Re: Openssl -showcerts "verify error"
On 04/05/2016 23:22, Reco wrote:
> Considering that https://secure.gateway.gov.uk tells me about
> *selecting* a valid certificate - it could mean that your *client*
> became expired recently.
I wondered. The application is a Python package distributed by the UK tax
authority and intended for electronic filing.
Are you thinking it might have its own 'certificate' which it has to
present?
But ... following some other earlier posts by folk using a web browser
to reach the url (and seeming to have success), I tried the same
thing. With a very up-to-date FF, I received:
"Government Gateway Error - Access Denied (12202)
Please ensure that you have selected a valid certificate and that you
are using the correct address. "
I guess this is what you had, as well. I have done this several
times, now, with Firefox (once with Iceweasel) on Debian 7, D6 LTS,
Fedora 23, MS Vista, MS Win7, all different machines, on a few
different IP addresses, and all produce the same response. Do the Tax
people mean that my Firefox(es) have a certificate (I didn't know
that)? And that it is somehow 'invalid'?
I've tried their (linux) application on two different Debian machines,
and their Windows version, on Vista. Exact same results:
"An SSL error occurred while contacting the Gateway server.
This might be for a number of reasons, including if your system time
is set incorrectly.
SSL error code: CERTIFICATE_VERIFY_FAILED"
(The time is good on the machines.)
> Try this:
> openssl s_client -showcerts -connect secure.gateway.gov.uk:443 \
> -CApath /etc/ssl/certs</dev/null
Reco, here's the output. It looks OK to me, unless I'm missing
something. Can I assume that the TLS handshake looks as though it
ought to be OK - in that we are not, or would not be, rejecting or
impairing the negotiation? I'd like to feel that our copies of the CAs, etc., are OK:
ron@debians5:~$ openssl s_client -showcerts -connect
secure.gateway.gov.uk:443 -CApath /etc/ssl/certs </dev/null
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
Server CA - G3
verify return:1
depth=0 /C=GB/ST=London/L=London/O=Department for Work and
Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
verify return:1
---
Certificate chain
0 s:/C=GB/ST=London/L=London/O=Department for Work and
Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
Server CA - G3
-----BEGIN CERTIFICATE-----
MIIFTTCCBDWgAwIBAgIQVvXmnZpU7GpmDQbP2RA+DDANBgkqhkiG9w0BAQUFADCB
[...]
T5A4onjwNgpfTwlfM0BaqhMjii2rrUrWdz++8gPO1SnJNFM5kKwzq8jjj6ezFfZQ
iV/THI2bNvQl6In1tHt8rO8=
-----END CERTIFICATE-----
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
[...]
W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=GB/ST=London/L=London/O=Department for Work and
Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 3043 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 56[...]B6
Session-ID-ctx:
Master-Key: 89[...]43
Key-Arg : None
Start Time: 1462400804
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
ron@debians5:~$
Does this, in the dialogue, matter:
---
No client certificate CA names sent
---
Reco, thanks for having taken the time to think about it, grateful.
regards, Ron.
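The transcript above is the kind of thing people paste into threads like this one and then read by eye. As an added example (not code from the original post or from the Debian or Government Gateway projects), the script below parses an `openssl s_client` transcript and pulls out the fields that actually answer Ron's questions: the "Verify return code" (0 means the chain validated against the CA store given with -CApath), the negotiated protocol and cipher, the subject/issuer of each chain entry with a check that each issuer matches the next subject, and whether the server sent an "Acceptable client certificate CA names" list or the "No client certificate CA names sent" line instead. The first sample is abridged from the output in the post (OU fields and PEM blocks dropped); the second sample, with a verify error and a client-CA list, is constructed here to exercise the other branches and is not real output from any server.

```python
"""Parse the post-handshake summary printed by `openssl s_client`.

Added example; not part of the original mailing-list post.
Works on text captured from s_client (OpenSSL 1.0.x layout).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SClientSummary:
    verify_code: Optional[int] = None      # from "Verify return code: N (text)"
    verify_text: str = ""
    protocol: str = ""                     # from the SSL-Session block
    cipher: str = ""
    chain: List[Tuple[str, str]] = field(default_factory=list)  # (subject, issuer)
    client_ca_names: List[str] = field(default_factory=list)
    client_ca_list_sent: bool = False      # True if "Acceptable client certificate CA names" seen


def parse_s_client(text: str) -> SClientSummary:
    s = SClientSummary()
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = re.match(r"Verify return code:\s*(\d+)\s*\((.*)\)", line)
        if m:
            s.verify_code, s.verify_text = int(m.group(1)), m.group(2)
        elif line.startswith("Protocol"):
            s.protocol = line.split(":", 1)[1].strip()
        elif line.startswith("Cipher") and ":" in line:
            s.cipher = line.split(":", 1)[1].strip()
        elif re.match(r"\d+ s:", line):
            # "N s:<subject>" is followed by an indented "i:<issuer>" line.
            subject = line.split("s:", 1)[1]
            issuer = ""
            if i + 1 < len(lines) and lines[i + 1].strip().startswith("i:"):
                issuer = lines[i + 1].strip()[2:]
                i += 1
            s.chain.append((subject, issuer))
        elif line == "Acceptable client certificate CA names":
            # The server named CAs it will accept client certs from; one DN per line until "---".
            s.client_ca_list_sent = True
            i += 1
            while i < len(lines) and lines[i].strip() not in ("---", ""):
                s.client_ca_names.append(lines[i].strip())
                i += 1
            continue
        i += 1
    return s


def chain_links_ok(s: SClientSummary) -> bool:
    """Each certificate's issuer DN must equal the subject DN of the next one sent."""
    return all(s.chain[k][1] == s.chain[k + 1][0] for k in range(len(s.chain) - 1))


# Abridged from the transcript in the post (OU fields and PEM blocks removed).
SAMPLE_OK = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=GB/O=Department for Work and Pensions/CN=secure.gateway.gov.uk
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
No client certificate CA names sent
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)
---
DONE
"""

# Constructed sample (not real output): failed verification plus a client-CA list.
SAMPLE_CLIENT_AUTH = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=GB/O=Example Gateway/CN=gateway.example.test
   i:/C=GB/O=Example Gateway/CN=Example Server CA
---
Acceptable client certificate CA names
/C=GB/O=Example Gateway/CN=Example Client CA
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE
"""

if __name__ == "__main__":
    for name, sample in (("post", SAMPLE_OK), ("constructed", SAMPLE_CLIENT_AUTH)):
        r = parse_s_client(sample)
        print(name, r.protocol, r.cipher, "verify=%s (%s)" % (r.verify_code, r.verify_text),
              "chain_links_ok=%s" % chain_links_ok(r),
              "client_ca_list_sent=%s" % r.client_ca_list_sent, r.client_ca_names)
```

On the transcript in the post this yields verify code 0 with a consistent two-certificate chain, so the server chain and the local CA store are not what the Python client is objecting to when it reports CERTIFICATE_VERIFY_FAILED. "No client certificate CA names sent" means only that the server offered no list of acceptable client-certificate CAs in this particular handshake; s_client cannot tell you from the outside what the application layer behind the Gateway expects.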