Comments (20)
mk-ca-bundle.pl (https://github.com/bagder/curl/blob/master/lib/mk-ca-bundle.pl) still outputs the same bundle though. I would say it might indicate a problem with the script...
from ca-bundle.
You're right. I tried running the script, too, and it matches yours except for the timestamps. Try "https://www.verisign.com" against that file and Firefox. Firefox accepts the cert at that URL. That cert is in the "certdata.txt" file on Mozilla's site. The PEM file from here doesn't seem to have it. More tomorrow on this.
from ca-bundle.
I'm able to reproduce the problem using the openSSL command line client:
openssl s_client -connect www.verisign.com:443 -CAfile cacert.pem
fails with "verify error:num=20:unable to get local issuer certificate"
CONNECTED(00000150)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Infrastructure Operations /CN=www.verisign.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
This seems to be Verisign-specific. These domains work:
openssl s_client -connect google.com:443 -CAfile cacert.pem
while "www.verisign.com" fails. But Firefox itself, which is supposedly using the same cert chain, will successfully connect to https://www.verisign.com/.
The necessary cert is "VeriSign Class 3 Public Primary Certification Authority - G5", and it's in the file with valid dates. But for some reason, it is being rejected. Any ideas?
from ca-bundle.
d1vl1ofn2ptkx.cloudfront.net also fails.
But it works with Debian's ca-certificates' compiled .crt file, which is generated there by a Python script.
https://sources.debian.net/src/ca-certificates/20141019/mozilla/
from ca-bundle.
Really? It worked fine for me with bleeding edge curl built against either OpenSSL or GnuTLS when I tried d1vl1ofn2ptkx.cloudfront.net just now with the most recent converted ca-bundle.crt...
from ca-bundle.
Do you mean this one in this repo from April?
https://github.com/bagder/ca-bundle/blob/master/ca-bundle.crt
BTW I use wget 1.16.3 on Windows with OpenSSL 1.0.2a.
from ca-bundle.
Just generated ca-bundle.crt with mk-ca-bundle.pl (on Linux)
perl mk-ca-bundle.pl
Warning: Use of this script may pose some risk, -d risk for more details.
SHA1 of old file: 0
Downloading 'certdata.txt' ...
Get certdata over HTTPS with curl!
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1674k  100 1674k    0     0   360k      0  0:00:04  0:00:04 --:--:--  414k
SHA1 of new file: ed3c0bbfb7912bcc00cd2033b0cb85c98d10559c
Processing 'certdata.txt' ...
Done (155 CA certs processed, 48 skipped).
C:\>wget.exe -S https://d1vl1ofn2ptkx.cloudfront.net --ca-certificate=ca-bundle.crt
--2015-10-05 09:37:07-- https://d1vl1ofn2ptkx.cloudfront.net/
Resolving d1vl1ofn2ptkx.cloudfront.net (d1vl1ofn2ptkx.cloudfront.net)... 54.240.162.214, 54.240.162.46, 54.240.162.247, ...
Connecting to d1vl1ofn2ptkx.cloudfront.net (d1vl1ofn2ptkx.cloudfront.net)|54.240.162.214|:443... connected.
ERROR: cannot verify d1vl1ofn2ptkx.cloudfront.net's certificate, issued by 'CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US':
Unable to locally verify the issuer's authority.
To connect to d1vl1ofn2ptkx.cloudfront.net insecurely, use `--no-check-certificate'.
Is your bundle's hash the same?
from ca-bundle.
That's the bundle I mean (sha1 starting with ed3c0bbfb7912). And my wget 1.16.3 on Linux (using GnuTLS) can also get that site just fine with that bundle! (and then it fails on a 403):
$ wget --ca-certificate=ca-bundle.crt https://d1vl1ofn2ptkx.cloudfront.net/
--2015-10-05 09:41:43-- https://d1vl1ofn2ptkx.cloudfront.net/
Loaded CA certificate 'ca-bundle.crt'
Resolving d1vl1ofn2ptkx.cloudfront.net (d1vl1ofn2ptkx.cloudfront.net)... 54.230.96.5, 205.251.219.58, 205.251.219.10, ...
Connecting to d1vl1ofn2ptkx.cloudfront.net (d1vl1ofn2ptkx.cloudfront.net)|54.230.96.5|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2015-10-05 09:41:44 ERROR 403: Forbidden.
from ca-bundle.
Hm, my wget is using gnutls.
from ca-bundle.
I've tried on Debian Linux and everything is the same as with yours.
from ca-bundle.
CFLAGS+=--with-ssl=openssl
wget v1.13.4
openssl v1.0.1e
$ ./wget --ca-certificate=ca-bundle.crt https://d1vl1ofn2ptkx.cloudfront.net/
--2015-10-05 10:22:11-- https://d1vl1ofn2ptkx.cloudfront.net/
Resolving d1vl1ofn2ptkx.cloudfront.net (d1vl1ofn2ptkx.cloudfront.net)... 54.240.162.57, 54.240.162.21, 54.240.162.46, ...
Connecting to d1vl1ofn2ptkx.cloudfront.net (d1vl1ofn2ptkx.cloudfront.net)|54.240.162.57|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2015-10-05 10:22:11 ERROR 403: Forbidden.
So it seems to be a Windows or OpenSSL 1.0.2a specific issue.
Windows binary from: https://eternallybored.org/misc/wget/
from ca-bundle.
Got OpenSSL 1.0.2a for Windows from https://indy.fulgan.com/SSL/
C:\>openssl.exe s_client -CAfile ca-bundle.crt -connect d1vl1ofn2ptkx.cloudfront.net:443
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
CONNECTED(000001BC)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.cloudfront.net
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body elided]
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.cloudfront.net
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4707 bytes and written 473 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 977A664610F7BB54F1AC13B1227DCD49F739803E55CF2AB3A8919E0E75FBA27C
Session-ID-ctx:
Master-Key: 33AEE9102FADAF1AE4512FD5738556191128BAD127CC93C950F084A4304FBB7890E1D2A886E0D55EC3C351D4C3678F34
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 10800 (seconds)
TLS session ticket:
0000 - fb fe cf 51 6e 8b 39 f0-18 ec 53 b5 3c ae b0 1b ...Qn.9...S.<...
0010 - 5e f3 96 39 e0 01 b0 bb-71 72 34 f7 1d 84 0d a5 ^..9....qr4.....
0020 - 7a df a2 17 90 c3 8b 9f-97 9c 14 60 60 c8 04 08 z..........``...
0030 - e9 ec c3 60 86 a7 8e 25-1c 6b 58 59 b4 68 d4 ac ...`...%.kXY.h..
0040 - d4 1b 5f 22 78 02 00 44-1f fd 07 4e ec ad 5e c5 .._"x..D...N..^.
0050 - 8f 51 6a c5 5f 66 b2 9b-1a 2f c8 01 79 a0 ac 4b .Qj._f.../..y..K
0060 - 8c 4d 0b aa 70 dc c8 90-80 6a 2e fd 2a 16 ff e4 .M..p....j..*...
0070 - e0 60 95 85 ea 64 b7 87-98 f7 33 8f 59 c2 cd b5 .`...d....3.Y...
0080 - b3 02 fe a2 ba 46 6d 86-c3 22 0c 65 d8 13 2d 24 .....Fm..".e..-$
0090 - 93 6a c1 dc 75 5f 0e e3-72 90 aa 7f 0f 1e 9d 43 .j..u_..r......C
Start Time: 1444033791
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
Maybe an OpenSSL 1.0.2a bug?? For example -connect github.com:443 returns Verify return code: 0 (ok)
from ca-bundle.
Tried also with OpenSSL 1.0.1e on Windows, it also returns Verify return code: 20 (unable to get local issuer certificate)
so it is a Windows problem.
from ca-bundle.
For googlers, this is my solution for Windows:
:: Download deb package from https://packages.debian.org/stable/all/ca-certificates/download
7za e -t# "ca-certificates_*_all.deb" 4.xz
7za e "4.xz"
7za e -o.\bundle "4" .\usr\share\ca-certificates\mozilla\*.crt
type .\bundle\*.crt > C:/bin/utl/ca-certificates.crt
from ca-bundle.
it is a Windows problem.
It is good you narrowed it down to that, but man, that's still annoying and probably not completely trivial to nail down
from ca-bundle.
I am sorry, I am no expert on certificates. It sounds fantastic to me that only VeriSign Class 3 G3 + Windows fails.
from ca-bundle.
After picking that cert from your bundle and from the Debian package: They have the cert bits!
The only thing is the formatting: your lines are 76 characters long, Debian's are 64.
Could it be the cause?
from ca-bundle.
mk-ca-bundle.pl has a -w option that lets you set the wrap column. It so feels like it shouldn't have anything to do with it...
from ca-bundle.
It turned out that there are two different certs with the same name: Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Both are here: https://gist.github.com/szepeviktor/5b6b473410b2a7915ab7
Diff: https://gist.github.com/szepeviktor/abc19f03573f174fec18/revisions?diff=split
*Note the subjects are not different
from ca-bundle.
This is the cross-signed certificates bug in OpenSSL. See
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1014640
from ca-bundle.
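Two checks a practitioner would want after the discussion above: first, whether the 76-column mk-ca-bundle.pl output and the 64-column Debian output really contain the same certificates (compare the decoded DER, not the text), and second, which subjects occur more than once in a bundle, which is exactly how the self-signed and cross-signed copies of the G5 root were found. The script below is an added example for this thread, not code from curl's mk-ca-bundle.pl or Debian's ca-certificates. It uses only the Python standard library: PEM is decoded to DER and subject, issuer and CN are read with a minimal DER walker, so no cryptography package is needed. The two sample bundles at the bottom are constructed, unsigned skeleton certificates built only to exercise the checks; they are not real CA certificates, and the names in them are invented.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3


def pem_to_ders(pem_bytes):
    """DER of every certificate in a PEM bundle. Whitespace inside the base64 body is
    discarded, so a 64-column and a 76-column wrap of one cert give identical DER."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]


def der_tlv(buf, pos=0):
    """Decode one DER TLV (single-byte tags only) at pos: (tag, value, end_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the value of a constructed DER element into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def name_cn(name_value):
    """commonName from the value of an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn_set in der_children(name_value):
        for _, atv in der_children(rdn_set):
            oid, val = der_children(atv)[:2]
            if oid[1] == CN_OID:
                return val[1].decode("utf-8", "replace")
    return ""


def cert_summary(der):
    """Raw subject/issuer Name DER, their CNs, self-signed flag and SHA-256 of the cert."""
    _, cert, _ = der_tlv(der)
    _, tbs, _ = der_tlv(cert)  # tbsCertificate is the first element of Certificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # [0] EXPLICIT version is optional; skip it if present
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]  # serial, sigAlg, issuer, validity, subject
    return {"fingerprint": hashlib.sha256(der).hexdigest(), "subject": subject,
            "issuer": issuer, "subject_cn": name_cn(subject), "issuer_cn": name_cn(issuer),
            "self_signed": subject == issuer}


def duplicate_subjects(pem_bytes):
    """Subject CNs seen more than once, each mapped to its (issuer CN, self_signed) list.
    A root present both self-signed and cross-signed by an older root shows up here."""
    by_subject = {}
    for der in pem_to_ders(pem_bytes):
        s = cert_summary(der)
        by_subject.setdefault(s["subject_cn"], []).append((s["issuer_cn"], s["self_signed"]))
    return {cn: v for cn, v in by_subject.items() if len(v) > 1}


def same_certs(pem_a, pem_b):
    """True if both bundles hold exactly the same certificates by SHA-256 of their DER."""
    def fps(pem):
        return sorted(hashlib.sha256(d).hexdigest() for d in pem_to_ders(pem))
    return fps(pem_a) == fps(pem_b)


# --- constructed sample data (hypothetical names, unsigned skeleton certificates) ---
def tlv(tag, body):
    n = len(body)
    enc = bytes([n]) if n < 128 else bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + enc + body


def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode()))))


def skeleton_cert(subject_cn, issuer_cn):
    """Only the tbsCertificate fields the walker reads; signature fields are placeholders."""
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
           + tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA OID
           + name(issuer_cn) + tlv(0x30, tlv(0x17, b"150101000000Z") * 2) + name(subject_cn))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))


def to_pem(der, width):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# The G5-style root appears twice: self-signed and cross-signed by an older root.
SAMPLE_CERTS = [skeleton_cert("Example Root G5", "Example Root G5"),
                skeleton_cert("Example Root G5", "Example Root Classic"),
                skeleton_cert("Example Root Classic", "Example Root Classic")]
BUNDLE_76 = "".join(to_pem(d, 76) for d in SAMPLE_CERTS).encode()  # mk-ca-bundle.pl wrap
BUNDLE_64 = "".join(to_pem(d, 64) for d in SAMPLE_CERTS).encode()  # Debian wrap

if __name__ == "__main__":
    print("same certs despite wrap width:", same_certs(BUNDLE_76, BUNDLE_64))
    for cn, issuers in duplicate_subjects(BUNDLE_76).items():
        print(f"subject {cn!r} appears {len(issuers)}x, issued by:", issuers)
```

Run against real bundles by replacing BUNDLE_76 and BUNDLE_64 with the bytes of ca-bundle.crt and Debian's ca-certificates.crt: `same_certs` answers the wrap-column question directly, and `duplicate_subjects` lists every subject with more than one certificate, with the self-signed flag telling the original root apart from its cross-signed copy. Real CA names are usually PrintableString rather than UTF8String; the walker decodes the raw bytes either way, since it dispatches on the attribute OID, not on the string tag.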