
Re: How to make apt-transport-https accept security.debian.org bad certificate?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 20/10/15 09:01, Michael Jones wrote:
> no peer certificate available

Correction: needed SNI, will re-test.

mike@mike-laptop3:~$ openssl s_client -showcerts -connect debian.org:443 -servername security.debian.org </dev/null
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
- ---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=debian.org
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
- ---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=debian.org
issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
- ---
No client certificate CA names sent
- ---
SSL handshake has read 5154 bytes and written 449 bytes
- ---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 3072 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0FDEEF23BB374AD9FFD745089144BC133C756C58422B3DD7DE9940D00CF86145
    Session-ID-ctx:
    Master-Key: 860821762543A792192056F4321B2E7DB29E1015BB56375CA198395CFEFFC89FC54F365E2D2E29149C947649D66F9C99
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1445328262
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
- ---
DONE

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----

