[gnutls-help] gnutls cert chain for tesco not being verified.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Dec 3 16:22:26 CET 2013


On 12/03/2013 09:35 AM, David Hubner wrote:

> I am having a certificate chain issue. Going to the site 
> https://www.tescobank.com/sss/auth which gets the intermediate cert as well as 
> the site cert. We have the CA cert in the certificate store. 
> 
> It seems gnutls is not verifying the cert chain and I cannot seem to find out 
> why. I am using gnutls 3.1.16. 

the certificate seems to validate for me (using gnutls 3.2.6) with
"gnutls-cli www.tescobank.com" -- can you show the full output of the
above command when you try with 3.1.16 ?

	--dkg


0 dkg@alice:~$ echo | gnutls-cli www.tescobank.com
Processed 156 CA certificate(s).
Resolving 'www.tescobank.com'...
Connecting to '178.17.64.12:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `C=GB,ST=Midlothian,L=Haymarket
Yards,jurisdictionOfIncorporationCountryName=GB,O=Tesco Personal Finance
PLC,businessCategory=Private
Organization,serialNumber=SC173199+CN=www.tescobank.com', issuer
`C=US,O=Entrust\, Inc.,OU=www.entrust.net/rpa is incorporated by
reference,OU=(c) 2009 Entrust\, Inc.,CN=Entrust Certification Authority
- L1E', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-01-15
13:49:50 UTC', expires `2015-01-15 15:04:14 UTC', SHA-1 fingerprint
`f10ba36343860643ffabbd78ce4bacc79572fab0'
	Public Key ID:
		0526e859a4c5614ae325df3bd26c260b51b826b1
	Public key's random art:
		+--[ RSA 2048]----+
		|    +=O.o        |
		|  .oo@o+ .       |
		|   +=+. . .      |
		|  E =. o o       |
		|   o. o S        |
		|     . * .       |
		|      .          |
		|                 |
		|                 |
		+-----------------+

- Certificate[1] info:
 - subject `C=US,O=Entrust\, Inc.,OU=www.entrust.net/CPS is incorporated
by reference,OU=(c) 2006 Entrust\, Inc.,CN=Entrust Root Certification
Authority', issuer `C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by
ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net
Secure Server Certification Authority', RSA key 2048 bits, signed using
RSA-SHA1, activated `2007-01-05 19:20:39 UTC', expires `2017-01-05
19:50:39 UTC', SHA-1 fingerprint `bee772b3190ac84bf831f9607d9889ec6a966c16'
- Certificate[2] info:
 - subject `C=US,O=Entrust\, Inc.,OU=www.entrust.net/rpa is incorporated
by reference,OU=(c) 2009 Entrust\, Inc.,CN=Entrust Certification
Authority - L1E', issuer `C=US,O=Entrust\, Inc.,OU=www.entrust.net/CPS
is incorporated by reference,OU=(c) 2006 Entrust\, Inc.,CN=Entrust Root
Certification Authority', RSA key 2048 bits, signed using RSA-SHA1,
activated `2009-12-10 20:55:43 UTC', expires `2019-12-10 21:25:43 UTC',
SHA-1 fingerprint `179a7696db4322813f1c9572b85033841dec020e'
- Status: The certificate is trusted.
- Description: (TLS1.0-PKIX)-(RSA)-(AES-128-CBC)-(SHA1)
- Session ID:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01:00:01:64:58:52:9D:F9:67:00:00:00:00:57:1E:31:AC
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

0 dkg@alice:~$

