[gnutls-devel] GnuTLS | gnutls-cli: Support AIA (downloading intermediate certs) (#968)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Fri Apr 3 18:07:31 CEST 2020
Tim Rühsen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/968
Some intermediate certs need to be downloaded to verify the chain, see
https://savannah.gnu.org/bugs/?58097
https://discussions.qualys.com/thread/12098
Would be nice to have this in GnuTLS or at least gnutls-cli.
```
$ gnutls-cli -V www.xocolatl.com 443
gnutls-cli 3.6.12
tim at ryzen:~/src/wget2$ gnutls-cli -V www.xocolatl.com 443
Processed 128 CA certificate(s).
Resolving 'www.xocolatl.com:443'...
Connecting to '116.202.171.177:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- X.509 Certificate Information:
Version: 3
Serial Number (hex): 03a081e7536daaa191406e66046a8cc59bfe
Issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Validity:
Not Before: Mon Mar 02 14:50:14 UTC 2020
Not After: Sun May 31 14:50:14 UTC 2020
Subject: CN=chili.xocolatl.com
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
Modulus (bits 2048):
Exponent (bits 24):
01:00:01
Extensions:
Key Usage (critical):
Digital signature.
Key encipherment.
Key Purpose (not critical):
TLS WWW Server.
TLS WWW Client.
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Subject Key Identifier (not critical):
d0fca29770368ad5e8b43841c0e9db19646ea92c
Authority Key Identifier (not critical):
a84a6a63047dddbae6d139b7a64565eff3a8eca1
Authority Information Access (not critical):
Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
Access Location URI: http://ocsp.int-x3.letsencrypt.org
Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
Access Location URI: http://cert.int-x3.letsencrypt.org/
Subject Alternative Name (not critical):
DNSname: chili.xocolatl.com
DNSname: www.xocolatl.com
DNSname: xocolatl.com
Certificate Policies (not critical):
2.23.140.1.2.1
1.3.6.1.4.1.44947.1.1.1
URI: http://cps.letsencrypt.org
Unknown extension 1.3.6.1.4.1.11129.2.4.2 (not critical):
Signature Algorithm: RSA-SHA256
Signature:
Other Information:
Fingerprint:
sha1:04e0297bf5bed2239302699b8acce8880bac3d3b
sha256:cc2270f59f27dea652e90a0451d235e37c9b7bf64d1712aaf8a9709351ba3721
Public Key ID:
sha1:6752bef04694d1fe2d0483c6ac18fcabfb690508
sha256:fcdedeb113ed0f8de4f04b9965420a31d9f0af5d3917c70e7f76560933fa1cf7
Public Key PIN:
pin-sha256:/N7esRPtD43k8EuZZUIKMdnwr105F8cOf3ZWCTP6HPc=
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
```
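An added example (not part of the original message and not GnuTLS code): a Python diagnostic that reads `gnutls-cli -V` output like the above and reports when the verification failure is an incomplete chain that the certificate's id-ad-caIssuers URI could fill. The function names are hypothetical and the sample is abridged from the output above with the hex fields omitted.

```python
import re

# Abridged from the gnutls-cli -V output above (hex fields omitted).
SAMPLE = """\
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - X.509 Certificate Information:
	Issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
	Subject: CN=chili.xocolatl.com
		Authority Information Access (not critical):
			Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
			Access Location URI: http://ocsp.int-x3.letsencrypt.org
			Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
			Access Location URI: http://cert.int-x3.letsencrypt.org/
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
"""
CA_ISSUERS_OID = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers (RFC 5280)

def parse_chain(text):
    """Return (certs, status); each cert has issuer, subject, ca_issuers."""
    certs, status, method = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"- Certificate\[\d+\] info:", line):
            certs.append({"issuer": None, "subject": None, "ca_issuers": []})
        elif line.startswith("- Status:"):
            status = line[len("- Status:"):].strip()
        elif not certs:
            continue
        elif line.startswith("Issuer:"):
            certs[-1]["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Subject:"):
            certs[-1]["subject"] = line.split(":", 1)[1].strip()
        elif line.startswith("Access Method:"):
            method = line.split(":", 1)[1].split()[0]  # keep the OID only
        elif line.startswith("Access Location URI:"):
            if method == CA_ISSUERS_OID:  # skip OCSP and other access methods
                certs[-1]["ca_issuers"].append(line.split(":", 1)[1].strip())
            method = None
    return certs, status

def diagnose(text):
    """Flag an 'issuer is unknown' failure caused by a missing intermediate."""
    certs, status = parse_chain(text)
    result = {"missing_intermediate": False, "issuer_needed": None, "fetch_from": []}
    if not certs or status is None or "issuer is unknown" not in status:
        return result
    top = certs[-1]  # last certificate the server actually sent
    # A self-issued top certificate means an untrusted root; AIA cannot help.
    if top["issuer"] != top["subject"]:
        # Anything fetched from these URIs is untrusted input (plain HTTP) and
        # must itself chain to a CA in the local trust store.
        result.update(missing_intermediate=True, issuer_needed=top["issuer"],
                      fetch_from=top["ca_issuers"])
    return result
```
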