
Re: Openssl -showcerts "verify error"



On Wed, May 4, 2016, at 01:54 PM, Lisi Reisz wrote:
> On Wednesday 04 May 2016 18:40:01 William O'Malley wrote:
> > On Wed, May 4, 2016, at 12:25 PM, Ron Leach wrote:
> > > List, good afternoon,
> > >
> > > I'd appreciate some advice about how to fix an SSL error I'm hitting
> > > while accessing a government website required for online filing.
> > > Oddly, this error has just occurred, but we've been using the service
> > > without difficulty for a few years.
> > >
> > > The SSL failure is reported by the application as an
> > > "SSL Certificate Verification Error"; no other information.
> > >
> > > Using openssl -showcerts, a "verify error" is reported.  Here's the
> > > dialogue - I've skipped the bulk of the certificate texts.
> > >
> > > ron@debians5:~$ openssl s_client -showcerts -connect
> > > secure.gateway.gov.uk:443 </dev/null
> > > CONNECTED(00000003)
> > > depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> > > use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > > Server CA - G3
> > > verify error:num=20:unable to get local issuer certificate
> > > verify return:0
> > > ---
> > > Certificate chain
> > >   0 s:/C=GB/ST=London/L=London/O=Department for Work and
> > > Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
> > >     i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> > > at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > > Server CA - G3
> > > -----BEGIN CERTIFICATE-----
> > > MIIFTTCCBDWgAwIBAgIQVvXmnZpU7GpmDQbP2RA+DDANBgkqhkiG9w0BAQUFADCB
> > > tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> > > [...]
> > > T5A4onjwNgpfTwlfM0BaqhMjii2rrUrWdz++8gPO1SnJNFM5kKwzq8jjj6ezFfZQ
> > > iV/THI2bNvQl6In1tHt8rO8=
> > > -----END CERTIFICATE-----
> > >   1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> > > at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > > Server CA - G3
> > >     i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> > > VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
> > > Primary Certification Authority - G5
> > > -----BEGIN CERTIFICATE-----
> > > MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
> > > yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> > > [...]
> > > W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
> > > Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y=
> > > -----END CERTIFICATE-----
> > > ---
> > > Server certificate
> > > subject=/C=GB/ST=London/L=London/O=Department for Work and
> > > Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
> > > issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> > > use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > > Server CA - G3
> > > ---
> > > No client certificate CA names sent
> > > ---
> > > SSL handshake has read 3043 bytes and written 447 bytes
> > > ---
> > > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > > Server public key is 2048 bit
> > > Secure Renegotiation IS supported
> > > Compression: NONE
> > > Expansion: NONE
> > > SSL-Session:
> > >      Protocol  : TLSv1
> > >      Cipher    : AES256-SHA
> > >      Session-ID: 89[...]F6
> > >      Session-ID-ctx:
> > >      Master-Key: 5A[...]93
> > >      Key-Arg   : None
> > >      Start Time: 1462378147
> > >      Timeout   : 300 (sec)
> > >      Verify return code: 20 (unable to get local issuer certificate)
> > > ---
> > > DONE
> > > ron@debians5:~$
> > >
> > >
> > > I've updated the machine (using synaptic) with the latest
> > > ca_certificates, but the error remains (this is the current output,
> > > after certificate updates).
> > >
> > > The system was working fine last month, but seems to fail today.  I'm
> > > not familiar with the 'behind the scenes' workings of openssl and the
> > > certificate chains, and would appreciate any insight into what might
> > > be going wrong.
> > >
> > > regards, Ron
> >
> > Hi,
> >
> > Have you tried a different browser? I get the following error in Chrome
> > when attempting to log in:
> >
> > ==
> > Sorry, you cannot register with, or log in to the Government Gateway
> > using this certificate provider and web browser combination. These
> > certificates are not currently supported on the Macintosh operating
> > system and Netscape 6.x version browsers on all platforms.
> >
> > Other certificate providers may be added to the Government Gateway
> > later. Please check this site regularly to find out which certificates
> > can be used for online services.
> > ==
> >
> > The site works fine in IE 11. Looks like it is coded in MS ASP.NET,
> > which makes sense. No access to a Debian box right now, unfortunately.
> 
> I just logged in without a problem using Chromium "Version 37.0.2062.120
> Built on Debian 7.6, running on Debian 7.10 (281580) (64-bit)"
> 
> Lisi
> 

Version 50.0.2661.94 of Google Chrome here.

--
Will
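
Reading the `s_client` transcript quoted above: error 20 reported at `depth=1` means OpenSSL could not find, locally, the issuer of the certificate at that depth. The following is an added example, not part of the original thread, that extracts the failing certificate and the issuer it needs from such output; the sample text is condensed from the quoted transcript with the e-mail line wrapping undone, and the function names are this example's own.

```python
import re

# Sample condensed from the s_client transcript quoted in the thread,
# with the e-mail line wrapping undone and the PEM bodies left out.
SAMPLE = """\
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=GB/ST=London/L=London/O=Department for Work and Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
"""

def cn(dn):
    """Return the CN component of a one-line OpenSSL distinguished name."""
    m = re.search(r"/CN=(.*)$", dn)
    return m.group(1) if m else dn

def parse_chain(text):
    """Return [(index, subject, issuer)] from the 'Certificate chain' block."""
    pattern = re.compile(r"^\s*(\d+) s:(.+)\n\s*i:(.+)$", re.M)
    return [(int(m.group(1)), m.group(2).strip(), m.group(3).strip())
            for m in pattern.finditer(text)]

def diagnose(text):
    """Map the first 'verify error' to the certificate and issuer involved."""
    err = re.search(r"^depth=(\d+) (.+)\nverify error:num=(\d+):(.+)$", text, re.M)
    if not err:
        return None
    subject = err.group(2).strip()
    chain = parse_chain(text)
    sent = {s for _, s, _ in chain}           # subjects the server presented
    issuer = next((i for _, s, i in chain if s == subject), None)
    return {
        "num": int(err.group(3)), "reason": err.group(4),
        "depth": int(err.group(1)),
        "failing_cert": cn(subject),
        "needed_issuer": cn(issuer) if issuer else None,
        # False: the issuer was not in the server's chain, so it has to
        # come from the local trust store, where error 20 says it was not found.
        "issuer_sent_by_server": issuer in sent,
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```
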

