[Help-gnutls] Certificate verification failed

Dima Barsky dima at ac93.org
Wed Oct 26 22:31:53 CEST 2005


Hello,

I have a small Python application which uses pycurl to
download my bank statements every week. I was using
pycurl built with OpenSSL until recently and the
application worked fine. A few days ago I upgraded the
pycurl and libcurl packages (they are now built with GnuTLS 1.2.8)
and the application stopped working: it no longer accepts the bank's
certificate. This small script illustrates the problem:

#!/usr/bin/python
import pycurl
c = pycurl.Curl()
c.setopt(c.URL, 'https://www2.net.hsbc.com/')
c.setopt(c.VERBOSE, 1)
c.perform()

Here is the script's output:

    * About to connect() to www2.net.hsbc.com port 443
    *   Trying 205.241.15.110... * connected
    * Connected to www2.net.hsbc.com (205.241.15.110) port 443
    * found 99 certificates in /etc/ssl/certs/ca-certificates.crt
    * server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt
    * Closing connection #0
    Traceback (most recent call last):
      File "test.py", line 6, in ?
        c.perform()
    pycurl.error: (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt')

Initially I thought the problem was either in pycurl or libcurl.
However, when I tried to verify the site's certificate with gnutls-cli
it also failed:

$ gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt www2.net.hsbc.com
Processed 99 CA certificate(s).
Resolving 'www2.net.hsbc.com'...
Connecting to '205.241.15.110:443'...
- Certificate type: X.509
 - Got a certificate list of 3 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'www2.net.hsbc.com'.
 # valid since: Wed May  4 01:00:00 BST 2005
 # expires at: Fri May  5 00:59:59 BST 2006
 # serial number: 0A:C6:FC:D0:29:5D:8F:82:A3:4F:70:00:21:43:88:B2
 # fingerprint: 8C:42:11:CD:D1:AE:AB:9B:73:75:46:BB:C4:9C:D2:5E
 # version: #3
 # public key algorithm: RSA (1024 bits)
 # e [24 bits]: 01:00:01
 # m [1032 bits]: 00:BD:2A:31:5C:D6:59:F8:43:BC:A7:DB:B2:FB:06:9C:DA:30:91:F7:C2:CE:2C:86:94:14:FF:8E:C2:6F:88:E8:F5:A5:F8:11:40:CE:2D:F3:F2:12:BF:DB:A0:C8:06:85:1C:41:1F:EA:C0:7C:69:6A:A5:CD:37:74:74:4B:DE:19:CF:43:DA:96:E5:E3:5A:18:F1:4B:EA:CC:F7:42:93:82:8A:63:E8:8B:6C:7B:0B:08:6E:7D:EF:2C:E6:14:CB:02:C6:BE:3D:4C:EA:8D:AD:4E:EF:D4:D3:00:FA:2B:FD:0A:51:66:4B:AA:EE:7E:F1:D6:1E:A0:28:CF:60:CE:8E:83:8B
 # Subject's DN: C=US,ST=New Jersey,L=Jersey City,O=hsbc.com\, inc.,OU=ny02www2-2005,OU=Terms of use at www.verisign.com/rpa (c)00,CN=www2.net.hsbc.com
 # Issuer's DN: O=VeriSign Trust Network,OU=VeriSign\, Inc.,OU=VeriSign International Server CA - Class 3,OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

 - Certificate[1] info:
 # valid since: Thu Apr 17 01:00:00 BST 1997
 # expires at: Tue Oct 25 00:59:59 BST 2011
 # serial number: 25:4B:8A:85:38:42:CC:E3:58:F8:C5:DD:AE:22:6E:A4
 # fingerprint: BC:0A:51:FA:C0:F4:7F:DC:62:1C:D8:E1:15:43:4E:CC
 # version: #3
 # public key algorithm: RSA (1024 bits)
 # e [24 bits]: 01:00:01
 # m [1032 bits]: 00:D8:82:80:E8:D6:19:02:7D:1F:85:18:39:25:A2:65:2B:E1:BF:D4:05:D3:BC:E6:36:3B:AA:F0:4C:6C:5B:B6:E7:AA:3C:73:45:55:B2:F1:BD:EA:97:42:ED:9A:34:0A:15:D4:A9:5C:F5:40:25:DD:D9:07:C1:32:B2:75:6C:C4:CA:BB:A3:FE:56:27:71:43:AA:63:F5:30:3E:93:28:E5:FA:F1:09:3B:F3:B7:4D:4E:39:F7:5C:49:5A:B8:C1:1D:D3:B2:8A:FE:70:30:95:42:CB:FE:2B:51:8B:5A:3C:3A:F9:22:4F:90:B2:02:A7:53:9C:4F:34:E7:AB:04:B2:7B:6F
 # Subject's DN: O=VeriSign Trust Network,OU=VeriSign\, Inc.,OU=VeriSign International Server CA - Class 3,OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority

 - Certificate[2] info:
 # valid since: Mon Jan 29 00:00:00 GMT 1996
 # expires at: Wed Aug  2 00:59:59 BST 2028
 # serial number: 70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF
 # fingerprint: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
 # version: #1
 # public key algorithm: RSA (1024 bits)
 # e [24 bits]: 01:00:01
 # m [1032 bits]: 00:C9:5C:59:9E:F2:1B:8A:01:14:B4:10:DF:04:40:DB:E3:57:AF:6A:45:40:8F:84:0C:0B:D1:33:D9:D9:11:CF:EE:02:58:1F:25:F7:2A:A8:44:05:AA:EC:03:1F:78:7F:9E:93:B9:9A:00:AA:23:7D:D6:AC:85:A2:63:45:C7:72:27:CC:F4:4C:C6:75:71:D2:39:EF:4F:42:F0:75:DF:0A:90:C6:8E:20:6F:98:0F:F8:AC:23:5F:70:29:36:A4:C9:86:E7:B1:9A:20:CB:53:A5:85:E7:3D:BE:7D:9A:FE:24:45:33:DC:76:15:ED:0F:A2:71:64:4C:65:2E:81:68:45:A7
 # Subject's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority


- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: ARCFOUR 128
- MAC: MD5
- Compression: NULL
*** Verifying server certificate failed...


I don't see anything wrong with this certificate. Both mozilla-firefox
and openssl accept it without any problem. Is it a bug in gnutls, or
am I doing something wrong?

Regards,
Dima.
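Editor's note (not part of Dima's message or of GnuTLS/pycurl): gnutls-cli prints one structural detail that is easy to miss in the dump above. Certificate[2], the self-signed VeriSign root, is "version: #1". An X.509v1 certificate has no extensions field, so it cannot carry basicConstraints, and stricter verifiers treat such a certificate as unfit to act as a CA unless explicitly told otherwise (GnuTLS exposes a verification flag, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, for exactly this case). Whether that is the cause of Dima's failure is not established by the post; the example below only shows how to walk a chain and surface that kind of finding. It is an added, self-contained Python script, not code from the thread: it contains a tiny DER encoder used solely to build three CONSTRUCTED stand-in certificates (the same DNs, validity dates and versions as the gnutls-cli output, but dummy keys and signatures), and a matching DER reader plus `check_chain`, which reports validity, issuer/subject linkage, and whether each issuing certificate is v1 or lacks cA=TRUE. Signatures are never verified, and every name in the code (`tlv`, `make_cert`, `check_chain`, `POST_DATE`, ...) is mine.

```python
"""Structural walk of a DER certificate chain, mirroring gnutls-cli's per-cert dump.  Added
example for this thread, not GnuTLS/pycurl code; the sample chain is CONSTRUCTED (thread's
DNs, dates and versions, dummy keys and signatures) and no signature is ever verified."""
import datetime
def tlv(tag, body):                    # DER tag-length-value, lengths up to 65535
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body
def seq(*parts): return tlv(0x30, b"".join(parts))
def utctime(y, m, d): return tlv(0x17, f"{y % 100:02d}{m:02d}{d:02d}000000Z".encode())
def oid(dotted):                       # base-128 arcs, first two arcs merged into one byte
    a = [int(p) for p in dotted.split(".")]
    out = [40 * a[0] + a[1]]
    for p in a[2:]:
        chunk = [p & 0x7F]
        while p := p >> 7:
            chunk.insert(0, 0x80 | (p & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

ATTR = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
OID_NAMES = {oid(v)[2:]: k for k, v in ATTR.items()}      # raw OID bytes -> attribute name
BC_OID, NULL, TRUE = oid("2.5.29.19"), tlv(0x05, b""), tlv(0x01, b"\xff")   # id-ce-basicConstraints
POST_DATE = datetime.datetime(2005, 10, 26)               # the day of the original post

def name(rdns):                        # [(attr, value), ...] -> Name with one attribute per RDN
    return seq(*[tlv(0x31, seq(oid(ATTR[k]), tlv(0x0C, v.encode()))) for k, v in rdns])

def make_cert(version, serial, issuer, subject, not_before, not_after, ca=False):
    # v1 omits the [0] version field and cannot carry extensions, exactly like the thread's root.
    alg = seq(oid("1.2.840.113549.1.1.5"), NULL)                        # sha1WithRSAEncryption
    spki = seq(seq(oid("1.2.840.113549.1.1.1"), NULL), tlv(0x03, b"\x00" * 17))  # dummy key
    tbs = [tlv(0xA0, tlv(0x02, b"\x02"))] if version == 3 else []       # [0] EXPLICIT INTEGER v3(2)
    tbs += [tlv(0x02, bytes([serial])), alg, name(issuer),
            seq(utctime(*not_before), utctime(*not_after)), name(subject), spki]
    if version == 3 and ca:                                             # [3] Extensions: cA=TRUE
        tbs.append(tlv(0xA3, seq(seq(BC_OID, TRUE, tlv(0x04, seq(TRUE))))))
    return seq(seq(*tbs), alg, tlv(0x03, b"\x00" * 17))                 # dummy signature

def read_tlv(buf, pos=0):              # -> (tag, value, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                                       # long-form length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def children(body):                    # (tag, value) of every element directly inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_name(body):                  # -> "C=US,O=...,CN=..." in the order gnutls-cli prints it
    return ",".join(f"{OID_NAMES.get(o, '?')}={v.decode()}"
                    for _, rdn in children(body) for _, atv in children(rdn)
                    for (_, o), (_, v) in [children(atv)])

def parse_utctime(val):                # RFC 5280 4.1.2.5.1: YY 50-99 => 19xx, 00-49 => 20xx
    s, yy = val.decode(), int(val[:2])
    return datetime.datetime(1900 + yy if yy >= 50 else 2000 + yy, int(s[2:4]), int(s[4:6]))

def parse_cert(der):
    (_, tbs), _alg, _sig = children(read_tlv(der)[1])
    fields = children(tbs)
    # [0] EXPLICIT INTEGER version; when the field is absent the certificate is v1
    version = 1 + int.from_bytes(fields.pop(0)[1][2:], "big") if fields[0][0] == 0xA0 else 1
    issuer, (nb, na), subject = fields[2][1], children(fields[3][1]), fields[4][1]
    ca = None                                                           # None: no basicConstraints
    for _, ext in sum([children(children(b)[0][1]) for t, b in fields[6:] if t == 0xA3], []):
        parts = children(ext)                                           # OID, [critical], OCTET STRING
        if parts[0][1] == BC_OID[2:]:
            ca = children(children(parts[-1][1])[0][1])[:1] == [(0x01, b"\xff")]
    return {"version": version, "issuer": parse_name(issuer), "subject": parse_name(subject),
            "not_before": parse_utctime(nb[1]), "not_after": parse_utctime(na[1]), "ca": ca}

def check_chain(ders, now):
    # -> (parsed certs, findings); no findings = structurally acceptable to a strict verifier.
    certs, findings = [parse_cert(d) for d in ders], []
    for i, c in enumerate(certs):
        if not c["not_before"] <= now <= c["not_after"]:
            findings.append(f"cert[{i}] not valid on {now:%Y-%m-%d}")
        if i + 1 < len(certs) and c["issuer"] != certs[i + 1]["subject"]:
            findings.append(f"cert[{i}] issuer does not match cert[{i + 1}] subject")
        if i > 0 and c["version"] == 1:                                 # cert[i] signs cert[i-1]
            findings.append(f"cert[{i}] is X.509v1: no extensions, so no basicConstraints; "
                            "strict verifiers refuse v1 CA certificates unless told to allow them")
        elif i > 0 and not c["ca"]:
            findings.append(f"cert[{i}] lacks basicConstraints cA=TRUE")
    return certs, findings

# Constructed stand-ins for the three certificates in the gnutls-cli output above.
LEAF = [("C", "US"), ("O", "hsbc.com, inc."), ("CN", "www2.net.hsbc.com")]
INTER = [("O", "VeriSign Trust Network"), ("OU", "VeriSign International Server CA - Class 3")]
ROOT = [("C", "US"), ("O", "VeriSign, Inc."), ("OU", "Class 3 Public Primary Certification Authority")]
CHAIN = [make_cert(3, 1, INTER, LEAF, (2005, 5, 4), (2006, 5, 5)),
         make_cert(3, 2, ROOT, INTER, (1997, 4, 17), (2011, 10, 25), ca=True),
         make_cert(1, 3, ROOT, ROOT, (1996, 1, 29), (2028, 8, 2))]

if __name__ == "__main__": print(*check_chain(CHAIN, POST_DATE)[1], sep="\n")
```

Run as a script it prints a single finding, for cert[2]: the dates are fine and each issuer matches the next subject, so the only thing a strict verifier can object to in this constructed chain is the v1 root. Against a real chain you would feed `check_chain` the DER blobs from the TLS handshake (the `-V` dump above is the same information in text form) and, if the v1 finding is what you get, decide deliberately whether to allow v1 CA certificates rather than disabling verification; a v1 root is weaker than a v3 one precisely because nothing in it states that it may act as a CA.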