Today, 7 August 2011, Kamil Jońca wrote:
> I have a weird problem with some sites using ssl.
> Mozilla _can_ validate the certificate but wget can't, and I don't know if
> it is a debian bug or openssl.
> The whole story begins at
> http://lists.debian.org/debian-user/2011/06/msg00089.html

The certificate chain sent by the website is this:

0.
  s:/1.3.6.1.4.1.311.60.2.1.3=PL/2.5.4.15=Private Organization/serialNumber=0000008723/C=PL/postalCode=50-950/ST=Dolnoslaskie/L=Wroclaw/streetAddress=ul. Rynek 9/11/O=Bank Zachodni WBK S.A./OU=Obszar Operacji Bankowych/CN=www.centrum24.pl
  i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
  issuer hash bae2cbd8/ac12bd91

1.
  s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
  i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
  subject hash bae2cbd8/ac12bd91
  issuer hash facacbc6/b204d74a

2.
  s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
  i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
  subject hash facacbc6/b204d74a
  issuer hash 7651b327/415660c1

Your wget binary wants to validate the certificate sent in position 2,
which is signed by a previous VeriSign Root CA. So it looks for a file
or link named 415660c1.0 in the /usr/lib/ssl/certs/ directory, and
can't find it. Are you sure it doesn't look for a file or link named
b204d74a.0 in the same directory, after that? Normally, it should try
to validate the position 1 certificate with its certificate store.

-- 
Erwann ABALEA <erwann.aba...@keynectis.com>
Département R&D
KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tél.: +33 1 55 64 22 07
http://www.keynectis.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
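
An added illustration, not part of the original message and not OpenSSL code: a Python model of the hash-named file lookup the reply describes, run against a constructed store directory to show which chain position could be anchored. The function names and the store contents are assumptions; the hash values are the ones listed in the message.

```python
import os
import tempfile

# Issuer hashes per chain position, copied from the listing in the message.
# Two values are listed per name; the reply uses the second as the file name.
ISSUER_HASHES = {
    0: ("bae2cbd8", "ac12bd91"),
    1: ("facacbc6", "b204d74a"),
    2: ("7651b327", "415660c1"),
}


def hashed_files(certs_dir, name_hash):
    """Return existing <hash>.0, <hash>.1, ... names, stopping at the first gap."""
    found, n = [], 0
    while os.path.exists(os.path.join(certs_dir, f"{name_hash}.{n}")):
        found.append(f"{name_hash}.{n}")
        n += 1
    return found


def issuer_lookup_report(certs_dir, issuer_hashes=ISSUER_HASHES):
    """Map each chain position to the store files that could hold its issuer."""
    return {
        position: [f for h in hashes for f in hashed_files(certs_dir, h)]
        for position, hashes in sorted(issuer_hashes.items())
    }


def first_anchored_position(report):
    """Lowest chain position whose issuer has a candidate file in the store."""
    return next((p for p in sorted(report) if report[p]), None)


def demo():
    # Constructed store: it holds b204d74a.0 but no 415660c1.0 (hypothetical).
    with tempfile.TemporaryDirectory() as store:
        open(os.path.join(store, "b204d74a.0"), "w").close()
        return issuer_lookup_report(store)


if __name__ == "__main__":
    for position, files in demo().items():
        print(position, files or "no issuer file in store")
```

With this constructed store, the lookup for position 2's issuer finds nothing while position 1's issuer resolves to b204d74a.0, which is the case the reply asks about.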
