Sorry for top-post - webmail :(

In TLS, the server should not send the root certificate - it sends the chain up to, but not including, the root certificate.

From (sorry) http://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx

    Server Certificate Message
    The server sends its certificate to the client. The server certificate contains the server's public key. The client uses this key to authenticate the server and to encrypt the Premaster Secret. The Server Certificate message includes:
    - The server's certificate list. The first certificate in the list is the server's X.509v3 certificate that contains the server's public key.
    - Other validating certificates. All other validating certificates, up to but not including the root certificate from the CA, signed by the CA.

Carl

From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on behalf of Cristian Thiago Moecke [cont...@cristiantm.com.br]
Sent: 18 June 2013 11:43
To: openssl-users@openssl.org
Subject: Re: Is it possible to grab CA certificate?

If the only certificate that is shown is the server certificate, the server is not providing the certificate chain, only the server certificate. This way, you won't be able to get the CA certificate from the SSL connection. Maybe your network admins want to fix that too.

What is strange is that exceptions are not working as expected. Is there any chance that the certificate is changing from time to time? I really think you will need to discuss what is happening with the server admins.

On Tue, Jun 18, 2013 at 3:07 AM, A A <wemp...@gmail.com> wrote:

    When I go to SSL site I see this message in fx:

    "You have asked Firefox to connect securely to news.ycombinator.com, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified. What Should I Do? If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

    news.ycombinator.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)"

    And then I go to Add exception -> View -> Details tab -> Certificate hierarchy, but there is only news.ycombinator.com present. When I export it and try to import it into fx I get: "This is not a certificate authority certificate, so it can't be imported into the certificate authority list." So I think this is not a CA certificate but a server certificate.

    And about recurring errors on the same site: I have a number of server exceptions in the "Servers" list under my company custom CA certificate in Advanced -> View Certificates -> Servers. All of them are marked "Permanent". Nevertheless, the error page I described above appears from time to time even on sites that I have previously added to a trusted list. It's extremely annoying and I don't know why this happens. I use Firefox 21.

    ______________________________________________________________________
    OpenSSL Project                                 http://www.openssl.org
    User Support Mailing List                    openssl-users@openssl.org
    Automated List Manager                           majord...@openssl.org

--
-- Cristian Thiago Moecke