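Sunday, March 25, 2018

Peugeot 206CC center pipe repair

On my Peugeot 206CC's exhaust, the flange of the center pipe, at the joint between the silencer and the center pipe, rusted and split.
This is with the clamp removed and the flange tidied up a little with an angle grinder.

From the other side.

The center pipe's outer diameter was about 54 mm. Scaffold tube has an outer diameter of 48.6 mm. I thought it might fit just right, so I cut a piece to a suitable length with a pipe cutter.

It went in rather nicely. The silencer side seems to be a bit wider, so the gap there is larger.

I wrapped a cut-open aluminum can around it and tightened bands over the center pipe section, the scaffold tube section and the silencer section. I think it turned out reasonably well.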

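Saturday, March 24, 2018

Sunday, March 18, 2018

Rust treatment of the Peugeot 206CC exhaust center pipe

The center pipe. The rust had been bothering me.
Getting out the angle grinder felt like a chore, so I hoped a drill driver with a wire brush would do the job.
It was tough after all. The wire brush would have taken until sundown, so I switched to the angle grinder.
The rust went on endlessly along the weld. It probably won't rust through; if this treatment works out, I'll do the rest another time.
The heat-resistant paint came out generously and ended up a bit gloopy. Well, looks don't matter.

Tuesday, April 1, 2014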

CRL

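Notes from trying this out myself, based on the article "Checking a server certificate revocation list (CRL) with openssl" on IKB: 雑記帖 (http://d.hatena.ne.jp/i_k_b/20100112/1263293430). I use openssl s_client to make an HTTPS connection to www.twitter.com, adding the -crl_check_all option so that the CRLs are checked.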

komatsu@wheezy32:~/crl/twitter$ openssl s_client -connect www.twitter.com:443 -CApath /usr/lib/ssl/certs -crl_check_all
CONNECTED(00000003)
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com
verify error:num=3:unable to get certificate CRL
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com
verify return:1
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3724 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 4CEDB3FC5A820E37A63E8BB15FF99B8C59282EFFE60390E6FB0515E1B24FFCEE
    Session-ID-ctx:
    Master-Key: 505BC043E8F25CDFF38548BC126409B8893AD342B5705B03E6A6266F136B42736009969474542DD4C4364F382898BC1F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 129600 (seconds)
    TLS session ticket:
    0000 - a6 72 98 9f a2 93 44 9e-7d 0a e7 0a e8 6d cc 8a   .r....D.}....m..
    0010 - 23 32 ae ee 10 86 d8 28-0c 7e d1 dc 3a 0e 49 57   #2.....(.~..:.IW
    0020 - c7 0b fc 29 83 90 77 5f-a2 cf 15 d7 89 7d 3c 72   ...)..w_.....}'...SKP
    0050 - cc fb 0b 3a 37 f3 ad 79-e2 b5 dd a2 11 11 f1 6b   ...:7..y.......k
    0060 - 39 d0 61 bd b4 14 08 46-c0 1a f0 63 66 a9 98 5e   9.a....F...cf..^
    0070 - ca 80 5f cb 66 c9 9f b2-a0 e6 1f 7d 7f 8e 4f c6   .._.f......}..O.
    0080 - d8 2f 36 a9 f3 be dc 3e-b6 d2 17 f4 49 f7 5d a1   ./6....>....I.].
    0090 - 23 dd b3 55 f8 fb 46 0e-5e fc aa 3b 12 b3 55 53   #..U..F.^..;..US

    Start Time: 1396333799
    Timeout   : 300 (sec)
    Verify return code: 3 (unable to get certificate CRL)
---
DONE
It reports Verify return code: 3 (unable to get certificate CRL). The part from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- is the server certificate. To display the certificate chain, add the -showcerts option, as follows.

komatsu@wheezy32:~/crl/twitter$ openssl s_client -connect www.twitter.com:443 -showcerts -CApath /usr/lib/ssl/certs -crl_check_all
CONNECTED(00000003)
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com
verify error:num=3:unable to get certificate CRL
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com
verify return:1
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
-----BEGIN CERTIFICATE-----
MIIGCjCCBPKgAwIBAgIQdbUtAnjI7txzcujLk8mZgzANBgkqhkiG9w0BAQUFADCB
ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMr
VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTAeFw0x
NDAzMDUwMDAwMDBaFw0xNjA1MDkyMzU5NTlaMIIBEjETMBEGCysGAQQBgjc8AgED
EwJVUzEZMBcGCysGAQQBgjc8AgECEwhEZWxhd2FyZTEdMBsGA1UEDxMUUHJpdmF0
ZSBPcmdhbml6YXRpb24xEDAOBgNVBAUTBzQzMzc0NDYxCzAJBgNVBAYTAlVTMRMw
EQYDVQQRFAo5NDEwMy0xMzA3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
FA1TYW4gRnJhbmNpc2NvMRcwFQYDVQQJFA4xMzU1IE1hcmtldCBTdDEWMBQGA1UE
ChQNVHdpdHRlciwgSW5jLjEZMBcGA1UECxQQVHdpdHRlciBTZWN1cml0eTEUMBIG
A1UEAxQLdHdpdHRlci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC92fD2ip3EiwPUtR4c3oCPcwt7/4PxX1Ya/qR2/Myrvm+8vFXgZzZ5esJD0kzi
OoaT1JwUsmT5iWZLnwBYAxTbd3f+hXrTijufWanfb6MfMa9mFmdFR644B3fiiNEI
S7Bac2Mi/1aJaJtfgoSFKqFPLR1RDpMe0IAL1vaSzpaG4bRsrSvRoR4OsY1h1NAp
6Jbhe7eT/LiEM++vSyS2cemeCsjPFVcDsEZVrjvC3anPxtnyiftzvBOI3zwpLJBQ
9UmfyQls2eVih31WmPcnfXu6qzZ2JRJtdspn7CowUOP6qWDSHGBZ+4ASZBivKHEB
edrCab55Dcq2VG0aRE5JHtTbAgMBAAGjggGvMIIBqzAnBgNVHREEIDAegg93d3cu
dHdpdHRlci5jb22CC3R3aXR0ZXIuY29tMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBEBgNVHSAEPTA7MDkG
C2CGSAGG+EUBBxcGMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWdu
LmNvbS9jcHMwHQYDVR0OBBYEFLnaKkiHft8y4obAI/orb1DR4wsTMB8GA1UdIwQY
MBaAFPyKULqeuSVae1WFT5UAY4/pWGtDMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6
Ly9FVlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL0VWU2VjdXJlMjAwNi5jcmwwfAYI
KwYBBQUHAQEEcDBuMC0GCCsGAQUFBzABhiFodHRwOi8vRVZTZWN1cmUtb2NzcC52
ZXJpc2lnbi5jb20wPQYIKwYBBQUHMAKGMWh0dHA6Ly9FVlNlY3VyZS1haWEudmVy
aXNpZ24uY29tL0VWU2VjdXJlMjAwNi5jZXIwDQYJKoZIhvcNAQEFBQADggEBAHu4
pCmubKOovcYpFt6ILTjTncrGxdzzEO0lGeaYPSTrZM9M+yq3t+g0WAaM9/b3aibJ
XVXjqvgu+1kVTjEb52+vml5D2fB5Hw+/RzqxEc3zQbg/SxbMiMHQDMBri8wEKOjX
wcb5m7HX1Qoa20KUflZT6MEi14Nl4fMZATXW3BksjEafi242mVMzuxY1k+kumbs4
G3gos0K9zcqFC0FOnWKSVKTf6+5/e88zTdlGKERgJ6GwTy104K8NPjI+up2kXsdS
hEFIX6b2kJd15KVvLASKE4UxyyglwyMSmL+JGGutsKb5A7KS9z1QkIkneaa9ewDO
paE+/aedEG9QrMG8ONY=
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3724 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: F7233C40A536FF8BDB8D68FF46B476E91DC2B470B15C86FA453D315048E56DF5
    Session-ID-ctx:
    Master-Key: 703EF14EE55F2F7B20B41E14F96C5A50F3B660F9913D74A9863F0D95B60799BD0D00EB1CB7034615B3482031EC9187D5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 129600 (seconds)
    TLS session ticket:
    0000 - a6 72 98 9f a2 93 44 9e-7d 0a e7 0a e8 6d cc 8a   .r....D.}....m..
    0010 - 7f 94 fd 2f ca 8c 75 05-14 dc 72 d7 b2 88 11 0d   .../..u...r.....
    0020 - dd 69 56 12 c0 5e 1e c0-91 0b a1 55 52 6d d7 62   .iV..^.....URm.b
    0030 - cf a2 27 90 99 88 bb 36-d8 10 b7 77 2b 62 33 7d   ..'....6...w+b3}
    0040 - 93 4b de 56 52 d5 7b b2-aa 86 19 38 a9 18 19 78   .K.VR.{....8...x
    0050 - f9 22 a5 92 bd 25 74 b8-38 07 00 c3 84 1e 6c b4   ."...%t.8.....l.
    0060 - fa 13 69 d7 09 80 5d c7-3f ba 87 27 d8 ed a4 d3   ..i...].?..'....
    0070 - 3c ac e5 86 61 fd f9 11-a5 ae 02 49 99 20 50 53   <...a......I. PS
    0080 - 94 fe 87 b5 19 93 f0 36-cb 93 91 fe b5 cf c6 fb   .......6........
    0090 - 16 aa c5 68 b0 d4 4e a7-2e b3 4b 20 a0 3e 7b 9d   ...h..N...K .>{.

    Start Time: 1396337828
    Timeout   : 300 (sec)
    Verify return code: 3 (unable to get certificate CRL)
---
DONE

The first certificate looks like the twitter.com server certificate. I cut it out into a text file, twitter_cer, and look at it with openssl x509.
komatsu@wheezy32:~/crl/twitter$ openssl x509 -text -noout -in twitter_cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            75:b5:2d:02:78:c8:ee:dc:73:72:e8:cb:93:c9:99:83
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL CA
        Validity
            Not Before: Mar  5 00:00:00 2014 GMT
            Not After : May  9 23:59:59 2016 GMT
        Subject: 1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446, C=US/postalCode=94103-1307, ST=California, L=San Francisco/street=1355 Market St, O=Twitter, Inc., OU=Twitter Security, CN=twitter.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bd:d9:f0:f6:8a:9d:c4:8b:03:d4:b5:1e:1c:de:
                    80:8f:73:0b:7b:ff:83:f1:5f:56:1a:fe:a4:76:fc:
                    cc:ab:be:6f:bc:bc:55:e0:67:36:79:7a:c2:43:d2:
                    4c:e2:3a:86:93:d4:9c:14:b2:64:f9:89:66:4b:9f:
                    00:58:03:14:db:77:77:fe:85:7a:d3:8a:3b:9f:59:
                    a9:df:6f:a3:1f:31:af:66:16:67:45:47:ae:38:07:
                    77:e2:88:d1:08:4b:b0:5a:73:63:22:ff:56:89:68:
                    9b:5f:82:84:85:2a:a1:4f:2d:1d:51:0e:93:1e:d0:
                    80:0b:d6:f6:92:ce:96:86:e1:b4:6c:ad:2b:d1:a1:
                    1e:0e:b1:8d:61:d4:d0:29:e8:96:e1:7b:b7:93:fc:
                    b8:84:33:ef:af:4b:24:b6:71:e9:9e:0a:c8:cf:15:
                    57:03:b0:46:55:ae:3b:c2:dd:a9:cf:c6:d9:f2:89:
                    fb:73:bc:13:88:df:3c:29:2c:90:50:f5:49:9f:c9:
                    09:6c:d9:e5:62:87:7d:56:98:f7:27:7d:7b:ba:ab:
                    36:76:25:12:6d:76:ca:67:ec:2a:30:50:e3:fa:a9:
                    60:d2:1c:60:59:fb:80:12:64:18:af:28:71:01:79:
                    da:c2:69:be:79:0d:ca:b6:54:6d:1a:44:4e:49:1e:
                    d4:db
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.twitter.com, DNS:twitter.com
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.6
                  CPS: https://www.verisign.com/cps

            X509v3 Subject Key Identifier:
                B9:DA:2A:48:87:7E:DF:32:E2:86:C0:23:FA:2B:6F:50:D1:E3:0B:13
            X509v3 Authority Key Identifier:
                keyid:FC:8A:50:BA:9E:B9:25:5A:7B:55:85:4F:95:00:63:8F:E9:58:6B:43

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://EVSecure-crl.verisign.com/EVSecure2006.crl

            Authority Information Access:
                OCSP - URI:http://EVSecure-ocsp.verisign.com
                CA Issuers - URI:http://EVSecure-aia.verisign.com/EVSecure2006.cer

    Signature Algorithm: sha1WithRSAEncryption
         7b:b8:a4:29:ae:6c:a3:a8:bd:c6:29:16:de:88:2d:38:d3:9d:
         ca:c6:c5:dc:f3:10:ed:25:19:e6:98:3d:24:eb:64:cf:4c:fb:
         2a:b7:b7:e8:34:58:06:8c:f7:f6:f7:6a:26:c9:5d:55:e3:aa:
         f8:2e:fb:59:15:4e:31:1b:e7:6f:af:9a:5e:43:d9:f0:79:1f:
         0f:bf:47:3a:b1:11:cd:f3:41:b8:3f:4b:16:cc:88:c1:d0:0c:
         c0:6b:8b:cc:04:28:e8:d7:c1:c6:f9:9b:b1:d7:d5:0a:1a:db:
         42:94:7e:56:53:e8:c1:22:d7:83:65:e1:f3:19:01:35:d6:dc:
         19:2c:8c:46:9f:8b:6e:36:99:53:33:bb:16:35:93:e9:2e:99:
         bb:38:1b:78:28:b3:42:bd:cd:ca:85:0b:41:4e:9d:62:92:54:
         a4:df:eb:ee:7f:7b:cf:33:4d:d9:46:28:44:60:27:a1:b0:4f:
         2d:74:e0:af:0d:3e:32:3e:ba:9d:a4:5e:c7:52:84:41:48:5f:
         a6:f6:90:97:75:e4:a5:6f:2c:04:8a:13:85:31:cb:28:25:c3:
         23:12:98:bf:89:18:6b:ad:b0:a6:f9:03:b2:92:f7:3d:50:90:
         89:27:79:a6:bd:7b:00:ce:a5:a1:3e:fd:a7:9d:10:6f:50:ac:
         c1:bc:38:d6
I see. It is as follows.
  • Issuer: CN=VeriSign Class 3 Extended Validation SSL CA
  • Subject: CN=twitter.com
  • X509v3 CRL Distribution Points: URI:http://EVSecure-crl.verisign.com/EVSecure2006.crl
I save the second certificate as VeriSignEV_cer and look at it.
komatsu@wheezy32:~/crl/twitter$ openssl x509 -text -noout -in VeriSignEV_cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5b:77:59:c6:17:84:e1:5e:c7:27:c0:32:95:29:28:6b
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Nov  8 00:00:00 2006 GMT
            Not After : Nov  7 23:59:59 2016 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:98:db:a0:55:eb:9c:fd:17:79:e3:9a:6e:14:1d:
                    b1:5b:98:23:87:16:6e:87:76:9c:b5:38:3b:b5:a0:
                    7a:b4:07:63:09:19:e6:2a:88:48:a9:e7:9d:b6:30:
                    5a:08:97:0c:ec:aa:e4:16:69:72:62:23:9a:fb:7a:
                    54:28:98:c5:0c:2d:b7:d7:22:b6:c8:f9:38:17:c7:
                    dd:da:31:46:9a:94:14:8e:9e:ee:78:a0:b7:22:d4:
                    49:54:97:4d:e5:74:5b:92:bc:ec:6c:2c:df:e7:c1:
                    b6:1b:1a:55:6b:66:08:03:7f:45:af:9a:33:f1:10:
                    c0:6c:99:4a:92:24:31:08:6d:dd:02:3e:61:76:78:
                    78:b6:ed:7e:37:ae:6c:f3:89:e1:b7:e1:dc:15:cc:
                    b7:56:9f:80:a0:b1:05:7f:4e:37:15:ff:b7:2f:1e:
                    8f:06:38:3f:50:b7:69:28:a3:b5:66:5f:36:1a:52:
                    48:43:66:52:df:a2:92:4f:d3:18:60:be:e3:ea:5e:
                    19:71:05:bf:9e:1c:6c:68:72:25:6f:b3:7b:73:c9:
                    6d:bd:12:ff:9b:41:32:5e:f4:e8:7e:c5:0b:a3:4c:
                    64:d1:4e:bc:26:08:65:fb:19:97:58:78:e1:33:bf:
                    ed:68:3e:b1:27:45:6f:c0:e2:ec:97:69:f7:5c:d3:
                    f7:51
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FC:8A:50:BA:9E:B9:25:5A:7B:55:85:4F:95:00:63:8F:E9:58:6B:43
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: https://www.verisign.com/cps

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://EVSecure-crl.verisign.com/pca3-g5.crl

            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Netscape Cert Type:
                SSL CA, S/MIME CA
            1.3.6.1.5.5.7.1.12:
                0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
            X509v3 Subject Alternative Name:
                DirName:/CN=Class3CA2048-1-47
            Authority Information Access:
                OCSP - URI:http://EVSecure-ocsp.verisign.com

            X509v3 Authority Key Identifier:
                keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33

    Signature Algorithm: sha1WithRSAEncryption
         96:a2:fa:7f:e6:3d:ed:d4:2b:ce:b7:15:3f:c0:72:03:5f:8b:
         ba:16:90:25:f7:c2:83:d8:c7:75:34:63:68:12:53:0c:53:89:
         7b:c9:56:09:a7:c3:36:44:4e:0e:d0:62:62:b3:86:fa:e8:a1:
         9b:34:67:8d:53:22:17:3e:fd:ac:ee:67:2e:43:e2:5d:7f:33:
         84:f2:a2:70:c0:6e:82:97:c0:34:fd:25:c6:23:7f:ed:e6:b0:
         c5:57:43:84:b2:de:2d:f1:d0:f6:48:1f:14:71:57:b2:ac:31:
         e1:97:24:23:c9:13:5d:74:e5:46:ef:09:7c:9e:e1:99:31:0a:
         08:79:1b:8f:71:9f:17:66:c8:38:cf:ee:8c:97:b6:06:b9:73:
         46:e4:d3:94:c1:e5:60:b5:25:75:2d:d9:69:31:ec:cd:96:c3:
         a3:76:fd:e8:74:44:ac:12:b9:4d:bf:51:e8:b9:d4:44:4e:27:
         cb:ae:20:d1:7e:2a:7c:b6:63:47:9e:76:ba:97:d0:16:e7:0b:
         6c:6d:f7:43:6f:33:0b:29:30:77:fa:9d:f9:f5:4e:b8:76:b3:
         cd:18:b4:f9:20:ef:3d:db:e6:ca:ad:9b:d0:4e:d2:87:a9:0d:
         a6:44:73:50:dd:70:5b:ed:ad:7e:4a:bc:22:d5:a8:26:e4:c2:
         85:20:0d:d9
Hmm. It is as follows.
  • Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5
  • Subject: CN=VeriSign Class 3 Extended Validation SSL CA
  • X509v3 CRL Distribution Points: URI:http://EVSecure-crl.verisign.com/pca3-g5.crl
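This one is issued by VeriSign Class 3 Public Primary Certification Authority - G5 (see the Issuer). The next step up the certificate chain is the root certificate. It has nothing to do with this topic (checking CRLs), but I'll look for it while I'm here. The root certificates this PC holds are in /usr/lib/ssl/certs, so I look for a likely one.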
komatsu@wheezy32:~/crl/twitter$ ls /usr/lib/ssl/certs/*eri*
/usr/lib/ssl/certs/America_Online_Root_Certification_Authority_1.pem
/usr/lib/ssl/certs/America_Online_Root_Certification_Authority_2.pem
/usr/lib/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
/usr/lib/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
/usr/lib/ssl/certs/VeriSign_Universal_Root_Certification_Authority.pem
/usr/lib/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority.pem
/usr/lib/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.pem
/usr/lib/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
/usr/lib/ssl/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.pem
/usr/lib/ssl/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
/usr/lib/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.pem
/usr/lib/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.pem
/usr/lib/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
/usr/lib/ssl/certs/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.pem
It must be /usr/lib/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem. I look at it with openssl x509.
komatsu@wheezy32:~/crl/twitter$ openssl x509 -text -noout -in /usr/lib/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Nov  8 00:00:00 2006 GMT
            Not After : Jul 16 23:59:59 2036 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:af:24:08:08:29:7a:35:9e:60:0c:aa:e7:4b:3b:
                    4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:
                    08:a3:64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:
                    2a:aa:a6:42:b3:8f:f8:b9:55:b7:b1:b7:4b:b3:fe:
                    8f:7e:07:57:ec:ef:43:db:66:62:15:61:cf:60:0d:
                    a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:
                    54:85:26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:
                    d8:43:63:6a:52:4b:d2:8f:e8:70:51:4d:d1:89:69:
                    7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b:56:d3:96:
                    bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:
                    f4:06:04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:
                    ba:f4:3c:ee:e0:8b:eb:37:8b:ec:f4:d7:ac:f2:f6:
                    f0:3d:af:dd:75:91:33:19:1d:1c:40:cb:74:24:19:
                    21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:
                    63:47:88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:
                    ae:0e:9d:d4:d1:43:c0:67:73:e3:14:08:7e:e5:3f:
                    9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a:ee:53:e8:
                    25:15
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            1.3.6.1.5.5.7.1.12:
                0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
            X509v3 Subject Key Identifier:
                7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
    Signature Algorithm: sha1WithRSAEncryption
         93:24:4a:30:5f:62:cf:d8:1a:98:2f:3d:ea:dc:99:2d:bd:77:
         f6:a5:79:22:38:ec:c4:a7:a0:78:12:ad:62:0e:45:70:64:c5:
         e7:97:66:2d:98:09:7e:5f:af:d6:cc:28:65:f2:01:aa:08:1a:
         47:de:f9:f9:7c:92:5a:08:69:20:0d:d9:3e:6d:6e:3c:0d:6e:
         d8:e6:06:91:40:18:b9:f8:c1:ed:df:db:41:aa:e0:96:20:c9:
         cd:64:15:38:81:c9:94:ee:a2:84:29:0b:13:6f:8e:db:0c:dd:
         25:02:db:a4:8b:19:44:d2:41:7a:05:69:4a:58:4f:60:ca:7e:
         82:6a:0b:02:aa:25:17:39:b5:db:7f:e7:84:65:2a:95:8a:bd:
         86:de:5e:81:16:83:2d:10:cc:de:fd:a8:82:2a:6d:28:1f:0d:
         0b:c4:e5:e7:1a:26:19:e1:f4:11:6f:10:b5:95:fc:e7:42:05:
         32:db:ce:9d:51:5e:28:b6:9e:85:d3:5b:ef:a5:7d:45:40:72:
         8e:b7:0e:6b:0e:06:fb:33:35:48:71:b8:9d:27:8b:c4:65:5f:
         0d:86:76:9c:44:7a:f6:95:5c:f6:5d:32:08:33:a4:54:b6:18:
         3f:68:5c:f2:42:4a:85:38:54:83:5f:d1:e8:2c:f2:ac:11:d6:
         a8:ed:63:6a
Now, to deal with the Verify return code: 3 (unable to get certificate CRL). The server certificate said its CRL is at http://EVSecure-crl.verisign.com/EVSecure2006.crl. The CA certificate said its CRL is at http://EVSecure-crl.verisign.com/pca3-g5.crl. To get ahead of myself: the CRLs are in DER format, and the commands below assume that.
komatsu@wheezy32:~/crl/twitter$ curl -O http://EVSecure-crl.verisign.com/EVSecure2006.crl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 78495  100 78495    0     0  90680      0 --:--:-- --:--:-- --:--:--  125k
komatsu@wheezy32:~/crl/twitter$ curl -O http://EVSecure-crl.verisign.com/pca3-g5.crl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   533  100   533    0     0   1868      0 --:--:-- --:--:-- --:--:--  4230
komatsu@wheezy32:~/crl/twitter$ openssl crl -inform der -in EVSecure2006.crl > EVSecure2006_crl.pem
komatsu@wheezy32:~/crl/twitter$ openssl crl -inform der -in pca3-g5.crl > pca3-g5_crl.pem
komatsu@wheezy32:~/crl/twitter$ c_rehash ./
Doing ./
EVSecure2006_crl.pem => 6e7f22c1.r0
pca3-g5_crl.pem => b204d74a.r0
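The reason for converting from DER to PEM first is that c_rehash needs to be run. Let's display the contents of EVSecure2006_crl.pem. There are a huge number of entries, so the middle is omitted.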
komatsu@wheezy32:~/crl/twitter$ openssl crl -text -noout -in EVSecure2006_crl.pem
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
        Last Update: Apr  1 09:00:13 2014 GMT
        Next Update: Apr  8 09:00:13 2014 GMT
Revoked Certificates:
    Serial Number: 01039B9A531A83BF3D5B72D4D93353C6
        Revocation Date: Oct 17 15:18:35 2013 GMT
    Serial Number: 011560DAEC2AD07BB6BA5A4E086C5368
        Revocation Date: Feb 22 16:52:48 2013 GMT
    Serial Number: 01383C60E00837685363D186FBEA08E0
        Revocation Date: Jul  2 20:56:41 2013 GMT
(a huge number of entries, omitted)
    Serial Number: 7FDFD55D5CA39ECD5519CA17E6B7C385
        Revocation Date: Dec  8 13:02:58 2013 GMT
    Serial Number: 7FE9E380635C61EE122DA06B4A516C1C
        Revocation Date: Jul  3 01:04:18 2013 GMT
    Signature Algorithm: sha1WithRSAEncryption
         09:7e:ac:8d:51:7d:f7:d6:99:0d:9d:38:0a:60:cb:c2:f0:2a:
         81:10:8d:24:57:9b:f6:73:a1:99:f3:ee:49:7c:0c:09:bc:ae:
         d6:e5:0a:bc:d1:8a:f6:29:b3:ca:53:7b:a1:98:d1:48:69:72:
         2c:65:f8:0b:c3:0d:c3:2d:a8:e0:3f:bc:bc:4c:2e:72:1d:e0:
         b0:50:a7:69:c4:cb:70:c3:f8:9b:bc:4e:73:f8:34:9b:54:66:
         81:40:94:7e:d8:b4:18:cc:3e:49:83:7d:77:04:24:5c:d5:76:
         cb:5d:f4:de:1c:ae:a4:27:bd:d2:0e:fe:6d:9e:ad:42:1b:11:
         54:c1:54:b1:a9:e2:30:21:ef:02:f9:30:00:44:77:b1:13:c8:
         ed:9e:19:cf:d7:00:4f:41:08:28:5e:d5:26:39:a5:43:f4:a4:
         28:eb:70:69:1d:eb:d1:c7:15:fc:a3:5e:27:24:89:bb:bb:7c:
         ee:4d:5f:27:12:1b:1a:01:c3:80:05:e2:d2:10:b3:74:e0:40:
         a3:de:14:46:46:0c:6f:45:72:1b:7e:76:83:77:d5:c2:80:f1:
         75:27:cb:23:80:d2:c7:b8:b0:2a:10:19:f4:43:6a:73:05:06:
         5f:6a:d6:4a:dd:b6:6e:4a:50:5f:9a:24:6b:53:c2:f2:49:cf:
         86:a0:e4:69
Let's display the contents of pca3-g5_crl.pem. This one actually has no revoked certificates.
komatsu@wheezy32:~/crl/twitter$ openssl crl -text -noout -in pca3-g5_crl.pem
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Last Update: Mar 20 00:00:00 2014 GMT
        Next Update: Jun 30 23:59:59 2014 GMT
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption
         7d:17:bf:fb:61:c0:44:5b:f3:f2:38:e3:c0:69:19:fe:f4:c0:
         e8:67:38:d2:dc:53:89:c8:74:74:8a:2e:61:be:65:ca:42:5d:
         e2:a8:76:bc:6c:39:1c:6d:90:c3:00:00:bb:7e:80:47:28:6c:
         92:1d:84:47:80:a4:23:7a:7b:fa:f8:f5:5a:61:90:ba:46:e3:
         71:88:1e:9c:fa:32:5e:58:1e:a8:77:d3:69:27:0e:26:0c:f1:
         6e:ba:92:e0:34:76:38:ab:2b:26:7c:2f:59:c6:42:fb:17:25:
         1c:bc:4a:f8:ab:67:30:ca:22:6b:1f:30:0c:cb:b2:da:41:9b:
         e5:37:9c:29:68:c1:05:15:3d:35:a1:e9:f9:cb:27:5a:a0:7f:
         d1:9a:14:dc:90:19:79:b5:59:65:d4:b8:04:85:a1:9e:c6:4d:
         d5:13:5f:35:ff:39:13:e2:42:e3:2a:aa:f0:2b:8f:34:7a:40:
         e6:37:23:b3:89:f0:ba:ec:86:2b:55:4c:db:46:89:16:85:fd:
         89:f3:69:44:67:16:df:36:ef:b7:d4:27:7a:24:89:45:de:45:
         08:b2:2a:ec:17:67:9a:0b:ef:32:a5:40:44:e1:c9:a1:9d:df:
         26:76:d7:90:ea:6f:85:a6:3e:87:ce:6b:31:4e:f4:93:07:50:
         8f:e3:02:69

Having fetched the CRLs into the current directory by hand and run c_rehash so that they can be used, I add the current directory to the -CApath option of openssl s_client and connect again.
komatsu@wheezy32:~/crl/twitter$ openssl s_client -connect www.twitter.com:443 -CApath /usr/lib/ssl/certs:. -crl_check_all
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com
verify return:1
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3724 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 7672190CF526687DAA3BC38E0A400D629DB857E5091F9DF27375DC11CBEC0D88
    Session-ID-ctx:
    Master-Key: BABD0EE8AC430A68C527FB0296ECB12793918042191DDCE754600FA893F23D1867953890DADEE5A8A6FE1192957E7C45
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 129600 (seconds)
    TLS session ticket:

    Start Time: 1396344874
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
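Happily, the result is now Verify return code: 0 (ok). Incidentally, there are two CRL checking options, -crl_check and -crl_check_all. The former appears to check the CRL for the server certificate only, and the latter appears to check every certificate in the chain. Below is an example of running -crl_check with EVSecure2006_crl.pem, the CRL that covers the server certificate, disabled. The result is Verify return code: 3 (unable to get certificate CRL).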
komatsu@wheezy32:~/crl/twitter$ mv EVSecure2006_crl.pem EVSecure2006_crl.pem_
komatsu@wheezy32:~/crl/twitter$ openssl s_client -connect www.twitter.com:443 -CApath /usr/lib/ssl/certs:. -crl_check
CONNECTED(00000003)
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com
verify error:num=3:unable to get certificate CRL
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com
verify return:1
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3724 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 7DDB78C18E9C8FDEF7448A149436FF2654868A31BA2EE7983AD4FF99FD4AD7EE
    Session-ID-ctx:
    Master-Key: A02C88C19E43F1A6E9948B6A9BBBB916B26EB7F60EC82757EBC09A51FA220EADF9BF8281B358DE694186B17C67F97358
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 129600 (seconds)
    TLS session ticket:

    Start Time: 1396350165
    Timeout   : 300 (sec)
    Verify return code: 3 (unable to get certificate CRL)
---
DONE
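Below is an example of running -crl_check with EVSecure2006_crl.pem, the CRL that covers the server certificate, enabled and pca3-g5_crl.pem, the CRL that covers the CA certificate, disabled. The result is Verify return code: 0 (ok).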
komatsu@wheezy32:~/crl/twitter$ mv EVSecure2006_crl.pem_ EVSecure2006_crl.pem
komatsu@wheezy32:~/crl/twitter$ mv pca3-g5_crl.pem pca3-g5_crl.pem_
komatsu@wheezy32:~/crl/twitter$ openssl s_client -connect www.twitter.com:443 -CApath /usr/lib/ssl/certs:. -crl_check
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com
verify return:1
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3724 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: F97C5CBE6B1C6CE351A556140C875B57743A6E21141D743616224620143A80A9
    Session-ID-ctx:
    Master-Key: 70147A48BBA5DDF30935658C428F611E2DE99DE2FE7A373B6EF6AACE9DDD47E9C531419280616C2F33250240A6C7F198
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 129600 (seconds)
    TLS session ticket:

    Start Time: 1396350193
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
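
The three runs above can be reproduced offline. The following is an added example, not part of the original post: it builds a constructed two-level PKI (the CA names, file names and ca.cnf are all assumptions), places CRLs in a hashed directory the way c_rehash does, and uses openssl verify in place of s_client to compare -crl_check with -crl_check_all.

```shell
#!/bin/sh
# Added example: constructed PKI (Demo Root CA -> Demo int -> Demo leaf); all names are made up.
setup_pki() {
  D=$(mktemp -d) && cd "$D" || return 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = index.txt
default_md = sha256
default_crl_days = 1
EOF
  : > index.txt
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Demo Root CA" -days 2 2>/dev/null || return 1
  for n in int leaf; do
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout $n.key -out $n.csr -subj "/CN=Demo $n" 2>/dev/null || return 1
  done
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_ca -out int.pem -days 2 2>/dev/null || return 1
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem -days 2 2>/dev/null || return 1
  # One empty CRL per CA: int.crl covers the leaf, root.crl covers the intermediate.
  for n in root int; do
    openssl ca -gencrl -config ca.cnf -cert $n.pem -keyfile $n.key \
      -out $n.crl 2>/dev/null || return 1
  done
}

# verify_with FLAG [CRL...]: fill a hashed directory with only the named CRLs
# (the <issuer-hash>.r0 names that c_rehash creates), then verify the leaf.
verify_with() {
  flag=$1; shift
  rm -rf crls && mkdir crls || return 1
  for crl in "$@"; do
    cp "$crl" "crls/$(openssl crl -hash -noout -in "$crl").r0" || return 1
  done
  openssl verify -CAfile root.pem -CApath crls -untrusted int.pem "$flag" leaf.pem 2>&1
}

setup_pki || exit 1
for args in "-crl_check_all root.crl int.crl" "-crl_check root.crl" \
            "-crl_check int.crl" "-crl_check_all int.crl"; do
  echo "== $args"; verify_with $args || true
done
```

Unlike s_client, which reports the error and still completes the handshake, openssl verify exits non-zero when a required CRL cannot be found, so the result can be used directly in a script.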

Wednesday, March 26, 2014

ng editor

Ng Support Page
http://tt.sakura.ne.jp/~amura/ng/
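So for Windows, it can be compiled with the free edition of Borland C.
I tinkered a little with 1.4.4.

  1. Applied ng-1.4.4-replace_bug.patch for query-replace
  2. Enlarged the screen buffer to 500x300. It still sometimes crashes even at smaller sizes. Cause unknown
  3. Bring the window to the foreground on drag & drop
  4. With "jump-to-define", parse a line of a tag file generated by etags -x and jump to it

A Windows binary is included.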
ng-1_4_4_2014032600.zip