I'm reasonably certain that it has been possible to use 'sslcert'
measurements even when the certificate is expired.

Today, I try to use 'sslcert' with trigger-happy.eu and it fails:

    "alert": {
      "description": 40,
      "level": 2
    },

And no certificate in the JSON output (this is measurement #12166428)

40 is the very general "handshake failure" of TLS.
<https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-6>

Was there a change in Atlas recently? The TLS server does reply:

% gnutls-cli trigger-happy.eu
Processed 167 CA certificate(s).
Resolving 'trigger-happy.eu:443'...
Connecting to '51.254.210.94:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=trigger-happy.eu', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x0359a66c5eb5da799afe079f87416f8d9641, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-01-13 10:46:26 UTC', expires `2018-04-13 10:46:26 UTC', key-ID `sha256:8216c7a7f221f3efcf7e7c3eb1760275d6ebf38d153b74992ee7864147b54435'
        Public Key ID:
                sha1:668c4506a393d9bb633590b68c05d878734d7ffe
                sha256:8216c7a7f221f3efcf7e7c3eb1760275d6ebf38d153b74992ee7864147b54435
        Public key's random art:
                +--[ RSA 2048]----+
                |   +. o++        |
                |  o +*.=..       |
                |   .=o* . . .    |
                |     * B   o     |
                |    . = S   .    |
                |       = .   .   |
                |      +       E  |
                |     . .         |
                |                 |
                +-----------------+

- Certificate[1] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', key-ID `sha256:60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18'
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
