Re: [bug #65009] wget refuses to use legitimate self signed CAs provided


From: Jeffrey Walton
Subject: Re: [bug #65009] wget refuses to use legitimate self signed CAs provided with the --ca-certificate flag
Date: Mon, 11 Dec 2023 14:32:25 -0500

On Mon, Dec 11, 2023 at 9:54 AM anonymous <INVALID.NOREPLY@gnu.org> wrote:
>
> URL:
>   <https://savannah.gnu.org/bugs/?65009>
>
>                  Summary: wget refuses to use legitimate self signed CAs
> provided with the --ca-certificate flag
>                    Group: GNU Wget
>                Submitter: None
>                Submitted: Mon 11 Dec 2023 02:53:19 PM UTC
>                 Category: Program Logic
>                 Severity: 3 - Normal
>                 Priority: 5 - Normal
>                   Status: None
>                  Privacy: Public
>              Assigned to: None
>          Originator Name: David Hadas
>         Originator Email: david.hadas@gmail.com
>              Open/Closed: Open
>                  Release: None
>          Discussion Lock: Any
>         Operating System: Mac OS
>          Reproducibility: Every Time
>            Fixed Release: None
>          Planned Release: None
>               Regression: None
>            Work Required: None
>           Patch Included: None
>
>
>     _______________________________________________________
>
> Follow-up Comments:
>
>
> -------------------------------------------------------
> Date: Mon 11 Dec 2023 02:53:19 PM UTC By: Anonymous
> Release: 1.21
>
> ---
>
> Using mTLS with self signed certificates with various tools, it seems wget
> misbehaves and does not add a legitimate self signed CA provided with the
> --ca-certificate flag to the ca pool used internally.
> (I expect that the same issue exists with TLS).
>
> The CA pem is legitimate and well structured as it is used successfully with
> other tools: (1) curl (see below), (2) standard go client and server.
>
> Wget indicates "Self-signed certificate encountered" as an output although the
> CA pem is provided using --ca-certificate
> Wget provides the same response with and without the --ca-certificate...
>
> ---
>
> Here is an example:
> % ./hack/ping.sh
>
> Connect to remote server using mTLS and self signed certificates
>
> Try Curl:
>
> + curl
> https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> --key prk.pem --cert cert.pem --cacert ca.pem
>                                 <<< Response from the server
> Hello little client,            <<< Response from the server
> happy to serve you today        <<< Response from the server
>                                 <<< Response from the server
> + set +x
>
> Try Wget:
>
> + wget
> https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> --private-key prk.pem --certificate cert.pem --ca-certificate ca.pem
> --2023-12-09 08:43:37--
> https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud/
> Resolving
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> (myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)...
> 169.63.244.138
> Connecting to
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> (myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)|169.63.244.138|:443...
> connected.
> ERROR: cannot verify
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud's
> certificate, issued by ‘CN=test,O=test.research.ibm.com’:
>   Self-signed certificate encountered.
> To connect to
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> insecurely, use `--no-check-certificate'.
> + set +x
>
> ---
>
>
> Example running with debug mode:
> % ./hack/ping.sh
>
> Connect to remote server using mTLS and self signed certificates
>
> Try Curl:
>
> + curl -v
> https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> --key prk.pem --cert cert.pem --cacert ca.pem
> *   Trying 169.63.244.138:443...
> * Connected to
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> (169.63.244.138) port 443 (#0)
> * ALPN: offers h2,http/1.1
> * (304) (OUT), TLS handshake, Client hello (1):
> *  CAfile: ca.pem
> *  CApath: none
> * (304) (IN), TLS handshake, Server hello (2):
> * (304) (IN), TLS handshake, Unknown (8):
> * (304) (IN), TLS handshake, Request CERT (13):
> * (304) (IN), TLS handshake, Certificate (11):
> * (304) (IN), TLS handshake, CERT verify (15):
> * (304) (IN), TLS handshake, Finished (20):
> * (304) (OUT), TLS handshake, Certificate (11):
> * (304) (OUT), TLS handshake, CERT verify (15):
> * (304) (OUT), TLS handshake, Finished (20):
> * SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
> * ALPN: server accepted h2
> * Server certificate:
> *  subject: O=test.research.ibm.com; CN=test
> *  start date: Dec  9 06:42:29 2023 GMT
> *  expire date: Jan  8 06:42:29 2024 GMT
> *  subjectAltName: host
> "myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud"
> matched cert's
> "myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud"
> *  issuer: O=test.research.ibm.com; CN=test
> *  SSL certificate verify ok.
> * using HTTP/2
> * h2 [:method: GET]
> * h2 [:scheme: https]
> * h2 [:authority:
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud]
> * h2 [:path: /]
> * h2 [user-agent: curl/8.1.2]
> * h2 [accept: */*]
> * Using Stream ID: 1 (easy handle 0x147811e00)
> > GET / HTTP/2
> > Host:
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> > User-Agent: curl/8.1.2
> > Accept: */*
> >
> < HTTP/2 200
> < content-type: text/plain; charset=utf-8
> < content-length: 51
> < date: Sat, 09 Dec 2023 06:53:45 GMT
> <
>
> Hello little client,
> happy to serve you today
>
> * Connection #0 to host
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> left intact
> + set +x
>
> Try Wget:
>
> + wget -d
> https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> --private-key prk.pem --certificate cert.pem --ca-certificate ca.pem
> Setting --private-key (privatekey) to prk.pem
> Setting --certificate (certificate) to cert.pem
> Setting --ca-certificate (cacertificate) to ca.pem
> DEBUG output created by Wget 1.21.4 on darwin22.4.0.
>
> Reading HSTS entries from /Users/davidhadas/.wget-hsts
> URI encoding = ‘UTF-8’
> Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
> --2023-12-09 08:53:45--
> https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud/
> Resolving
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> (myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)...
> 169.63.244.138
> Caching
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> => 169.63.244.138
> Connecting to
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> (myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)|169.63.244.138|:443...
> connected.
> Created socket 5.
> Releasing 0x0000600003c62480 (new refcount 1).
> Initiating SSL handshake.
> Handshake successful; connected socket 5 to SSL handle 0x0000000143008200
> certificate:
>   subject: CN=test,O=test.research.ibm.com
>   issuer:  CN=test,O=test.research.ibm.com
> ERROR: cannot verify
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud's
> certificate, issued by ‘CN=test,O=test.research.ibm.com’:
>   Self-signed certificate encountered.
> To connect to
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> insecurely, use `--no-check-certificate'.
> Closed 5/SSL 0x0000000143008200
> + set +x
>
> ---
>
> % wget --version
> GNU Wget 1.21.4 built on darwin22.4.0.
>
> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
> +ntlm +opie -psl +ssl/openssl
>
> Wgetrc:
>     /opt/homebrew/etc/wgetrc (system)
> Locale:
>     /opt/homebrew/Cellar/wget/1.21.4/share/locale
> Compile:
>     clang -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/opt/homebrew/etc/wgetrc"
>     -DLOCALEDIR="/opt/homebrew/Cellar/wget/1.21.4/share/locale" -I.
>     -I../lib -I../lib -I/opt/homebrew/opt/openssl@3/include
>     -I/opt/homebrew/Cellar/libidn2/2.3.4_1/include -DNDEBUG -g -O2
> Link:
>     clang -I/opt/homebrew/Cellar/libidn2/2.3.4_1/include -DNDEBUG -g
>     -O2 -L/opt/homebrew/Cellar/libidn2/2.3.4_1/lib -lidn2
>     -L/opt/homebrew/opt/openssl@3/lib -lssl -lcrypto -ldl -lz
>     ../lib/libgnu.a -liconv -lintl -Wl,-framework -Wl,CoreFoundation
>     -lunistring

Here's a quick analysis, if it helps...

According to OpenSSL docs
(https://www.openssl.org/docs/man1.0.2/man1/verify.html), the error 21
is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE. The error is documented
as:

    no signatures could be verified because the chain contains
    only one certificate and it is not self signed.

It looks like Authority Key Identifier (AKID) does not equal Subject
Key Identifier (SKID). The Subject Key Identifier is an X509
extension, but it appears to be missing from the certificate. I would
expect to see something like this from OpenSSL:

       X509v3 extensions:
           X509v3 Subject Key Identifier:
               62:3D:9D:D5:91:09:AB:FA:02:88:43:8C:AB:BE:A1:01:1D:EB:7D:86
           X509v3 Authority Key Identifier:
               62:3D:9D:D5:91:09:AB:FA:02:88:43:8C:AB:BE:A1:01:1D:EB:7D:86

According to RFC 5280, the AKID is a MUST
(https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1). The
SKID is a SHOULD in end-entity certificates
(https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2). It is
not a MUST for SKID.

If this is the problem, then I expect the following would clear the
issue with an OpenSSL backend:

    [ x509_ext ]
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid,issuer

The Subject Alt Name "Any" (shown below as "DNS:any, DNS:any") is
suspicious. Hostnames must be fully qualified domain names per the
CA/B Baseline Requirements. I did not check the RFCs, but the RFCs
probably allow it.

The Subject Alt Name "127.0.0.1" is also suspicious. I've never seen
localhost's IP address listed in the SAN. I've seen private IP
addresses, but not localhost.

Also, if you want the Common Name (CN) test.research.ibm.com to
validate, then it must also be listed in the Subject Alt Name (SAN).
It cannot be placed in the CN only; it must be in both the CN and SAN.

Jeff

-----
$ export host=myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
$ openssl s_client -connect ${host}:443 -servername ${host} | openssl x509 -text -noout
depth=0 O = research.ibm.com, CN = test.research.ibm.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = research.ibm.com, CN = test.research.ibm.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 O = research.ibm.com, CN = test.research.ibm.com
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e8:a5:d3:b9:e5:65:cd:2e:8c:6c:a1:bc:07:5c:0a:76
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = test.research.ibm.com, CN = test
        Validity
            Not Before: Dec 11 12:08:59 2023 GMT
            Not After : Jan 10 12:08:59 2024 GMT
        Subject: O = research.ibm.com, CN = test.research.ibm.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                62:3D:9D:D5:91:09:AB:FA:02:88:43:8C:AB:BE:A1:01:1D:EB:7D:86
            X509v3 Subject Alternative Name:
                DNS:any, DNS:any, DNS:myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

-----

$ export host=myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
$ openssl s_client -connect ${host}:443 -servername ${host}
CONNECTED(00000003)
depth=0 O = research.ibm.com, CN = test.research.ibm.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = research.ibm.com, CN = test.research.ibm.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 O = research.ibm.com, CN = test.research.ibm.com
verify return:1
---
Certificate chain
 0 s:O = research.ibm.com, CN = test.research.ibm.com
   i:O = test.research.ibm.com, CN = test
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 11 12:08:59 2023 GMT; NotAfter: Jan 10 12:08:59 2024 GMT
---
Server certificate
subject=O = research.ibm.com, CN = test.research.ibm.com
issuer=O = test.research.ibm.com, CN = test
---
Acceptable client certificate CA names
Requested Signature Algorithms:
RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms:
RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 16306 bytes and written 488 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
409769EDBA7F0000:error:0A00045C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:../ssl/record/rec_layer_s3.c:1584:SSL alert number 116
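
The extension settings suggested in the reply, exercised end to end as an added example (not part of the original message or of wget): it builds two throwaway CAs with the same subject name, issues a leaf from the first using the `x509_ext` section, and checks key-identifier linkage and `openssl verify` against each CA. All subject names, file names and helper functions are constructed for illustration; it assumes an OpenSSL 1.1 or later `openssl` on the PATH.

```shell
#!/bin/sh
# Added example. Every subject, host and file name here is constructed.

# make_pki DIR: write a root CA (ca.pem) and a leaf it issues (leaf.pem) into DIR.
make_pki() {
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = example-test-ca
CN = example test root
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ x509_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:server.example.test
# The two lines proposed in the reply:
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key" &&
    openssl req -new -x509 -key "$1/ca.key" -config "$1/ext.cnf" \
        -extensions ca_ext -days 30 -out "$1/ca.pem" &&
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/leaf.key" &&
    openssl req -new -key "$1/leaf.key" -config "$1/ext.cnf" \
        -subj "/O=example/CN=server.example.test" -out "$1/leaf.csr" &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/ext.cnf" -extensions x509_ext \
        -days 30 -out "$1/leaf.pem" 2>/dev/null
}

# key_id CERT NAME: print the hex value of the named key identifier extension,
# or nothing when the certificate does not carry it. Older OpenSSL releases
# prefix the AKID value with "keyid:", so that prefix is stripped.
key_id() {
    openssl x509 -in "$1" -noout -text |
        awk -v name="$2" '
            found { gsub(/ |keyid:/, ""); print; exit }
            index($0, name) { found = 1 }'
}

# ids_match CA LEAF: true when the leaf's AKID equals the CA's SKID.
ids_match() {
    ca_skid=$(key_id "$1" "Subject Key Identifier")
    leaf_akid=$(key_id "$2" "Authority Key Identifier")
    [ -n "$ca_skid" ] && [ "$ca_skid" = "$leaf_akid" ]
}

# verifies CA LEAF: true when the leaf verifies with CA supplied via -CAfile.
verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir "$work/a" "$work/b"
make_pki "$work/a"   # the CA that really issued a/leaf.pem
make_pki "$work/b"   # same subject name, different key

for ca in "$work/a/ca.pem" "$work/b/ca.pem"; do
    if ids_match "$ca" "$work/a/leaf.pem"; then ids=match; else ids=differ; fi
    if verifies "$ca" "$work/a/leaf.pem"; then result=ok; else result=failed; fi
    echo "$ca: key ids $ids, verify $result"
done
```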


