
Comments (20)

bagder commented on May 26, 2024

mk-ca-bundle.pl (https://github.com/bagder/curl/blob/master/lib/mk-ca-bundle.pl) still outputs the same bundle though. I would say it might indicate a problem with the script...

from ca-bundle.

John-Nagle commented on May 26, 2024

You're right. I tried running the script, too, and it matches yours except for the timestamps. Try "https://www.verisign.com" against that file and Firefox. Firefox accepts the cert at that URL. That cert is in the "certdata.txt" file on Mozilla's site. The PEM file from here doesn't seem to have it. More tomorrow on this.

John-Nagle commented on May 26, 2024

I'm able to reproduce the problem using the OpenSSL command line client:

openssl s_client -connect www.verisign.com:443 -CAfile cacert.pem

fails with "verify error:num=20:unable to get local issuer certificate"

CONNECTED(00000150)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. -  For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Infrastructure Operations  /CN=www.verisign.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

This seems to be Verisign-specific. These domains work:

 openssl s_client -connect google.com:443 -CAfile cacert.pem

while "www.verisign.com" fails. But Firefox itself, which is supposedly using the same cert chain, will successfully connect to https://www.verisign.com/.

The necessary cert is "VeriSign Class 3 Public Primary Certification Authority - G5", and it's in the file with valid dates. But for some reason, it is being rejected. Any ideas?

szepeviktor commented on May 26, 2024

d1vl1ofn2ptkx.cloudfront.net also fails.
But it works with Debian's ca-certificates' compiled .crt file, which is generated here by a Python script:
https://sources.debian.net/src/ca-certificates/20141019/mozilla/

bagder commented on May 26, 2024

Really? It worked fine for me with bleeding edge curl built against either OpenSSL or GnuTLS when I tried d1vl1ofn2ptkx.cloudfront.net just now with the most recent converted ca-bundle.crt...

szepeviktor commented on May 26, 2024

Do you mean this one in this repo from April?
https://github.com/bagder/ca-bundle/blob/master/ca-bundle.crt
BTW I use wget 1.16.3 on Windows with OpenSSL 1.0.2a.

szepeviktor commented on May 26, 2024

Just generated ca-bundle.crt with mk-ca-bundle.pl (on Linux)

perl mk-ca-bundle.pl
Warning: Use of this script may pose some risk, -d risk for more details.
SHA1 of old file: 0
Downloading 'certdata.txt' ...
Get certdata over HTTPS with curl!
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1674k  100 1674k    0     0   360k      0  0:00:04  0:00:04 --:--:--  414k
SHA1 of new file: ed3c0bbfb7912bcc00cd2033b0cb85c98d10559c
Processing  'certdata.txt' ...
Done (155 CA certs processed, 48 skipped).
C:\>wget.exe -S https://d1vl1ofn2ptkx.cloudfront.net --ca-certificate=ca-bundle.crt
--2015-10-05 09:37:07--  https://d1vl1ofn2ptkx.cloudfront.net/
Resolving d1vl1ofn2ptkx.cloudfront.net (d1vl1ofn2ptkx.cloudfront.net)... 54.240.162.214, 54.240.162.46, 54.240.162.247, ...
Connecting to d1vl1ofn2ptkx.cloudfront.net (d1vl1ofn2ptkx.cloudfront.net)|54.240.162.214|:443... connected.
ERROR: cannot verify d1vl1ofn2ptkx.cloudfront.net's certificate, issued by 'CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US':
  Unable to locally verify the issuer's authority.
To connect to d1vl1ofn2ptkx.cloudfront.net insecurely, use `--no-check-certificate'.

Is your bundle's hash the same?

bagder commented on May 26, 2024

That's the bundle I mean (sha1 starting with ed3c0bbfb7912). And my wget 1.16.3 on Linux (using GnuTLS) can also get that site just fine with that bundle! (and then it fails on a 403):

$ wget --ca-certificate=ca-bundle.crt https://d1vl1ofn2ptkx.cloudfront.net/
--2015-10-05 09:41:43--  https://d1vl1ofn2ptkx.cloudfront.net/
Loaded CA certificate 'ca-bundle.crt'
Resolving d1vl1ofn2ptkx.cloudfront.net (d1vl1ofn2ptkx.cloudfront.net)... 54.230.96.5, 205.251.219.58, 205.251.219.10, ...
Connecting to d1vl1ofn2ptkx.cloudfront.net (d1vl1ofn2ptkx.cloudfront.net)|54.230.96.5|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2015-10-05 09:41:44 ERROR 403: Forbidden.

bagder commented on May 26, 2024

Hm, my wget is using gnutls.

szepeviktor commented on May 26, 2024

I've tried on Debian Linux and everything is the same as with yours.

szepeviktor commented on May 26, 2024

CFLAGS+=--with-ssl=openssl
wget v1.13.4
openssl v1.0.1e

$ ./wget --ca-certificate=ca-bundle.crt https://d1vl1ofn2ptkx.cloudfront.net/
--2015-10-05 10:22:11--  https://d1vl1ofn2ptkx.cloudfront.net/
Resolving d1vl1ofn2ptkx.cloudfront.net (d1vl1ofn2ptkx.cloudfront.net)... 54.240.162.57, 54.240.162.21, 54.240.162.46, ...
Connecting to d1vl1ofn2ptkx.cloudfront.net (d1vl1ofn2ptkx.cloudfront.net)|54.240.162.57|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2015-10-05 10:22:11 ERROR 403: Forbidden.

So it seems to be a Windows or OpenSSL 1.0.2a specific issue.
Windows binary from: https://eternallybored.org/misc/wget/

szepeviktor commented on May 26, 2024

Got OpenSSL 1.0.2a for Windows from https://indy.fulgan.com/SSL/

C:\>openssl.exe s_client -CAfile ca-bundle.crt -connect d1vl1ofn2ptkx.cloudfront.net:443
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
CONNECTED(000001BC)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.cloudfront.net
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.cloudfront.net
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4707 bytes and written 473 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 977A664610F7BB54F1AC13B1227DCD49F739803E55CF2AB3A8919E0E75FBA27C
    Session-ID-ctx:
    Master-Key: 33AEE9102FADAF1AE4512FD5738556191128BAD127CC93C950F084A4304FBB7890E1D2A886E0D55EC3C351D4C3678F34
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 10800 (seconds)
    TLS session ticket:

    Start Time: 1444033791
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Maybe an OpenSSL 1.0.2a bug?? For example -connect github.com:443 returns Verify return code: 0 (ok)

szepeviktor commented on May 26, 2024

I also tried with OpenSSL 1.0.1e on Windows; it also returns Verify return code: 20 (unable to get local issuer certificate), so it is a Windows problem.

szepeviktor commented on May 26, 2024

For googlers, this is my solution for Windows:

:: Download deb package from https://packages.debian.org/stable/all/ca-certificates/download
7za e -t# "ca-certificates_*_all.deb" 4.xz
7za e "4.xz"
7za e -o.\bundle "4" .\usr\share\ca-certificates\mozilla\*.crt
type .\bundle\*.crt > C:/bin/utl/ca-certificates.crt

bagder commented on May 26, 2024

it is a Windows problem.

It is good you narrowed it down to that, but man, that's still annoying and probably not completely trivial to nail down.

szepeviktor commented on May 26, 2024

I am sorry, I am no expert of certificates. It sounds fantastic to me that only VeriSign Class 3 G3 + Windows fails.

szepeviktor commented on May 26, 2024

After picking that cert from your bundle and from the Debian package: they have the cert bits!
The only thing is the formatting: your lines are 76 characters long, Debian's are 64.
Could it be the cause?

bagder commented on May 26, 2024

mk-ca-bundle.pl has a -w option that lets you set the wrap column. It feels like it shouldn't have anything to do with it...

szepeviktor commented on May 26, 2024

It turned out that there are two different certs with the same name: Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5

Both are here: https://gist.github.com/szepeviktor/5b6b473410b2a7915ab7
Diff: https://gist.github.com/szepeviktor/abc19f03573f174fec18/revisions?diff=split
Note: the subjects are not different.

John-Nagle commented on May 26, 2024

This is the cross-signed certificates bug in OpenSSL. See

https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1014640

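An added check, not code from the ca-bundle repo or from anyone in the thread, that scans a PEM bundle for exactly the situation found above: one subject Name carried by more than one distinct certificate (the two "G5" roots). It uses only the standard library with a minimal DER walker, and runs on a constructed sample bundle of structurally valid fake certificates; pass it the text of a real ca-bundle.crt to inspect that file.

```python
import base64
import hashlib
import re
from collections import defaultdict
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element starting at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a SEQUENCE body."""
    off = start
    while off < end:
        tag, vs, ve = der_tlv(buf, off)
        yield tag, off, vs, ve
        off = ve

def subject_der(cert):
    """Return the raw DER bytes of the subject Name of a DER-encoded X.509 certificate."""
    _, cert_vs, cert_ve = der_tlv(cert, 0)                             # Certificate SEQUENCE
    _, _, tbs_vs, tbs_ve = next(der_children(cert, cert_vs, cert_ve))  # tbsCertificate
    fields = list(der_children(cert, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:                            # explicit [0] version (absent in v1)
        fields = fields[1:]
    _, start, _, end = fields[4]                        # serial, sigAlg, issuer, validity, subject
    return cert[start:end]

def subject_collisions(bundle_text):
    """Map each subject DER carried by more than one distinct cert to their SHA-1 fingerprints."""
    by_subject = defaultdict(set)
    for m in PEM_RE.finditer(bundle_text):
        der_cert = base64.b64decode("".join(m.group(1).split()))
        by_subject[subject_der(der_cert)].add(hashlib.sha1(der_cert).hexdigest())
    return {s: sorted(f) for s, f in by_subject.items() if len(f) > 1}

# Constructed sample data (hypothetical, not real certificates): DER shells with the real layout.
def der(tag, body):
    return bytes([tag, len(body)]) + body               # short-form lengths suffice here
def fake_cert(subject_cn, serial):
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, subject_cn))))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + der(0x30, b"")
           + name + der(0x30, b"") + name + der(0x30, b""))
    body = base64.b64encode(der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00")))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body.decode()
# Two distinct certs share one subject (like the two "G5" roots in the thread); a third does not.
SAMPLE_BUNDLE = fake_cert(b"Root G5", 1) + fake_cert(b"Root G5", 2) + fake_cert(b"Other Root", 3)
```

`subject_collisions(open("ca-bundle.crt").read())` returns an empty dict for a bundle with no duplicated subjects; each entry it does return names a subject whose lookup by name alone is ambiguous for a verifier.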
