On Mon, Dec 29, 2014 at 3:43 AM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Mon, Dec 29, 2014 at 3:32 AM, Jerry OELoo <oyljerry at gmail.com> wrote:
>> Hi.
>> I am using X509_STORE_CTX_get1_chain() to construct the certificate chain
>> based on the local root CA store. Now it works fine.
>>
>> But when I access this website, https://www.sgetvous.societegenerale.fr/
>> I get a very strange result.
>>
>> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[20]
>> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[27]
>> Peer cert subject[/OU=Domain Control Validated/OU=Gandi Standard
>> Wildcard SSL/CN=*.talkspirit.com] depth[0] error[27]
>>
>> As above, CN points to *.talkspirit.com. What's this?
>>
>
> Use TLS with SNI rather than SSLv3.
>
My bad... Here's the SSLv3 try....

riemann::Desktop$ openssl s_client -ssl3 -connect www.sgetvous.societegenerale.fr:443 | openssl x509 -text -noout
depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6a:71:4e:18:43:1a:1a:fd:d6:cb:1a:f2:0b:bd:bc:21
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
        Validity
            Not Before: Aug 25 00:00:00 2014 GMT
            Not After : Sep  7 23:59:59 2016 GMT
        Subject: OU=Domain Control Validated, OU=Gandi Standard Wildcard SSL, CN=*.talkspirit.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ae:78:b4:36:77:fc:7b:a4:e7:05:54:24:e6:c3:
                    a1:c8:53:9b:00:9e:70:65:81:85:0e:8c:60:f4:f6:
                    03:18:f3:14:c7:14:3b:e4:a8:d1:2e:fc:73:a7:49:
                    76:c5:27:e9:5b:6b:a4:56:07:0d:93:a1:27:0b:c5:
                    d9:8e:bb:84:7b:c8:40:07:1c:29:88:f1:56:81:82:
                    b6:ea:20:4a:cf:ca:3c:fd:85:0e:ac:bd:74:10:71:
                    7a:66:76:64:3c:0b:51:47:32:c6:c2:32:82:a9:79:
                    69:5e:12:47:34:50:5f:30:62:5d:24:0e:9d:63:45:
                    c9:72:9e:75:07:b6:fe:0a:c6:e1:a4:10:a5:2a:57:
                    4c:0f:f2:79:c5:24:36:55:cc:e3:0c:32:b8:f4:61:
                    53:53:6f:75:dd:53:5a:2c:59:cf:b9:2a:2c:94:53:
                    8d:db:04:90:6d:bf:1b:2d:3f:35:aa:98:53:78:d6:
                    a3:c4:d8:62:ad:80:da:8a:28:b9:e4:00:fa:2b:e3:
                    f2:78:f8:5b:6f:71:9b:83:d1:84:98:ab:53:c5:73:
                    0e:4f:89:4d:9b:2f:0e:fb:ce:21:04:ed:32:08:6c:
                    a5:33:13:81:2a:b3:63:94:ae:15:2b:e6:eb:27:30:
                    4b:0a:6f:8d:32:63:5a:db:8c:89:04:76:60:98:c2:
                    43:0d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B6:A8:FF:A2:A8:2F:D0:A6:CD:4B:B1:68:F3:E7:50:10:31:A7:79:21

            X509v3 Subject Key Identifier:
                AE:E1:E7:5F:C0:7F:3B:09:70:02:82:A0:24:21:A9:56:16:0D:92:68
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.26
                  CPS: http://www.gandi.net/contracts/fr/ssl/cps/pdf/
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.gandi.net/GandiStandardSSLCA.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.gandi.net/GandiStandardSSLCA.crt
                OCSP - URI:http://ocsp.gandi.net

            X509v3 Subject Alternative Name:
                DNS:*.talkspirit.com, DNS:talkspirit.com
    Signature Algorithm: sha1WithRSAEncryption
         b5:8e:b6:8a:84:c3:c8:76:a9:48:37:60:ed:70:c9:33:91:fe:
         ee:1a:60:7b:68:71:71:30:e1:a1:cd:b9:4e:c2:36:b3:50:cf:
         d6:20:9f:a1:e0:4e:12:9c:89:19:6c:ce:9a:b4:18:7d:f1:ca:
         e0:d8:21:ac:b5:d4:51:b3:25:af:3d:6e:5e:29:65:6a:22:ac:
         ec:8a:cd:50:d0:28:12:ee:2c:6d:a9:e5:98:c1:d6:6d:05:8e:
         9b:f2:38:7f:18:83:17:1f:35:b1:f9:66:6f:85:05:ca:32:39:
         d5:e0:6a:82:18:8b:3d:e7:b7:27:4f:8e:d2:b9:f4:da:69:2d:
         1d:0b:7f:69:cf:e2:5d:4c:66:e8:59:c0:be:8b:c2:22:31:4d:
         66:d7:e3:c0:a6:71:e6:d2:4b:fd:4b:00:f7:5c:b5:f1:9a:90:
         80:72:ba:19:ef:0b:0f:e9:8f:b5:dc:29:d3:0c:ff:ee:04:92:
         63:bd:93:de:98:72:f1:94:8d:22:6d:d7:c0:f4:0f:47:4f:7b:
         8c:5d:12:ea:72:00:fe:6c:76:9c:5a:78:6c:93:b5:47:e2:4f:
         a9:9e:fc:33:f8:8d:a2:db:01:07:eb:55:12:9c:7e:97:02:26:
         0a:0b:53:44:83:74:7c:8e:de:b7:87:d5:88:65:68:14:62:69:
         31:91:4f:3e
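The mechanism behind the reply above, as an added example that is not part of the thread: a server that hosts several sites on one address picks the certificate to present from the SNI extension in the ClientHello. An SSLv3 handshake carries no SNI, so the server falls back to its default virtual host and answers with that host's certificate, here the *.talkspirit.com wildcard, which then cannot pass a hostname check for www.sgetvous.societegenerale.fr. The block below reproduces the hostname check against the SAN copied from the dump in the thread (offline, constructed from the posted certificate), and includes a hypothetical helper, fetch_peer_cert(), that handshakes with and without SNI using Python's ssl module so the two certificates can be compared live. The certificate in the thread expired in 2016, so a live run today shows whatever the server currently serves.

```python
"""Added example, not code from the thread: why a no-SNI handshake can hand
back another vhost's certificate, and why that certificate fails hostname
matching for the site actually requested."""
import socket
import ssl

# Constructed sample: the subject and subjectAltName of the certificate pasted
# in the thread, laid out the way ssl.SSLSocket.getpeercert() returns them.
CERT_FROM_THREAD = {
    "subject": (
        (("organizationalUnitName", "Domain Control Validated"),),
        (("organizationalUnitName", "Gandi Standard Wildcard SSL"),),
        (("commonName", "*.talkspirit.com"),),
    ),
    "subjectAltName": (("DNS", "*.talkspirit.com"), ("DNS", "talkspirit.com")),
}


def dns_name_matches(pattern, hostname):
    """RFC 6125-style dNSName match: '*' is allowed only as the entire
    left-most label, never matches across a dot, and is refused for
    patterns like '*.com'. So '*.talkspirit.com' covers 'www.talkspirit.com'
    but neither 'talkspirit.com' nor 'a.b.talkspirit.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False            # only a whole-label, leading wildcard
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False            # no '*.tld', and exactly one label per label
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    """Match against SAN dNSName entries; fall back to the CN only when the
    certificate carries no SAN at all, as current verifiers do."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(p, hostname) for p in names)


def fetch_peer_cert(host, port=443, use_sni=True, timeout=10):
    """Hypothetical helper (needs network): handshake with or without the SNI
    extension and return the parsed peer certificate. Chain verification stays
    on; only the library's own hostname check is switched off so that a
    mismatched certificate can be inspected and judged by cert_matches_host()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # the name check is done by us, below
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname=None makes Python omit the SNI extension entirely,
        # which is what an SSLv3 ClientHello looks like to the server.
        with ctx.wrap_socket(raw, server_hostname=host if use_sni else None) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    host = "www.sgetvous.societegenerale.fr"   # the site from the thread
    # Offline: the certificate the poster got back does not name the host.
    print("thread cert matches %s: %s" % (host, cert_matches_host(CERT_FROM_THREAD, host)))
    print("thread cert matches www.talkspirit.com: %s"
          % cert_matches_host(CERT_FROM_THREAD, "www.talkspirit.com"))
    # Online: compare what the server presents with and without SNI.
    for use_sni in (True, False):
        try:
            cert = fetch_peer_cert(host, use_sni=use_sni)
            print("SNI=%s -> SAN %s, matches host: %s" % (
                use_sni, cert.get("subjectAltName"), cert_matches_host(cert, host)))
        except (OSError, ssl.SSLError) as exc:
            print("SNI=%s -> handshake failed: %s" % (use_sni, exc))
```

The command-line equivalent is `openssl s_client -connect www.sgetvous.societegenerale.fr:443 -servername www.sgetvous.societegenerale.fr`; with `-ssl3`, or on older releases without `-servername`, no SNI is sent and the default vhost certificate comes back (OpenSSL 1.1.1 and later send SNI from s_client by default). Note that error 20 and 27 in the poster's output are chain-trust failures (missing issuer, untrusted certificate), not a hostname mismatch; the name check is a separate step that this certificate would fail as well.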