:70:e4:c9:cd:5c:aa:35:
                    e9:84:ea:df:15:01:b7:db:46:05:39:ef:0e:3e:fc:
                    73:80:3e:4b:8f:5a:7e:47:fc:51:7a:5d:cd:12:d2:
                    b1:70:d4:b4:ff:ff:a3:b4:12:70:c6:b4:9b:46:57:
                    c1:57:5a:de:a3:45:ba:1d:4c:7e:f2:04:66:e0:0a:
                    c3:6b:43:a6:44:ab:d3:f4:38:89:71:b6:b2:0a:44:
                    2a:77:bb:ba:f2:bc:2d:e6:63:fa:70:a5:e4:c5:d6:
                    9d:67
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.sgetvous.societegenerale.fr
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: https://d.symcb.com/cps
                  User Notice:
                    Explicit Text: https://d.symcb.com/rpa

            X509v3 Authority Key Identifier:

keyid:0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://sd.symcb.com/sd.crl

            Authority Information Access:
                OCSP - URI:http://sd.symcd.com
                CA Issuers - URI:http://sd.symcb.com/sd.crt

    Signature Algorithm: sha1WithRSAEncryption
         6b:70:99:e4:13:a1:70:63:2f:0b:99:b7:a3:7e:e5:53:6c:84:
         11:31:5e:cb:0b:9d:0e:28:7a:ad:21:6b:24:25:63:cf:a9:d0:
         51:18:3d:22:01:26:a8:21:11:63:7d:a0:f1:ba:7c:72:27:6e:
         e7:af:60:45:9e:5b:7b:c5:f1:50:6a:8f:fe:68:d1:e8:bd:c6:
         3a:58:78:91:ea:ce:1d:4d:7d:9d:8c:b1:63:70:6a:c2:e0:e5:
         4e:ef:66:60:b2:43:28:e9:45:5e:88:4a:8e:01:b0:da:73:61:
         bc:9e:52:c7:37:f4:ee:da:36:b0:4f:4a:49:11:b0:b5:1b:c2:
         98:7b:0a:a5:cb:e7:07:20:8d:cb:e0:00:bc:b9:15:bc:2e:5c:
         88:95:8c:d8:84:3c:b2:1c:a6:9a:c0:9b:b7:3f:63:e1:68:ba:
         0f:80:24:65:6f:c0:ca:a4:18:50:22:2b:50:02:2f:ff:fe:e9:
         11:b3:a5:54:34:01:f1:7a:13:53:80:31:f9:1b:37:7e:56:df:
         49:c2:ef:b8:7c:f1:c9:c9:ee:18:64:60:e5:3a:34:cf:2f:71:
         6e:fa:40:3c:db:91:85:62:45:74:e9:31:c0:66:0e:eb:f2:c2:
         6d:83:f4:40:47:e0:6e:d0:29:67:3e:89:70:cb:1c:ee:aa:9f:
         8d:23:77:51


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux