
Re: Openssl -showcerts "verify error"



On Wednesday 04 May 2016 18:40:01 William O'Malley wrote:
> On Wed, May 4, 2016, at 12:25 PM, Ron Leach wrote:
> > List, good afternoon,
> >
> > I'd appreciate some advice about how to fix an SSL error I'm hitting
> > while accessing a government website required for online filing.
> > Oddly, this error has just occurred, but we've been using the service
> > without difficulty for a few years.
> >
> > The SSL failure is reported by the application as an
> > "SSL Certificate Verification Error"; no other information.
> >
> > Using openssl -showcerts, a "verify error" is reported.  Here's the
> > dialogue - I've skipped the bulk of the certificate texts.
> >
> > ron@debians5:~$ openssl s_client -showcerts -connect
> > secure.gateway.gov.uk:443 </dev/null
> > CONNECTED(00000003)
> > depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> > use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > Server CA - G3
> > verify error:num=20:unable to get local issuer certificate
> > verify return:0
> > ---
> > Certificate chain
> >   0 s:/C=GB/ST=London/L=London/O=Department for Work and
> > Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
> >     i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> > at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > Server CA - G3
> > -----BEGIN CERTIFICATE-----
> > MIIFTTCCBDWgAwIBAgIQVvXmnZpU7GpmDQbP2RA+DDANBgkqhkiG9w0BAQUFADCB
> > tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> > [...]
> > T5A4onjwNgpfTwlfM0BaqhMjii2rrUrWdz++8gPO1SnJNFM5kKwzq8jjj6ezFfZQ
> > iV/THI2bNvQl6In1tHt8rO8=
> > -----END CERTIFICATE-----
> >   1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> > at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > Server CA - G3
> >     i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> > VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
> > Primary Certification Authority - G5
> > -----BEGIN CERTIFICATE-----
> > MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
> > yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> > [...]
> > W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
> > Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y=
> > -----END CERTIFICATE-----
> > ---
> > Server certificate
> > subject=/C=GB/ST=London/L=London/O=Department for Work and
> > Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
> > issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> > use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > Server CA - G3
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 3043 bytes and written 447 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> >      Protocol  : TLSv1
> >      Cipher    : AES256-SHA
> >      Session-ID: 89[...]F6
> >      Session-ID-ctx:
> >      Master-Key: 5A[...]93
> >      Key-Arg   : None
> >      Start Time: 1462378147
> >      Timeout   : 300 (sec)
> >      Verify return code: 20 (unable to get local issuer certificate)
> > ---
> > DONE
> > ron@debians5:~$
> >
> >
> > I've updated the machine (using synaptic) with the latest
> > ca_certificates, but the error remains (this is the current output,
> > after certificate updates).
> >
> > The system was working fine last month, but seems to fail today.  I'm
> > not familiar with the 'behind the scenes' workings of openssl and the
> > certificate chains, and would appreciate any insight into what might
> > be going wrong.
> >
> > regards, Ron
>
> Hi,
>
> Have you tried a different browser? I get the following error in Chrome
> when attempting to log in:
>
> ==
> Sorry, you cannot register with, or log in to the Government Gateway
> using this certificate provider and web browser combination. These
> certificates are not currently supported on the Macintosh operating
> system and Netscape 6.x version browsers on all platforms.
>
> Other certificate providers may be added to the Government Gateway
> later. Please check this site regularly to find out which certificates
> can be used for online services.
> ==
>
> The site works fine in IE 11. Looks like it is coded in MS ASP.NET,
> which makes sense. No access to a Debian box right now, unfortunately.

I just logged in without a problem using Chromium "Version 37.0.2062.120 Built 
on Debian 7.6, running on Debian 7.10 (281580) (64-bit)"

Lisi

