2018/03/27 In front of Futagawa Station, along the Umeda River.
2018/03/28 Along the Umeda River.
Let's try talking HTTPS to www.twitter.com with openssl s_client.
This time, add the -crl_check_all option so that it also checks the CRLs.
komatsu@wheezy32:~/crl/twitter$ openssl s_client -connect www.twitter.com:443 -CApath /usr/lib/ssl/certs -crl_check_all
CONNECTED(00000003)
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com
verify error:num=3:unable to get certificate CRL
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com
verify return:1
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGCjCCBPKgAwIBAgIQdbUtAnjI7txzcujLk8mZgzANBgkqhkiG9w0BAQUFADCB
ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMr
VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTAeFw0x
NDAzMDUwMDAwMDBaFw0xNjA1MDkyMzU5NTlaMIIBEjETMBEGCysGAQQBgjc8AgED
EwJVUzEZMBcGCysGAQQBgjc8AgECEwhEZWxhd2FyZTEdMBsGA1UEDxMUUHJpdmF0
ZSBPcmdhbml6YXRpb24xEDAOBgNVBAUTBzQzMzc0NDYxCzAJBgNVBAYTAlVTMRMw
EQYDVQQRFAo5NDEwMy0xMzA3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
FA1TYW4gRnJhbmNpc2NvMRcwFQYDVQQJFA4xMzU1IE1hcmtldCBTdDEWMBQGA1UE
ChQNVHdpdHRlciwgSW5jLjEZMBcGA1UECxQQVHdpdHRlciBTZWN1cml0eTEUMBIG
A1UEAxQLdHdpdHRlci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC92fD2ip3EiwPUtR4c3oCPcwt7/4PxX1Ya/qR2/Myrvm+8vFXgZzZ5esJD0kzi
OoaT1JwUsmT5iWZLnwBYAxTbd3f+hXrTijufWanfb6MfMa9mFmdFR644B3fiiNEI
S7Bac2Mi/1aJaJtfgoSFKqFPLR1RDpMe0IAL1vaSzpaG4bRsrSvRoR4OsY1h1NAp
6Jbhe7eT/LiEM++vSyS2cemeCsjPFVcDsEZVrjvC3anPxtnyiftzvBOI3zwpLJBQ
9UmfyQls2eVih31WmPcnfXu6qzZ2JRJtdspn7CowUOP6qWDSHGBZ+4ASZBivKHEB
edrCab55Dcq2VG0aRE5JHtTbAgMBAAGjggGvMIIBqzAnBgNVHREEIDAegg93d3cu
dHdpdHRlci5jb22CC3R3aXR0ZXIuY29tMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBEBgNVHSAEPTA7MDkG
C2CGSAGG+EUBBxcGMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWdu
LmNvbS9jcHMwHQYDVR0OBBYEFLnaKkiHft8y4obAI/orb1DR4wsTMB8GA1UdIwQY
MBaAFPyKULqeuSVae1WFT5UAY4/pWGtDMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6
Ly9FVlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL0VWU2VjdXJlMjAwNi5jcmwwfAYI
KwYBBQUHAQEEcDBuMC0GCCsGAQUFBzABhiFodHRwOi8vRVZTZWN1cmUtb2NzcC52
ZXJpc2lnbi5jb20wPQYIKwYBBQUHMAKGMWh0dHA6Ly9FVlNlY3VyZS1haWEudmVy
aXNpZ24uY29tL0VWU2VjdXJlMjAwNi5jZXIwDQYJKoZIhvcNAQEFBQADggEBAHu4
pCmubKOovcYpFt6ILTjTncrGxdzzEO0lGeaYPSTrZM9M+yq3t+g0WAaM9/b3aibJ
XVXjqvgu+1kVTjEb52+vml5D2fB5Hw+/RzqxEc3zQbg/SxbMiMHQDMBri8wEKOjX
wcb5m7HX1Qoa20KUflZT6MEi14Nl4fMZATXW3BksjEafi242mVMzuxY1k+kumbs4
G3gos0K9zcqFC0FOnWKSVKTf6+5/e88zTdlGKERgJ6GwTy104K8NPjI+up2kXsdS
hEFIX6b2kJd15KVvLASKE4UxyyglwyMSmL+JGGutsKb5A7KS9z1QkIkneaa9ewDO
paE+/aedEG9QrMG8ONY=
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3724 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 4CEDB3FC5A820E37A63E8BB15FF99B8C59282EFFE60390E6FB0515E1B24FFCEE
    Session-ID-ctx:
    Master-Key: 505BC043E8F25CDFF38548BC126409B8893AD342B5705B03E6A6266F136B42736009969474542DD4C4364F382898BC1F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 129600 (seconds)
    TLS session ticket:
    0000 - a6 72 98 9f a2 93 44 9e-7d 0a e7 0a e8 6d cc 8a   .r....D.}....m..
    0010 - 23 32 ae ee 10 86 d8 28-0c 7e d1 dc 3a 0e 49 57   #2.....(.~..:.IW
    0020 - c7 0b fc 29 83 90 77 5f-a2 cf 15 d7 89 7d 3c 72   ...)..w_.....}<r
    '...SKP
    0050 - cc fb 0b 3a 37 f3 ad 79-e2 b5 dd a2 11 11 f1 6b   ...:7..y.......k
    0060 - 39 d0 61 bd b4 14 08 46-c0 1a f0 63 66 a9 98 5e   9.a....F...cf..^
    0070 - ca 80 5f cb 66 c9 9f b2-a0 e6 1f 7d 7f 8e 4f c6   .._.f......}..O.
    0080 - d8 2f 36 a9 f3 be dc 3e-b6 d2 17 f4 49 f7 5d a1   ./6....>....I.].
    0090 - 23 dd b3 55 f8 fb 46 0e-5e fc aa 3b 12 b3 55 53   #..U..F.^..;..US

    Start Time: 1396333799
    Timeout   : 300 (sec)
    Verify return code: 3 (unable to get certificate CRL)
---
DONE
What it reports is:
Verify return code: 3 (unable to get certificate CRL)
The part from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- is the server certificate.
To display the certificate chain, add the -showcerts option and run it as follows.
komatsu@wheezy32:~/crl/twitter$ openssl s_client -connect www.twitter.com:443 -showcerts -CApath /usr/lib/ssl/certs -crl_check_all
CONNECTED(00000003)
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com
verify error:num=3:unable to get certificate CRL
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com
verify return:1
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
-----BEGIN CERTIFICATE-----
MIIGCjCCBPKgAwIBAgIQdbUtAnjI7txzcujLk8mZgzANBgkqhkiG9w0BAQUFADCB
ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMr
VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTAeFw0x
NDAzMDUwMDAwMDBaFw0xNjA1MDkyMzU5NTlaMIIBEjETMBEGCysGAQQBgjc8AgED
EwJVUzEZMBcGCysGAQQBgjc8AgECEwhEZWxhd2FyZTEdMBsGA1UEDxMUUHJpdmF0
ZSBPcmdhbml6YXRpb24xEDAOBgNVBAUTBzQzMzc0NDYxCzAJBgNVBAYTAlVTMRMw
EQYDVQQRFAo5NDEwMy0xMzA3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
FA1TYW4gRnJhbmNpc2NvMRcwFQYDVQQJFA4xMzU1IE1hcmtldCBTdDEWMBQGA1UE
ChQNVHdpdHRlciwgSW5jLjEZMBcGA1UECxQQVHdpdHRlciBTZWN1cml0eTEUMBIG
A1UEAxQLdHdpdHRlci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC92fD2ip3EiwPUtR4c3oCPcwt7/4PxX1Ya/qR2/Myrvm+8vFXgZzZ5esJD0kzi
OoaT1JwUsmT5iWZLnwBYAxTbd3f+hXrTijufWanfb6MfMa9mFmdFR644B3fiiNEI
S7Bac2Mi/1aJaJtfgoSFKqFPLR1RDpMe0IAL1vaSzpaG4bRsrSvRoR4OsY1h1NAp
6Jbhe7eT/LiEM++vSyS2cemeCsjPFVcDsEZVrjvC3anPxtnyiftzvBOI3zwpLJBQ
9UmfyQls2eVih31WmPcnfXu6qzZ2JRJtdspn7CowUOP6qWDSHGBZ+4ASZBivKHEB
edrCab55Dcq2VG0aRE5JHtTbAgMBAAGjggGvMIIBqzAnBgNVHREEIDAegg93d3cu
dHdpdHRlci5jb22CC3R3aXR0ZXIuY29tMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBEBgNVHSAEPTA7MDkG
C2CGSAGG+EUBBxcGMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWdu
LmNvbS9jcHMwHQYDVR0OBBYEFLnaKkiHft8y4obAI/orb1DR4wsTMB8GA1UdIwQY
MBaAFPyKULqeuSVae1WFT5UAY4/pWGtDMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6
Ly9FVlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL0VWU2VjdXJlMjAwNi5jcmwwfAYI
KwYBBQUHAQEEcDBuMC0GCCsGAQUFBzABhiFodHRwOi8vRVZTZWN1cmUtb2NzcC52
ZXJpc2lnbi5jb20wPQYIKwYBBQUHMAKGMWh0dHA6Ly9FVlNlY3VyZS1haWEudmVy
aXNpZ24uY29tL0VWU2VjdXJlMjAwNi5jZXIwDQYJKoZIhvcNAQEFBQADggEBAHu4
pCmubKOovcYpFt6ILTjTncrGxdzzEO0lGeaYPSTrZM9M+yq3t+g0WAaM9/b3aibJ
XVXjqvgu+1kVTjEb52+vml5D2fB5Hw+/RzqxEc3zQbg/SxbMiMHQDMBri8wEKOjX
wcb5m7HX1Qoa20KUflZT6MEi14Nl4fMZATXW3BksjEafi242mVMzuxY1k+kumbs4
G3gos0K9zcqFC0FOnWKSVKTf6+5/e88zTdlGKERgJ6GwTy104K8NPjI+up2kXsdS
hEFIX6b2kJd15KVvLASKE4UxyyglwyMSmL+JGGutsKb5A7KS9z1QkIkneaa9ewDO
paE+/aedEG9QrMG8ONY=
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
MIIF5DCCBMygAwIBAgIQW3dZxheE4V7HJ8AylSkoazANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMTYxMTA3MjM1OTU5WjCBujEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMrVmVy
aVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjboFXrnP0XeeOabhQdsVuYI4cWbod2
nLU4O7WgerQHYwkZ5iqISKnnnbYwWgiXDOyq5BZpcmIjmvt6VCiYxQwtt9citsj5
OBfH3doxRpqUFI6e7nigtyLUSVSXTeV0W5K87Gws3+fBthsaVWtmCAN/Ra+aM/EQ
wGyZSpIkMQht3QI+YXZ4eLbtfjeubPOJ4bfh3BXMt1afgKCxBX9ONxX/ty8ejwY4
P1C3aSijtWZfNhpSSENmUt+ikk/TGGC+4+peGXEFv54cbGhyJW+ze3PJbb0S/5tB
Ml706H7FC6NMZNFOvCYIZfsZl1h44TO/7Wg+sSdFb8Di7Jdp91zT91ECAwEAAaOC
AdIwggHOMB0GA1UdDgQWBBT8ilC6nrklWntVhU+VAGOP6VhrQzASBgNVHRMBAf8E
CDAGAQH/AgEAMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxodHRw
czovL3d3dy52ZXJpc2lnbi5jb20vY3BzMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6
Ly9FVlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB
/wQEAwIBBjARBglghkgBhvhCAQEEBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZ
MFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7
GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nby5naWYwKQYDVR0R
BCIwIKQeMBwxGjAYBgNVBAMTEUNsYXNzM0NBMjA0OC0xLTQ3MD0GCCsGAQUFBwEB
BDEwLzAtBggrBgEFBQcwAYYhaHR0cDovL0VWU2VjdXJlLW9jc3AudmVyaXNpZ24u
Y29tMB8GA1UdIwQYMBaAFH/TZafC3ey78DAJ80M5+gKvMzEzMA0GCSqGSIb3DQEB
BQUAA4IBAQCWovp/5j3t1CvOtxU/wHIDX4u6FpAl98KD2Md1NGNoElMMU4l7yVYJ
p8M2RE4O0GJis4b66KGbNGeNUyIXPv2s7mcuQ+JdfzOE8qJwwG6Cl8A0/SXGI3/t
5rDFV0OEst4t8dD2SB8UcVeyrDHhlyQjyRNddOVG7wl8nuGZMQoIeRuPcZ8XZsg4
z+6Ml7YGuXNG5NOUweVgtSV1LdlpMezNlsOjdv3odESsErlNv1HoudRETifLriDR
fip8tmNHnna6l9AW5wtsbfdDbzMLKTB3+p359U64drPNGLT5IO892+bKrZvQTtKH
qQ2mRHNQ3XBb7a1+Srwi1agm5MKFIA3Z
-----END CERTIFICATE-----
---
Server certificate
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3724 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: F7233C40A536FF8BDB8D68FF46B476E91DC2B470B15C86FA453D315048E56DF5
    Session-ID-ctx:
    Master-Key: 703EF14EE55F2F7B20B41E14F96C5A50F3B660F9913D74A9863F0D95B60799BD0D00EB1CB7034615B3482031EC9187D5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 129600 (seconds)
    TLS session ticket:
    0000 - a6 72 98 9f a2 93 44 9e-7d 0a e7 0a e8 6d cc 8a   .r....D.}....m..
    0010 - 7f 94 fd 2f ca 8c 75 05-14 dc 72 d7 b2 88 11 0d   .../..u...r.....
    0020 - dd 69 56 12 c0 5e 1e c0-91 0b a1 55 52 6d d7 62   .iV..^.....URm.b
    0030 - cf a2 27 90 99 88 bb 36-d8 10 b7 77 2b 62 33 7d   ..'....6...w+b3}
    0040 - 93 4b de 56 52 d5 7b b2-aa 86 19 38 a9 18 19 78   .K.VR.{....8...x
    0050 - f9 22 a5 92 bd 25 74 b8-38 07 00 c3 84 1e 6c b4   ."...%t.8.....l.
    0060 - fa 13 69 d7 09 80 5d c7-3f ba 87 27 d8 ed a4 d3   ..i...].?..'....
    0070 - 3c ac e5 86 61 fd f9 11-a5 ae 02 49 99 20 50 53   <...a......I. PS
    0080 - 94 fe 87 b5 19 93 f0 36-cb 93 91 fe b5 cf c6 fb   .......6........
    0090 - 16 aa c5 68 b0 d4 4e a7-2e b3 4b 20 a0 3e 7b 9d   ...h..N...K .>{.

    Start Time: 1396337828
    Timeout   : 300 (sec)
    Verify return code: 3 (unable to get certificate CRL)
---
DONE
The first certificate looks like the twitter.com server certificate. Cut it out into a text file, twitter_cer, and look at it with openssl x509.
I see; it is as follows.
komatsu@wheezy32:~/crl/twitter$ openssl x509 -text -noout -in twitter_cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            75:b5:2d:02:78:c8:ee:dc:73:72:e8:cb:93:c9:99:83
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL CA
        Validity
            Not Before: Mar  5 00:00:00 2014 GMT
            Not After : May  9 23:59:59 2016 GMT
        Subject: 1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446, C=US/postalCode=94103-1307, ST=California, L=San Francisco/street=1355 Market St, O=Twitter, Inc., OU=Twitter Security, CN=twitter.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bd:d9:f0:f6:8a:9d:c4:8b:03:d4:b5:1e:1c:de:
                    80:8f:73:0b:7b:ff:83:f1:5f:56:1a:fe:a4:76:fc:
                    cc:ab:be:6f:bc:bc:55:e0:67:36:79:7a:c2:43:d2:
                    4c:e2:3a:86:93:d4:9c:14:b2:64:f9:89:66:4b:9f:
                    00:58:03:14:db:77:77:fe:85:7a:d3:8a:3b:9f:59:
                    a9:df:6f:a3:1f:31:af:66:16:67:45:47:ae:38:07:
                    77:e2:88:d1:08:4b:b0:5a:73:63:22:ff:56:89:68:
                    9b:5f:82:84:85:2a:a1:4f:2d:1d:51:0e:93:1e:d0:
                    80:0b:d6:f6:92:ce:96:86:e1:b4:6c:ad:2b:d1:a1:
                    1e:0e:b1:8d:61:d4:d0:29:e8:96:e1:7b:b7:93:fc:
                    b8:84:33:ef:af:4b:24:b6:71:e9:9e:0a:c8:cf:15:
                    57:03:b0:46:55:ae:3b:c2:dd:a9:cf:c6:d9:f2:89:
                    fb:73:bc:13:88:df:3c:29:2c:90:50:f5:49:9f:c9:
                    09:6c:d9:e5:62:87:7d:56:98:f7:27:7d:7b:ba:ab:
                    36:76:25:12:6d:76:ca:67:ec:2a:30:50:e3:fa:a9:
                    60:d2:1c:60:59:fb:80:12:64:18:af:28:71:01:79:
                    da:c2:69:be:79:0d:ca:b6:54:6d:1a:44:4e:49:1e:
                    d4:db
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.twitter.com, DNS:twitter.com
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.6
                  CPS: https://www.verisign.com/cps
            X509v3 Subject Key Identifier:
                B9:DA:2A:48:87:7E:DF:32:E2:86:C0:23:FA:2B:6F:50:D1:E3:0B:13
            X509v3 Authority Key Identifier:
                keyid:FC:8A:50:BA:9E:B9:25:5A:7B:55:85:4F:95:00:63:8F:E9:58:6B:43
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://EVSecure-crl.verisign.com/EVSecure2006.crl
            Authority Information Access:
                OCSP - URI:http://EVSecure-ocsp.verisign.com
                CA Issuers - URI:http://EVSecure-aia.verisign.com/EVSecure2006.cer
    Signature Algorithm: sha1WithRSAEncryption
         7b:b8:a4:29:ae:6c:a3:a8:bd:c6:29:16:de:88:2d:38:d3:9d:
         ca:c6:c5:dc:f3:10:ed:25:19:e6:98:3d:24:eb:64:cf:4c:fb:
         2a:b7:b7:e8:34:58:06:8c:f7:f6:f7:6a:26:c9:5d:55:e3:aa:
         f8:2e:fb:59:15:4e:31:1b:e7:6f:af:9a:5e:43:d9:f0:79:1f:
         0f:bf:47:3a:b1:11:cd:f3:41:b8:3f:4b:16:cc:88:c1:d0:0c:
         c0:6b:8b:cc:04:28:e8:d7:c1:c6:f9:9b:b1:d7:d5:0a:1a:db:
         42:94:7e:56:53:e8:c1:22:d7:83:65:e1:f3:19:01:35:d6:dc:
         19:2c:8c:46:9f:8b:6e:36:99:53:33:bb:16:35:93:e9:2e:99:
         bb:38:1b:78:28:b3:42:bd:cd:ca:85:0b:41:4e:9d:62:92:54:
         a4:df:eb:ee:7f:7b:cf:33:4d:d9:46:28:44:60:27:a1:b0:4f:
         2d:74:e0:af:0d:3e:32:3e:ba:9d:a4:5e:c7:52:84:41:48:5f:
         a6:f6:90:97:75:e4:a5:6f:2c:04:8a:13:85:31:cb:28:25:c3:
         23:12:98:bf:89:18:6b:ad:b0:a6:f9:03:b2:92:f7:3d:50:90:
         89:27:79:a6:bd:7b:00:ce:a5:a1:3e:fd:a7:9d:10:6f:50:ac:
         c1:bc:38:d6
Issuer: CN=VeriSign Class 3 Extended Validation SSL CA
Subject: CN=twitter.com
X509v3 CRL Distribution Points: URI:http://EVSecure-crl.verisign.com/EVSecure2006.crl
Hmm. Next, the second certificate in the chain, cut out into the file VeriSignEV_cer, is as follows.
komatsu@wheezy32:~/crl/twitter$ openssl x509 -text -noout -in VeriSignEV_cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5b:77:59:c6:17:84:e1:5e:c7:27:c0:32:95:29:28:6b
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Nov  8 00:00:00 2006 GMT
            Not After : Nov  7 23:59:59 2016 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:98:db:a0:55:eb:9c:fd:17:79:e3:9a:6e:14:1d:
                    b1:5b:98:23:87:16:6e:87:76:9c:b5:38:3b:b5:a0:
                    7a:b4:07:63:09:19:e6:2a:88:48:a9:e7:9d:b6:30:
                    5a:08:97:0c:ec:aa:e4:16:69:72:62:23:9a:fb:7a:
                    54:28:98:c5:0c:2d:b7:d7:22:b6:c8:f9:38:17:c7:
                    dd:da:31:46:9a:94:14:8e:9e:ee:78:a0:b7:22:d4:
                    49:54:97:4d:e5:74:5b:92:bc:ec:6c:2c:df:e7:c1:
                    b6:1b:1a:55:6b:66:08:03:7f:45:af:9a:33:f1:10:
                    c0:6c:99:4a:92:24:31:08:6d:dd:02:3e:61:76:78:
                    78:b6:ed:7e:37:ae:6c:f3:89:e1:b7:e1:dc:15:cc:
                    b7:56:9f:80:a0:b1:05:7f:4e:37:15:ff:b7:2f:1e:
                    8f:06:38:3f:50:b7:69:28:a3:b5:66:5f:36:1a:52:
                    48:43:66:52:df:a2:92:4f:d3:18:60:be:e3:ea:5e:
                    19:71:05:bf:9e:1c:6c:68:72:25:6f:b3:7b:73:c9:
                    6d:bd:12:ff:9b:41:32:5e:f4:e8:7e:c5:0b:a3:4c:
                    64:d1:4e:bc:26:08:65:fb:19:97:58:78:e1:33:bf:
                    ed:68:3e:b1:27:45:6f:c0:e2:ec:97:69:f7:5c:d3:
                    f7:51
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FC:8A:50:BA:9E:B9:25:5A:7B:55:85:4F:95:00:63:8F:E9:58:6B:43
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: https://www.verisign.com/cps
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://EVSecure-crl.verisign.com/pca3-g5.crl
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Netscape Cert Type:
                SSL CA, S/MIME CA
            1.3.6.1.5.5.7.1.12:
                0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
            X509v3 Subject Alternative Name:
                DirName:/CN=Class3CA2048-1-47
            Authority Information Access:
                OCSP - URI:http://EVSecure-ocsp.verisign.com
            X509v3 Authority Key Identifier:
                keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
    Signature Algorithm: sha1WithRSAEncryption
         96:a2:fa:7f:e6:3d:ed:d4:2b:ce:b7:15:3f:c0:72:03:5f:8b:
         ba:16:90:25:f7:c2:83:d8:c7:75:34:63:68:12:53:0c:53:89:
         7b:c9:56:09:a7:c3:36:44:4e:0e:d0:62:62:b3:86:fa:e8:a1:
         9b:34:67:8d:53:22:17:3e:fd:ac:ee:67:2e:43:e2:5d:7f:33:
         84:f2:a2:70:c0:6e:82:97:c0:34:fd:25:c6:23:7f:ed:e6:b0:
         c5:57:43:84:b2:de:2d:f1:d0:f6:48:1f:14:71:57:b2:ac:31:
         e1:97:24:23:c9:13:5d:74:e5:46:ef:09:7c:9e:e1:99:31:0a:
         08:79:1b:8f:71:9f:17:66:c8:38:cf:ee:8c:97:b6:06:b9:73:
         46:e4:d3:94:c1:e5:60:b5:25:75:2d:d9:69:31:ec:cd:96:c3:
         a3:76:fd:e8:74:44:ac:12:b9:4d:bf:51:e8:b9:d4:44:4e:27:
         cb:ae:20:d1:7e:2a:7c:b6:63:47:9e:76:ba:97:d0:16:e7:0b:
         6c:6d:f7:43:6f:33:0b:29:30:77:fa:9d:f9:f5:4e:b8:76:b3:
         cd:18:b4:f9:20:ef:3d:db:e6:ca:ad:9b:d0:4e:d2:87:a9:0d:
         a6:44:73:50:dd:70:5b:ed:ad:7e:4a:bc:22:d5:a8:26:e4:c2:
         85:20:0d:d9
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject: CN=VeriSign Class 3 Extended Validation SSL CA
X509v3 CRL Distribution Points: URI:http://EVSecure-crl.verisign.com/pca3-g5.crl
It was issued by VeriSign Class 3 Public Primary Certification Authority - G5 (look at the Issuer). The next step up the chain is the root certificate.
It has nothing to do with today's topic (CRL checking), but let's look for it while we're at it.
The root certificates this PC has are in /usr/lib/ssl/certs, so look for the likely one there.
komatsu@wheezy32:~/crl/twitter$ ls /usr/lib/ssl/certs/*eri*
/usr/lib/ssl/certs/America_Online_Root_Certification_Authority_1.pem
/usr/lib/ssl/certs/America_Online_Root_Certification_Authority_2.pem
/usr/lib/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
/usr/lib/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
/usr/lib/ssl/certs/VeriSign_Universal_Root_Certification_Authority.pem
/usr/lib/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority.pem
/usr/lib/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.pem
/usr/lib/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
/usr/lib/ssl/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.pem
/usr/lib/ssl/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
/usr/lib/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.pem
/usr/lib/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.pem
/usr/lib/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
/usr/lib/ssl/certs/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.pem
It must be /usr/lib/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem. Look at it with openssl x509.
komatsu@wheezy32:~/crl/twitter$ openssl x509 -text -noout -in /usr/lib/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Nov  8 00:00:00 2006 GMT
            Not After : Jul 16 23:59:59 2036 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:af:24:08:08:29:7a:35:9e:60:0c:aa:e7:4b:3b:
                    4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:
                    08:a3:64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:
                    2a:aa:a6:42:b3:8f:f8:b9:55:b7:b1:b7:4b:b3:fe:
                    8f:7e:07:57:ec:ef:43:db:66:62:15:61:cf:60:0d:
                    a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:
                    54:85:26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:
                    d8:43:63:6a:52:4b:d2:8f:e8:70:51:4d:d1:89:69:
                    7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b:56:d3:96:
                    bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:
                    f4:06:04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:
                    ba:f4:3c:ee:e0:8b:eb:37:8b:ec:f4:d7:ac:f2:f6:
                    f0:3d:af:dd:75:91:33:19:1d:1c:40:cb:74:24:19:
                    21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:
                    63:47:88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:
                    ae:0e:9d:d4:d1:43:c0:67:73:e3:14:08:7e:e5:3f:
                    9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a:ee:53:e8:
                    25:15
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            1.3.6.1.5.5.7.1.12:
                0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
            X509v3 Subject Key Identifier:
                7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
    Signature Algorithm: sha1WithRSAEncryption
         93:24:4a:30:5f:62:cf:d8:1a:98:2f:3d:ea:dc:99:2d:bd:77:
         f6:a5:79:22:38:ec:c4:a7:a0:78:12:ad:62:0e:45:70:64:c5:
         e7:97:66:2d:98:09:7e:5f:af:d6:cc:28:65:f2:01:aa:08:1a:
         47:de:f9:f9:7c:92:5a:08:69:20:0d:d9:3e:6d:6e:3c:0d:6e:
         d8:e6:06:91:40:18:b9:f8:c1:ed:df:db:41:aa:e0:96:20:c9:
         cd:64:15:38:81:c9:94:ee:a2:84:29:0b:13:6f:8e:db:0c:dd:
         25:02:db:a4:8b:19:44:d2:41:7a:05:69:4a:58:4f:60:ca:7e:
         82:6a:0b:02:aa:25:17:39:b5:db:7f:e7:84:65:2a:95:8a:bd:
         86:de:5e:81:16:83:2d:10:cc:de:fd:a8:82:2a:6d:28:1f:0d:
         0b:c4:e5:e7:1a:26:19:e1:f4:11:6f:10:b5:95:fc:e7:42:05:
         32:db:ce:9d:51:5e:28:b6:9e:85:d3:5b:ef:a5:7d:45:40:72:
         8e:b7:0e:6b:0e:06:fb:33:35:48:71:b8:9d:27:8b:c4:65:5f:
         0d:86:76:9c:44:7a:f6:95:5c:f6:5d:32:08:33:a4:54:b6:18:
         3f:68:5c:f2:42:4a:85:38:54:83:5f:d1:e8:2c:f2:ac:11:d6:
         a8:ed:63:6a
Now, let's do something about being told
Verify return code: 3 (unable to get certificate CRL)
The server certificate said its CRL is at http://EVSecure-crl.verisign.com/EVSecure2006.crl.
The CA certificate said its CRL is at http://EVSecure-crl.verisign.com/pca3-g5.crl.
Getting ahead of myself: these CRLs are in DER format, and the operations below assume that.
komatsu@wheezy32:~/crl/twitter$ curl -O http://EVSecure-crl.verisign.com/EVSecure2006.crl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 78495  100 78495    0     0  90680      0 --:--:-- --:--:-- --:--:--  125k
komatsu@wheezy32:~/crl/twitter$ curl -O http://EVSecure-crl.verisign.com/pca3-g5.crl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   533  100   533    0     0   1868      0 --:--:-- --:--:-- --:--:--  4230
komatsu@wheezy32:~/crl/twitter$ openssl crl -inform der -in EVSecure2006.crl > EVSecure2006_crl.pem
komatsu@wheezy32:~/crl/twitter$ openssl crl -inform der -in pca3-g5.crl > pca3-g5_crl.pem
The reason for converting DER to PEM first is that c_rehash needs PEM.
komatsu@wheezy32:~/crl/twitter$ c_rehash ./
Doing ./
EVSecure2006_crl.pem => 6e7f22c1.r0
pca3-g5_crl.pem => b204d74a.r0
Let's display the contents of EVSecure2006_crl.pem.
There are a huge number of entries, so the middle is omitted.
komatsu@wheezy32:~/crl/twitter$ openssl crl -text -noout -in EVSecure2006_crl.pem
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
        Last Update: Apr  1 09:00:13 2014 GMT
        Next Update: Apr  8 09:00:13 2014 GMT
Revoked Certificates:
    Serial Number: 01039B9A531A83BF3D5B72D4D93353C6
        Revocation Date: Oct 17 15:18:35 2013 GMT
    Serial Number: 011560DAEC2AD07BB6BA5A4E086C5368
        Revocation Date: Feb 22 16:52:48 2013 GMT
    Serial Number: 01383C60E00837685363D186FBEA08E0
        Revocation Date: Jul  2 20:56:41 2013 GMT
    (a huge number of entries omitted)
    Serial Number: 7FDFD55D5CA39ECD5519CA17E6B7C385
        Revocation Date: Dec  8 13:02:58 2013 GMT
    Serial Number: 7FE9E380635C61EE122DA06B4A516C1C
        Revocation Date: Jul  3 01:04:18 2013 GMT
    Signature Algorithm: sha1WithRSAEncryption
         09:7e:ac:8d:51:7d:f7:d6:99:0d:9d:38:0a:60:cb:c2:f0:2a:
         81:10:8d:24:57:9b:f6:73:a1:99:f3:ee:49:7c:0c:09:bc:ae:
         d6:e5:0a:bc:d1:8a:f6:29:b3:ca:53:7b:a1:98:d1:48:69:72:
         2c:65:f8:0b:c3:0d:c3:2d:a8:e0:3f:bc:bc:4c:2e:72:1d:e0:
         b0:50:a7:69:c4:cb:70:c3:f8:9b:bc:4e:73:f8:34:9b:54:66:
         81:40:94:7e:d8:b4:18:cc:3e:49:83:7d:77:04:24:5c:d5:76:
         cb:5d:f4:de:1c:ae:a4:27:bd:d2:0e:fe:6d:9e:ad:42:1b:11:
         54:c1:54:b1:a9:e2:30:21:ef:02:f9:30:00:44:77:b1:13:c8:
         ed:9e:19:cf:d7:00:4f:41:08:28:5e:d5:26:39:a5:43:f4:a4:
         28:eb:70:69:1d:eb:d1:c7:15:fc:a3:5e:27:24:89:bb:bb:7c:
         ee:4d:5f:27:12:1b:1a:01:c3:80:05:e2:d2:10:b3:74:e0:40:
         a3:de:14:46:46:0c:6f:45:72:1b:7e:76:83:77:d5:c2:80:f1:
         75:27:cb:23:80:d2:c7:b8:b0:2a:10:19:f4:43:6a:73:05:06:
         5f:6a:d6:4a:dd:b6:6e:4a:50:5f:9a:24:6b:53:c2:f2:49:cf:
         86:a0:e4:69
Let's display the contents of pca3-g5_crl.pem.
This one actually has no revoked certificates at all.
komatsu@wheezy32:~/crl/twitter$ openssl crl -text -noout -in pca3-g5_crl.pem
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Last Update: Mar 20 00:00:00 2014 GMT
        Next Update: Jun 30 23:59:59 2014 GMT
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption
         7d:17:bf:fb:61:c0:44:5b:f3:f2:38:e3:c0:69:19:fe:f4:c0:
         e8:67:38:d2:dc:53:89:c8:74:74:8a:2e:61:be:65:ca:42:5d:
         e2:a8:76:bc:6c:39:1c:6d:90:c3:00:00:bb:7e:80:47:28:6c:
         92:1d:84:47:80:a4:23:7a:7b:fa:f8:f5:5a:61:90:ba:46:e3:
         71:88:1e:9c:fa:32:5e:58:1e:a8:77:d3:69:27:0e:26:0c:f1:
         6e:ba:92:e0:34:76:38:ab:2b:26:7c:2f:59:c6:42:fb:17:25:
         1c:bc:4a:f8:ab:67:30:ca:22:6b:1f:30:0c:cb:b2:da:41:9b:
         e5:37:9c:29:68:c1:05:15:3d:35:a1:e9:f9:cb:27:5a:a0:7f:
         d1:9a:14:dc:90:19:79:b5:59:65:d4:b8:04:85:a1:9e:c6:4d:
         d5:13:5f:35:ff:39:13:e2:42:e3:2a:aa:f0:2b:8f:34:7a:40:
         e6:37:23:b3:89:f0:ba:ec:86:2b:55:4c:db:46:89:16:85:fd:
         89:f3:69:44:67:16:df:36:ef:b7:d4:27:7a:24:89:45:de:45:
         08:b2:2a:ec:17:67:9a:0b:ef:32:a5:40:44:e1:c9:a1:9d:df:
         26:76:d7:90:ea:6f:85:a6:3e:87:ce:6b:31:4e:f4:93:07:50:
         8f:e3:02:69
Having fetched the CRLs by hand into the current directory and run c_rehash so OpenSSL can use them, add the current directory to the -CApath option of openssl s_client and connect again.
komatsu@wheezy32:~/crl/twitter$ openssl s_client -connect www.twitter.com:443 -CApath /usr/lib/ssl/certs:. -crl_check_all
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com
verify return:1
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGCjCCBPKgAwIBAgIQdbUtAnjI7txzcujLk8mZgzANBgkqhkiG9w0BAQUFADCB
ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMr
VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTAeFw0x
NDAzMDUwMDAwMDBaFw0xNjA1MDkyMzU5NTlaMIIBEjETMBEGCysGAQQBgjc8AgED
EwJVUzEZMBcGCysGAQQBgjc8AgECEwhEZWxhd2FyZTEdMBsGA1UEDxMUUHJpdmF0
ZSBPcmdhbml6YXRpb24xEDAOBgNVBAUTBzQzMzc0NDYxCzAJBgNVBAYTAlVTMRMw
EQYDVQQRFAo5NDEwMy0xMzA3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
FA1TYW4gRnJhbmNpc2NvMRcwFQYDVQQJFA4xMzU1IE1hcmtldCBTdDEWMBQGA1UE
ChQNVHdpdHRlciwgSW5jLjEZMBcGA1UECxQQVHdpdHRlciBTZWN1cml0eTEUMBIG
A1UEAxQLdHdpdHRlci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC92fD2ip3EiwPUtR4c3oCPcwt7/4PxX1Ya/qR2/Myrvm+8vFXgZzZ5esJD0kzi
OoaT1JwUsmT5iWZLnwBYAxTbd3f+hXrTijufWanfb6MfMa9mFmdFR644B3fiiNEI
S7Bac2Mi/1aJaJtfgoSFKqFPLR1RDpMe0IAL1vaSzpaG4bRsrSvRoR4OsY1h1NAp
6Jbhe7eT/LiEM++vSyS2cemeCsjPFVcDsEZVrjvC3anPxtnyiftzvBOI3zwpLJBQ
9UmfyQls2eVih31WmPcnfXu6qzZ2JRJtdspn7CowUOP6qWDSHGBZ+4ASZBivKHEB
edrCab55Dcq2VG0aRE5JHtTbAgMBAAGjggGvMIIBqzAnBgNVHREEIDAegg93d3cu
dHdpdHRlci5jb22CC3R3aXR0ZXIuY29tMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBEBgNVHSAEPTA7MDkG
C2CGSAGG+EUBBxcGMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWdu
LmNvbS9jcHMwHQYDVR0OBBYEFLnaKkiHft8y4obAI/orb1DR4wsTMB8GA1UdIwQY
MBaAFPyKULqeuSVae1WFT5UAY4/pWGtDMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6
Ly9FVlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL0VWU2VjdXJlMjAwNi5jcmwwfAYI
KwYBBQUHAQEEcDBuMC0GCCsGAQUFBzABhiFodHRwOi8vRVZTZWN1cmUtb2NzcC52
ZXJpc2lnbi5jb20wPQYIKwYBBQUHMAKGMWh0dHA6Ly9FVlNlY3VyZS1haWEudmVy
aXNpZ24uY29tL0VWU2VjdXJlMjAwNi5jZXIwDQYJKoZIhvcNAQEFBQADggEBAHu4
pCmubKOovcYpFt6ILTjTncrGxdzzEO0lGeaYPSTrZM9M+yq3t+g0WAaM9/b3aibJ
XVXjqvgu+1kVTjEb52+vml5D2fB5Hw+/RzqxEc3zQbg/SxbMiMHQDMBri8wEKOjX
wcb5m7HX1Qoa20KUflZT6MEi14Nl4fMZATXW3BksjEafi242mVMzuxY1k+kumbs4
G3gos0K9zcqFC0FOnWKSVKTf6+5/e88zTdlGKERgJ6GwTy104K8NPjI+up2kXsdS
hEFIX6b2kJd15KVvLASKE4UxyyglwyMSmL+JGGutsKb5A7KS9z1QkIkneaa9ewDO
paE+/aedEG9QrMG8ONY=
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3724 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 7672190CF526687DAA3BC38E0A400D629DB857E5091F9DF27375DC11CBEC0D88
    Session-ID-ctx:
    Master-Key: BABD0EE8AC430A68C527FB0296ECB12793918042191DDCE754600FA893F23D1867953890DADEE5A8A6FE1192957E7C45
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 129600 (seconds)
    TLS session ticket:
    0000 - a6 72 98 9f a2 93 44 9e-7d 0a e7 0a e8 6d cc 8a   .r....D.}....m..
    0010 - 61 5b 6f 00 8e 35 0c b2-36 ba c7 b6 27 63 c5 ff   a[o..5..6...'c..
    0020 - 8a 6a c4 57 d4 7d 63 b7-81 f0 87 23 4e 83 47 95   .j.W.}c....#N.G.
    0030 - a5 2a 47 12 e4 40 72 e9-a7 2b f5 d4 c2 c8 78 99   .*G..@r..+....x.
    0040 - ef 59 5c 33 f8 1f 53 01-d4 77 2b 62 96 3f 87 e2   .Y\3..S..w+b.?..
    0050 - 62 89 c3 00 67 df 4a 55-fb 26 47 5e 59 3a 70 98   b...g.JU.&G^Y:p.
    0060 - e5 7f 49 5e 2d 5f 13 18-1c 27 84 0f 2a 72 12 83   ..I^-_...'..*r..
    0070 - b1 2c 0f 71 1f e6 98 53-ff 9f 73 80 11 66 a0 39   .,.q...S..s..f.9
    0080 - a3 48 a1 42 39 29 35 ea-f0 7c c6 d9 f4 a7 6e cb   .H.B9)5..|....n.
    0090 - 6d 51 7e 7d 6c 5d aa 28-9f 08 1c c1 53 81 c6 91   mQ~}l].(....S...

    Start Time: 1396344874
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
Happily, this time it says
Verify return code: 0 (ok)
Verify return code: 0 (ok)
になりました。
ちなみに、CRLの確認オプションには
-crl_check
と
-crl_chek_all
の2種類があります。
前者はサーバー証明書のCRLチェックのみ、
後者は証明書チェインすべてでチェック、のようです。
以下は、サーバー証明書のCRLであるEVSecure2006_crl.pemを無効にして-crl_check
してみた例。
Verify return code: 3 (unable to get certificate CRL)
になっています。
以下は、サーバー証明書のCRLであるEVSecure2006_crl.pemを有効、CA証明書のCRLであるpca3-g5_crl.pemを無効にしてkomatsu@wheezy32:~/crl/twitter$ mv EVSecure2006_crl.pem EVSecure2006_crl.pem_ komatsu@wheezy32:~/crl/twitter$ openssl s_client -connect www.twitter.com:443 -CApath /usr/lib/ssl/certs:. -crl_check CONNECTED(00000003) depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com verify error:num=3:unable to get certificate CRL verify return:1 depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5 verify return:1 depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA verify return:1 depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com verify return:1 --- Certificate chain 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust 
Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 --- Server certificate -----BEGIN CERTIFICATE----- MIIGCjCCBPKgAwIBAgIQdbUtAnjI7txzcujLk8mZgzANBgkqhkiG9w0BAQUFADCB ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMr VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTAeFw0x NDAzMDUwMDAwMDBaFw0xNjA1MDkyMzU5NTlaMIIBEjETMBEGCysGAQQBgjc8AgED EwJVUzEZMBcGCysGAQQBgjc8AgECEwhEZWxhd2FyZTEdMBsGA1UEDxMUUHJpdmF0 ZSBPcmdhbml6YXRpb24xEDAOBgNVBAUTBzQzMzc0NDYxCzAJBgNVBAYTAlVTMRMw EQYDVQQRFAo5NDEwMy0xMzA3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH FA1TYW4gRnJhbmNpc2NvMRcwFQYDVQQJFA4xMzU1IE1hcmtldCBTdDEWMBQGA1UE ChQNVHdpdHRlciwgSW5jLjEZMBcGA1UECxQQVHdpdHRlciBTZWN1cml0eTEUMBIG A1UEAxQLdHdpdHRlci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQC92fD2ip3EiwPUtR4c3oCPcwt7/4PxX1Ya/qR2/Myrvm+8vFXgZzZ5esJD0kzi OoaT1JwUsmT5iWZLnwBYAxTbd3f+hXrTijufWanfb6MfMa9mFmdFR644B3fiiNEI S7Bac2Mi/1aJaJtfgoSFKqFPLR1RDpMe0IAL1vaSzpaG4bRsrSvRoR4OsY1h1NAp 6Jbhe7eT/LiEM++vSyS2cemeCsjPFVcDsEZVrjvC3anPxtnyiftzvBOI3zwpLJBQ 9UmfyQls2eVih31WmPcnfXu6qzZ2JRJtdspn7CowUOP6qWDSHGBZ+4ASZBivKHEB edrCab55Dcq2VG0aRE5JHtTbAgMBAAGjggGvMIIBqzAnBgNVHREEIDAegg93d3cu dHdpdHRlci5jb22CC3R3aXR0ZXIuY29tMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQD AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBEBgNVHSAEPTA7MDkG C2CGSAGG+EUBBxcGMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWdu LmNvbS9jcHMwHQYDVR0OBBYEFLnaKkiHft8y4obAI/orb1DR4wsTMB8GA1UdIwQY MBaAFPyKULqeuSVae1WFT5UAY4/pWGtDMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6 Ly9FVlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL0VWU2VjdXJlMjAwNi5jcmwwfAYI KwYBBQUHAQEEcDBuMC0GCCsGAQUFBzABhiFodHRwOi8vRVZTZWN1cmUtb2NzcC52 ZXJpc2lnbi5jb20wPQYIKwYBBQUHMAKGMWh0dHA6Ly9FVlNlY3VyZS1haWEudmVy aXNpZ24uY29tL0VWU2VjdXJlMjAwNi5jZXIwDQYJKoZIhvcNAQEFBQADggEBAHu4 pCmubKOovcYpFt6ILTjTncrGxdzzEO0lGeaYPSTrZM9M+yq3t+g0WAaM9/b3aibJ 
XVXjqvgu+1kVTjEb52+vml5D2fB5Hw+/RzqxEc3zQbg/SxbMiMHQDMBri8wEKOjX wcb5m7HX1Qoa20KUflZT6MEi14Nl4fMZATXW3BksjEafi242mVMzuxY1k+kumbs4 G3gos0K9zcqFC0FOnWKSVKTf6+5/e88zTdlGKERgJ6GwTy104K8NPjI+up2kXsdS hEFIX6b2kJd15KVvLASKE4UxyyglwyMSmL+JGGutsKb5A7KS9z1QkIkneaa9ewDO paE+/aedEG9QrMG8ONY= -----END CERTIFICATE----- subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA --- No client certificate CA names sent --- SSL handshake has read 3724 bytes and written 446 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 7DDB78C18E9C8FDEF7448A149436FF2654868A31BA2EE7983AD4FF99FD4AD7EE Session-ID-ctx: Master-Key: A02C88C19E43F1A6E9948B6A9BBBB916B26EB7F60EC82757EBC09A51FA220EADF9BF8281B358DE694186B17C67F97358 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 129600 (seconds) TLS session ticket: 0000 - 1c f6 db 5c 8e 1b 2e 52-ce f7 63 42 10 d1 b5 8a ...\...R..cB.... 0010 - a5 3b d9 09 f3 69 3c 8f-4e 2a 09 df 34 53 7d 0d .;...i<.N*..4S}. 0020 - f4 fc 60 c4 1b 00 22 17-80 53 fb b0 76 9d 94 43 ..`..."..S..v..C 0030 - 85 4d f1 f2 dd a0 08 e0-b8 b6 10 8b 8c 15 dd 52 .M.............R 0040 - 0c 55 a3 38 8f 5d a1 de-14 f2 73 61 09 06 8e 1e .U.8.]....sa.... 0050 - 96 92 c6 c2 26 45 1b dd-67 38 14 8e be 8f 45 8e ....&E..g8....E. 
0060 - df 5d 52 82 c5 fd 2e 87-5f f2 61 a5 7d 71 80 53 .]R....._.a.}q.S 0070 - 09 b2 de d2 9c bb 21 a9-9f 12 10 69 d7 cf 43 5b ......!....i..C[ 0080 - 85 f3 3e 45 bf a6 99 89-dd 49 10 94 47 1d ad 53 ..>E.....I..G..S 0090 - 5f 84 72 6f f9 c5 fb 57-11 d8 0e bb b4 d1 88 ee _.ro...W........ Start Time: 1396350165 Timeout : 300 (sec) Verify return code: 3 (unable to get certificate CRL) --- DONE
-crl_check
してみた例。
Verify return code: 0 (ok)
になっています。
komatsu@wheezy32:~/crl/twitter$ mv EVSecure2006_crl.pem_ EVSecure2006_crl.pem komatsu@wheezy32:~/crl/twitter$ mv pca3-g5_crl.pem pca3-g5_crl.pem_ komatsu@wheezy32:~/crl/twitter$ openssl s_client -connect www.twitter.com:443 -CApath /usr/lib/ssl/certs:. -crl_check CONNECTED(00000003) depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5 verify return:1 depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA verify return:1 depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94103-1307, ST = California, L = San Francisco, street = 1355 Market St, O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com verify return:1 --- Certificate chain 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. 
- For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 --- Server certificate -----BEGIN CERTIFICATE----- MIIGCjCCBPKgAwIBAgIQdbUtAnjI7txzcujLk8mZgzANBgkqhkiG9w0BAQUFADCB ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMr VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTAeFw0x NDAzMDUwMDAwMDBaFw0xNjA1MDkyMzU5NTlaMIIBEjETMBEGCysGAQQBgjc8AgED EwJVUzEZMBcGCysGAQQBgjc8AgECEwhEZWxhd2FyZTEdMBsGA1UEDxMUUHJpdmF0 ZSBPcmdhbml6YXRpb24xEDAOBgNVBAUTBzQzMzc0NDYxCzAJBgNVBAYTAlVTMRMw EQYDVQQRFAo5NDEwMy0xMzA3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH FA1TYW4gRnJhbmNpc2NvMRcwFQYDVQQJFA4xMzU1IE1hcmtldCBTdDEWMBQGA1UE ChQNVHdpdHRlciwgSW5jLjEZMBcGA1UECxQQVHdpdHRlciBTZWN1cml0eTEUMBIG A1UEAxQLdHdpdHRlci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQC92fD2ip3EiwPUtR4c3oCPcwt7/4PxX1Ya/qR2/Myrvm+8vFXgZzZ5esJD0kzi OoaT1JwUsmT5iWZLnwBYAxTbd3f+hXrTijufWanfb6MfMa9mFmdFR644B3fiiNEI S7Bac2Mi/1aJaJtfgoSFKqFPLR1RDpMe0IAL1vaSzpaG4bRsrSvRoR4OsY1h1NAp 6Jbhe7eT/LiEM++vSyS2cemeCsjPFVcDsEZVrjvC3anPxtnyiftzvBOI3zwpLJBQ 9UmfyQls2eVih31WmPcnfXu6qzZ2JRJtdspn7CowUOP6qWDSHGBZ+4ASZBivKHEB edrCab55Dcq2VG0aRE5JHtTbAgMBAAGjggGvMIIBqzAnBgNVHREEIDAegg93d3cu dHdpdHRlci5jb22CC3R3aXR0ZXIuY29tMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQD AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBEBgNVHSAEPTA7MDkG C2CGSAGG+EUBBxcGMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWdu LmNvbS9jcHMwHQYDVR0OBBYEFLnaKkiHft8y4obAI/orb1DR4wsTMB8GA1UdIwQY MBaAFPyKULqeuSVae1WFT5UAY4/pWGtDMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6 Ly9FVlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL0VWU2VjdXJlMjAwNi5jcmwwfAYI KwYBBQUHAQEEcDBuMC0GCCsGAQUFBzABhiFodHRwOi8vRVZTZWN1cmUtb2NzcC52 ZXJpc2lnbi5jb20wPQYIKwYBBQUHMAKGMWh0dHA6Ly9FVlNlY3VyZS1haWEudmVy aXNpZ24uY29tL0VWU2VjdXJlMjAwNi5jZXIwDQYJKoZIhvcNAQEFBQADggEBAHu4 pCmubKOovcYpFt6ILTjTncrGxdzzEO0lGeaYPSTrZM9M+yq3t+g0WAaM9/b3aibJ 
XVXjqvgu+1kVTjEb52+vml5D2fB5Hw+/RzqxEc3zQbg/SxbMiMHQDMBri8wEKOjX wcb5m7HX1Qoa20KUflZT6MEi14Nl4fMZATXW3BksjEafi242mVMzuxY1k+kumbs4 G3gos0K9zcqFC0FOnWKSVKTf6+5/e88zTdlGKERgJ6GwTy104K8NPjI+up2kXsdS hEFIX6b2kJd15KVvLASKE4UxyyglwyMSmL+JGGutsKb5A7KS9z1QkIkneaa9ewDO paE+/aedEG9QrMG8ONY= -----END CERTIFICATE----- subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94103-1307/ST=California/L=San Francisco/street=1355 Market St/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA --- No client certificate CA names sent --- SSL handshake has read 3724 bytes and written 446 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: F97C5CBE6B1C6CE351A556140C875B57743A6E21141D743616224620143A80A9 Session-ID-ctx: Master-Key: 70147A48BBA5DDF30935658C428F611E2DE99DE2FE7A373B6EF6AACE9DDD47E9C531419280616C2F33250240A6C7F198 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 129600 (seconds) TLS session ticket: 0000 - 1c f6 db 5c 8e 1b 2e 52-ce f7 63 42 10 d1 b5 8a ...\...R..cB.... 0010 - 38 d7 76 95 ff 4f 3c 21-44 d9 04 ed 36 26 f5 61 8.v..O...O..J,. 0080 - 70 8e 12 7f e7 a1 0c b5-90 46 3a cd 94 c1 cb f9 p........F:..... 0090 - 20 33 4d dc d4 de 8b 69-7a 5c a0 14 11 8c 70 59 3M....iz\....pY Start Time: 1396350193 Timeout : 300 (sec) Verify return code: 0 (ok) --- DONE
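The difference between -crl_check and -crl_check_all, reproduced offline as an added example that is not part of the original post: the script builds a throwaway root, intermediate and leaf with the openssl CLI, issues an empty CRL for each CA, and runs openssl verify (a stand-in for s_client's chain check, so no network is needed) against a CApath holding only the leaf issuer's CRL and then one holding both. The CA names, file names and directories are constructed for this example; it assumes an openssl binary (1.1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway root -> intermediate -> leaf PKI
# built with the openssl CLI, used to show which CRLs -crl_check and -crl_check_all need.
# Assumes an openssl binary (1.1.1 or newer) on PATH; all names here are made up.
set -e
WORK=$(mktemp -d); cd "$WORK"; echo "working in $WORK"

# Root CA (self-signed), intermediate CA signed by the root, leaf signed by the intermediate.
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj /CN=Example-Root \
  -keyout root.key -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=Example-Inter -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 7 \
  -extfile ca.ext -out inter.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=leaf.example -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 7 \
  -out leaf.crt 2>/dev/null

# Issue an empty CRL for one CA. "openssl ca -gencrl" insists on a config section with a
# database file and a digest; the signing key and certificate are given on the command line.
gen_crl() {  # $1 = root | inter  ->  writes $1.crl
  : > "$1.idx"
  printf '[ca]\ndefault_ca=x\n[x]\ndatabase=%s.idx\nserial=%s.srl\nnew_certs_dir=.\ndefault_md=sha256\ndefault_crl_days=7\n' \
    "$1" "$1" > "$1.cnf"
  openssl ca -config "$1.cnf" -gencrl -keyfile "$1.key" -cert "$1.crt" -out "$1.crl" 2>/dev/null
}
gen_crl root; gen_crl inter

# A -CApath directory is looked up by name hash: <hash>.0 for certificates, <hash>.r0 for
# CRLs (the hash of the CRL issuer). capath_leaf holds only the CRL that covers the leaf;
# capath_all also holds the root's CRL, which covers the intermediate and the root itself.
add_to_capath() {  # $1 = directory, remaining args = .crt / .crl files
  d=$1; shift; mkdir -p "$d"
  for f in "$@"; do case $f in
    *.crt) cp "$f" "$d/$(openssl x509 -hash -noout -in "$f").0" ;;
    *.crl) cp "$f" "$d/$(openssl crl -hash -noout -in "$f").r0" ;;
  esac; done
}
add_to_capath capath_leaf root.crt inter.crl
add_to_capath capath_all  root.crt inter.crl root.crl

# Run "openssl verify" (offline stand-in for s_client's chain check) and print OK, or the
# text of the first "error N at D depth lookup" line, e.g. "unable to get certificate CRL".
verify_status() {  # $1 = -crl_check | -crl_check_all, $2 = CApath directory
  out=$(openssl verify -CApath "$2" -untrusted inter.crt "$1" leaf.crt 2>&1) || true
  case $out in
    *": OK"*) echo OK ;;
    *) echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1 ;;
  esac
}

echo "-crl_check     with leaf CRL only : $(verify_status -crl_check capath_leaf)"      # OK
echo "-crl_check_all with leaf CRL only : $(verify_status -crl_check_all capath_leaf)"  # unable to get certificate CRL
echo "-crl_check_all with both CRLs     : $(verify_status -crl_check_all capath_all)"   # OK
```

The second line is the same "unable to get certificate CRL" (error 3) that s_client reports above, here raised at depth 1 because the intermediate's issuer has no CRL in the directory.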