[gnutls-help] gnutls cert chain for tesco not being verified.

David Hubner david.hubner at smoothwall.net
Tue Dec 3 16:34:58 CET 2013


Hi, 

Output is at http://pastebin.com/zeEzaqA0

Thanks
-- 
David Hubner
Software Developer

david.hubner at smoothwall.net
Smoothwall Ltd
1 John Charles Way, Leeds, LS12 6QA United Kingdom
Telephone: USA: 1 800 959 3760 Europe: +44 (0) 8701 999500
www.smoothwall.net

Smoothwall Limited is registered in England, Company Number: 4298247. This
email and any attachments transmitted with it are confidential to the
intended recipient(s) and may not be communicated to any other person or
published by any means without the permission of Smoothwall Limited. Any
opinions stated in this message are solely those of the author.
> On 12/03/2013 09:35 AM, David Hubner wrote:
> > I am having a certificate chain issue. Going to the site
> > https://www.tescobank.com/sss/auth which gets the intermediate cert as
> > well as the site cert. We have the CA cert in the certificate store.
> > 
> > It seems gnutls is not verifying the cert chain and I cannot seem to
> > find out why. I am using gnutls 3.1.16.
> 
> the certificate seems to validate for me (using gnutls 3.2.6) with
> "gnutls-cli www.tescobank.com" -- can you show the full output of the
> above command when you try with 3.1.16 ?
> 
> 	--dkg
> 
> 
> 0 dkg at alice:~$ echo | gnutls-cli www.tescobank.com
> Processed 156 CA certificate(s).
> Resolving 'www.tescobank.com'...
> Connecting to '178.17.64.12:443'...
> - Certificate type: X.509
> - Got a certificate list of 3 certificates.
> - Certificate[0] info:
>  - subject `C=GB,ST=Midlothian,L=Haymarket
> Yards,jurisdictionOfIncorporationCountryName=GB,O=Tesco Personal Finance
> PLC,businessCategory=Private
> Organization,serialNumber=SC173199+CN=www.tescobank.com', issuer
> `C=US,O=Entrust\, Inc.,OU=www.entrust.net/rpa is incorporated by
> reference,OU=(c) 2009 Entrust\, Inc.,CN=Entrust Certification Authority
> - L1E', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-01-15
> 13:49:50 UTC', expires `2015-01-15 15:04:14 UTC', SHA-1 fingerprint
> `f10ba36343860643ffabbd78ce4bacc79572fab0'
> 	Public Key ID:
> 		0526e859a4c5614ae325df3bd26c260b51b826b1
> 	Public key's random art:
> 		+--[ RSA 2048]----+
> 		|    +=O.o        |
> 		|  .oo@o+ .       |
> 		|   +=+. . .      |
> 		|  E =. o o       |
> 		|   o. o S        |
> 		|     . * .       |
> 		|      .          |
> 		+-----------------+
>
> - Certificate[1] info:
>  - subject `C=US,O=Entrust\, Inc.,OU=www.entrust.net/CPS is incorporated
> by reference,OU=(c) 2006 Entrust\, Inc.,CN=Entrust Root Certification
> Authority', issuer `C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by
> ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net
> Secure Server Certification Authority', RSA key 2048 bits, signed using
> RSA-SHA1, activated `2007-01-05 19:20:39 UTC', expires `2017-01-05
> 19:50:39 UTC', SHA-1 fingerprint `bee772b3190ac84bf831f9607d9889ec6a966c16'
> - Certificate[2] info:
>  - subject `C=US,O=Entrust\, Inc.,OU=www.entrust.net/rpa is incorporated
> by reference,OU=(c) 2009 Entrust\, Inc.,CN=Entrust Certification
> Authority - L1E', issuer `C=US,O=Entrust\, Inc.,OU=www.entrust.net/CPS
> is incorporated by reference,OU=(c) 2006 Entrust\, Inc.,CN=Entrust Root
> Certification Authority', RSA key 2048 bits, signed using RSA-SHA1,
> activated `2009-12-10 20:55:43 UTC', expires `2019-12-10 21:25:43 UTC',
> SHA-1 fingerprint `179a7696db4322813f1c9572b85033841dec020e'
> - Status: The certificate is trusted.
> - Description: (TLS1.0-PKIX)-(RSA)-(AES-128-CBC)-(SHA1)
> - Session ID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01:00:01:64:58:52:9D:F9:67:00:00:00:00:57:1E:31:AC
> - Version: TLS1.0
> - Key Exchange: RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed
> 
> - Simple Client Mode:
> 
> 0 dkg at alice:~$
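
An added example, not part of the original thread and not GnuTLS code: a name-only check of the order in which the server sent its certificate list, run on an abridged copy of the output quoted above, where certificate[1] is the Entrust root and certificate[2] is the L1E intermediate. The function names are hypothetical, the DNs are shortened to O and CN, and matching issuer to subject strings shows ordering only; it does not verify any signature.

```python
import re

# Abridged from the gnutls-cli output quoted above: DNs shortened to O and CN,
# wrapped lines rejoined. Constructed sample, not a fresh capture.
SAMPLE = """\
- Certificate[0] info:
 - subject `O=Tesco Personal Finance PLC,CN=www.tescobank.com', issuer `O=Entrust\\, Inc.,CN=Entrust Certification Authority - L1E', RSA key 2048 bits
- Certificate[1] info:
 - subject `O=Entrust\\, Inc.,CN=Entrust Root Certification Authority', issuer `O=Entrust.net,CN=Entrust.net Secure Server Certification Authority', RSA key 2048 bits
- Certificate[2] info:
 - subject `O=Entrust\\, Inc.,CN=Entrust Certification Authority - L1E', issuer `O=Entrust\\, Inc.,CN=Entrust Root Certification Authority', RSA key 2048 bits
"""

# gnutls-cli prints each DN between a backtick and a single quote.
CERT_RE = re.compile(r"subject `(.*?)', issuer `(.*?)'", re.S)

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    norm = lambda dn: " ".join(dn.split())  # undo line wrapping inside a DN
    return [(norm(s), norm(i)) for s, i in CERT_RE.findall(text)]

def order_breaks(chain):
    """Indexes n where certificate[n] is not issued by certificate[n+1]."""
    return [n for n in range(len(chain) - 1) if chain[n][1] != chain[n + 1][0]]

def sort_chain(chain):
    """Reorder by following issuer -> subject links from the leaf (chain[0])."""
    by_subject = {s: (s, i) for s, i in chain}
    ordered, cur = [], chain[0]
    while cur and cur not in ordered:        # stop on a missing issuer or a loop
        ordered.append(cur)
        cur = by_subject.get(cur[1]) if cur[1] != cur[0] else None
    return ordered

if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    print("links that do not follow issuer order:", order_breaks(chain))
    for subject, issuer in sort_chain(chain):
        print(subject, "<-", issuer)
```

On the sample, both links in the list as sent are out of issuer order, and following the names from the leaf gives certificate[0], certificate[2], certificate[1].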


