[Help-gnutls] gnutls fails to verify server certificate while openssl works

Peter Volkov pva at gentoo.org
Fri Oct 3 13:45:23 CEST 2008


Hello.

I found an issue: while openssl works, gnutls-cli returns:

*** Verifying server certificate failed...

I've tried with gnutls 2.2.5 and 2.5.4.

Commands I've used to test and their outputs are in the attachment.

I think this issue is a rather important problem, as it requires manual
intervention during the first build of the Metasploit package in Gentoo:

Error validating server certificate for 'https://metasploit.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: metasploit.com
 - Valid: from Sun, 01 Apr 2007 22:02:24 GMT until Thu, 01 Apr 2010 22:02:24 GMT
 - Issuer: 07969287, http://certificates.godaddy.com/repository, GoDaddy.com, Inc., Scottsdale, Arizona, US
 - Fingerprint: 20:a7:2e:df:6d:53:10:6c:dc:2a:ca:33:fd:35:76:2c:0e:62:b1:4d
(R)eject, accept (t)emporarily or accept (p)ermanently?

Could you help me to find the root issue? I have not attached the ValiCert
Class 2 certificate, as I think it's installed on most systems. But if you
need it, just ask me.

Thank you in advance.
-- 
Peter.
-------------- next part --------------
peter at camobap ~ $ /usr/bin/gnutls-cli -V --x509cafile /usr/share/ca-certificates/mozilla/ValiCert_Class_2_VA.crt metasploit.com > gnutls-cli.out
Processed 1 CA certificate(s).
Resolving 'metasploit.com'...
Connecting to '216.75.15.231:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1032 bits
 - Secret key: 1023 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 3 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'metasploit.com'.
 # valid since: Mon Apr  2 02:02:24 MSD 2007
 # expires at: Fri Apr  2 02:02:24 MSD 2010
 # serial number: 3F:C9:23
 # fingerprint: 80:7C:0A:A4:88:B8:53:D7:58:1D:66:3B:8C:16:9E:03
 # version: #3
 # public key algorithm: RSA (2048 bits)
 # e [24 bits]: 01:00:01
 # m [2048 bits]: ...
 # Subject's DN: O=metasploit.com,OU=Domain Control Validated,CN=metasploit.com
 # Issuer's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287

 - Certificate[1] info:
 # valid since: Tue Jun 29 21:06:20 MSD 2004
 # expires at: Sat Jun 29 21:06:20 MSD 2024
 # serial number: 01:0D
 # fingerprint: 82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45
 # version: #3
 # public key algorithm: RSA (2048 bits)
 # e [8 bits]: 03
 # m [2048 bits]: ...
 # Subject's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
 # Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com

 - Certificate[2] info:
 # valid since: Thu Nov 16 04:54:37 MSK 2006
 # expires at: Mon Nov 16 04:54:37 MSK 2026
 # serial number: 03:01
 # fingerprint: D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34
 # version: #3
 # public key algorithm: RSA (2048 bits)
 # e [24 bits]: 01:00:01
 # m [2048 bits]: ...
 # Subject's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
 # Issuer's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority


- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Session ID: 69:61:81:42:89:5B:BA:24:4F:12:0D:D9:F5:3E:B5:D1:87:EC:6E:43:4B:60:24:90:33:93:0A:0B:DA:90:3B:7D
*** Verifying server certificate failed...
-------------- next part --------------
peter at camobap ~ $ openssl s_client -CAfile /usr/share/ca-certificates/mozilla/ValiCert_Class_2_VA.crt -connect metasploit.com:443 > openssl.out 2>&1
depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
verify return:1
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify return:1
depth=1 /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
verify return:1
depth=0 /O=metasploit.com/OU=Domain Control Validated/CN=metasploit.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/O=metasploit.com/OU=Domain Control Validated/CN=metasploit.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
subject=/O=metasploit.com/OU=Domain Control Validated/CN=metasploit.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 4629 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 6FCDA1DEA5A5FA20DEC001B9A56DA17138A6B2DFC837A431E65B9DDB9C397C94
    Session-ID-ctx: 
    Master-Key: 7A367CC0186F7FD30A27254E034105002B6683E1BEE945D968B0F48120F43B025F7EEC40DE3CBB9B77E411D38BD4F211
    Key-Arg   : None
    Start Time: 1223033494
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET /
closed
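One check worth running on the gnutls-cli chain listing in the first attachment, added here as an example and not code from the original post or from GnuTLS: does each certificate the server sent come directly after the one it issued, as the TLS handshake specification requires (RFC 4346, section 7.4.2)? The script parses the three Subject/Issuer DN pairs copied from that attachment (embedded inline so it runs offline), reports where that order is broken, and follows the issuer links from the leaf to show the order that would satisfy the rule; on this listing it reports that Certificate[1] is not the issuer of Certificate[0].

```python
import re

# Subject/Issuer DN lines as printed by gnutls-cli for the three certificates
# the server sent, copied from the gnutls-cli.out attachment in the order received.
GNUTLS_CHAIN_LISTING = r"""
 - Certificate[0] info:
 # Subject's DN: O=metasploit.com,OU=Domain Control Validated,CN=metasploit.com
 # Issuer's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287

 - Certificate[1] info:
 # Subject's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
 # Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com

 - Certificate[2] info:
 # Subject's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
 # Issuer's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
"""

DN_LINE = re.compile(r"\s*#\s*(Subject|Issuer)'s DN:\s*(.*)$")


def parse_chain(listing):
    """Return [(subject_dn, issuer_dn), ...] in the order the server sent them."""
    certs, subject = [], None
    for line in listing.splitlines():
        m = DN_LINE.match(line)
        if not m:
            continue
        if m.group(1) == "Subject":
            subject = m.group(2).strip()
        else:
            certs.append((subject, m.group(2).strip()))
            subject = None
    return certs


def check_chain_order(certs):
    """TLS rule: certificate i+1 must be the issuer of certificate i.
    Returns the list of violations (empty when the chain is in order)."""
    return [
        f"Certificate[{i + 1}] is not the issuer of Certificate[{i}]"
        for i in range(len(certs) - 1)
        if certs[i][1] != certs[i + 1][0]
    ]


def reorder_chain(certs):
    """Follow issuer links starting at the leaf (certs[0]) and return the
    indexes in the order the TLS rule expects; stops at a self-signed root
    or when the issuer was not sent at all (as with ValiCert here)."""
    by_subject = {subj: i for i, (subj, _) in enumerate(certs)}
    order = [0]
    while True:
        nxt = by_subject.get(certs[order[-1]][1])
        if nxt is None or nxt in order:
            return order
        order.append(nxt)
```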