Last active
October 13, 2021 14:58
-
-
Save ThomasKoppensteiner/a0c6e41a25bbaf660a4d2d15cb700ab9 to your computer and use it in GitHub Desktop.
Ruby SSL verify test szenarios
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$ ruby -v | |
jruby 9.3.0.0 (2.6.8) 2021-09-17 85c20e780f OpenJDK 64-Bit Server VM 11+28 on 11+28 [darwin-x86_64] | |
$ ruby ./script.rb | |
./script.rb:76: warning: already initialized constant OpenSSL::SSL::VERIFY_PEER | |
./script.rb:92: warning: already initialized constant OpenSSL::SSL::VERIFY_PEER | |
Scenario 0: only root A, only chain A | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 91299735575339953335919266965803778155>, | |
not_before=2000-09-30 21:12:19 UTC, | |
not_after=2021-09-30 14:01:15 UTC>] | |
Cert store error: | |
10 | |
certificate has expired | |
Scenario 1: root A before B, chain A before B | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 91299735575339953335919266965803778155>, | |
not_before=2000-09-30 21:12:19 UTC, | |
not_after=2021-09-30 14:01:15 UTC>] | |
Cert store error: | |
10 | |
certificate has expired | |
Scenario 2: root A before B, chain B before A | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078200265644417569109389142156118711>, | |
not_before=2021-01-20 19:14:03 UTC, | |
not_after=2024-09-30 18:14:03 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 91299735575339953335919266965803778155>, | |
not_before=2000-09-30 21:12:19 UTC, | |
not_after=2021-09-30 14:01:15 UTC>] | |
Cert store error: | |
10 | |
certificate has expired | |
Scenario 3: root B before A, chain A before B | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 91299735575339953335919266965803778155>, | |
not_before=2000-09-30 21:12:19 UTC, | |
not_after=2021-09-30 14:01:15 UTC>] | |
Cert store error: | |
10 | |
certificate has expired | |
Scenario 4: root B before A, chain B before A | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078200265644417569109389142156118711>, | |
not_before=2021-01-20 19:14:03 UTC, | |
not_after=2024-09-30 18:14:03 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 91299735575339953335919266965803778155>, | |
not_before=2000-09-30 21:12:19 UTC, | |
not_after=2021-09-30 14:01:15 UTC>] | |
Cert store error: | |
10 | |
certificate has expired | |
Scenario 5: root A before B and expired last, chain A before B | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 91299735575339953335919266965803778155>, | |
not_before=2000-09-30 21:12:19 UTC, | |
not_after=2021-09-30 14:01:15 UTC>] | |
Cert store error: | |
10 | |
certificate has expired | |
Scenario 6: root A before B and expired last, chain B before A | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078200265644417569109389142156118711>, | |
not_before=2021-01-20 19:14:03 UTC, | |
not_after=2024-09-30 18:14:03 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 91299735575339953335919266965803778155>, | |
not_before=2000-09-30 21:12:19 UTC, | |
not_after=2021-09-30 14:01:15 UTC>] | |
Cert store error: | |
10 | |
certificate has expired | |
Scenario 7: root B before A and expired last, chain A before B | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 91299735575339953335919266965803778155>, | |
not_before=2000-09-30 21:12:19 UTC, | |
not_after=2021-09-30 14:01:15 UTC>] | |
Cert store error: | |
10 | |
certificate has expired | |
Scenario 8: root B before A and expired last, chain B before A | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 172886928669790476064670243504169061120>, | |
not_before=2015-06-04 11:04:38 UTC, | |
not_after=2035-06-04 11:04:38 UTC>] | |
Cert store error: | |
0 | |
ok |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$ ruby -v | |
ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-darwin19] | |
$ ruby ./script.rb | |
./script.rb:76: warning: already initialized constant OpenSSL::SSL::VERIFY_PEER | |
./script.rb:92: warning: already initialized constant OpenSSL::SSL::VERIFY_PEER | |
./script.rb:76: warning: previous definition of VERIFY_PEER was here | |
Scenario 0: only root A, only chain A | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 91299735575339953335919266965803778155>, | |
not_before=2000-09-30 21:12:19 UTC, | |
not_after=2021-09-30 14:01:15 UTC>] | |
Cert store error: | |
10 | |
certificate has expired | |
Scenario 1: root A before B, chain A before B | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078200265644417569109389142156118711>, | |
not_before=2021-01-20 19:14:03 UTC, | |
not_after=2024-09-30 18:14:03 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 91299735575339953335919266965803778155>, | |
not_before=2000-09-30 21:12:19 UTC, | |
not_after=2021-09-30 14:01:15 UTC>] | |
Cert store error: | |
0 | |
ok | |
Scenario 2: root A before B, chain B before A | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078200265644417569109389142156118711>, | |
not_before=2021-01-20 19:14:03 UTC, | |
not_after=2024-09-30 18:14:03 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 91299735575339953335919266965803778155>, | |
not_before=2000-09-30 21:12:19 UTC, | |
not_after=2021-09-30 14:01:15 UTC>] | |
Cert store error: | |
0 | |
ok | |
Scenario 3: root B before A, chain A before B | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 172886928669790476064670243504169061120>, | |
not_before=2015-06-04 11:04:38 UTC, | |
not_after=2035-06-04 11:04:38 UTC>] | |
Cert store error: | |
0 | |
ok | |
Scenario 4: root B before A, chain B before A | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 172886928669790476064670243504169061120>, | |
not_before=2015-06-04 11:04:38 UTC, | |
not_after=2035-06-04 11:04:38 UTC>] | |
Cert store error: | |
0 | |
ok | |
Scenario 5: root A before B and expired last, chain A before B | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078200265644417569109389142156118711>, | |
not_before=2021-01-20 19:14:03 UTC, | |
not_after=2024-09-30 18:14:03 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 91299735575339953335919266965803778155>, | |
not_before=2000-09-30 21:12:19 UTC, | |
not_after=2021-09-30 14:01:15 UTC>] | |
Cert store error: | |
0 | |
ok | |
Scenario 6: root A before B and expired last, chain B before A | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078200265644417569109389142156118711>, | |
not_before=2021-01-20 19:14:03 UTC, | |
not_after=2024-09-30 18:14:03 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 91299735575339953335919266965803778155>, | |
not_before=2000-09-30 21:12:19 UTC, | |
not_after=2021-09-30 14:01:15 UTC>] | |
Cert store error: | |
0 | |
ok | |
Scenario 7: root B before A and expired last, chain A before B | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 172886928669790476064670243504169061120>, | |
not_before=2015-06-04 11:04:38 UTC, | |
not_after=2035-06-04 11:04:38 UTC>] | |
Cert store error: | |
0 | |
ok | |
Scenario 8: root B before A and expired last, chain B before A | |
Chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=DST Root CA X3,O=Digital Signature Trust Co.>, | |
serial=#<OpenSSL::BN 85078157426496920958827089468591623647>, | |
not_before=2020-10-07 19:21:40 UTC, | |
not_after=2021-09-29 19:21:40 UTC>] | |
Cert store chain: | |
[#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=geoip.elastic.dev>, | |
issuer=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
serial=#<OpenSSL::BN 435452651231011312001825766803379554023895>, | |
not_before=2021-08-11 09:01:37 UTC, | |
not_after=2021-11-09 09:01:35 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=R3,O=Let's Encrypt,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 192961496339968674994309121183282847578>, | |
not_before=2020-09-04 00:00:00 UTC, | |
not_after=2025-09-15 16:00:00 UTC>, | |
#<OpenSSL::X509::Certificate | |
subject=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
issuer=#<OpenSSL::X509::Name CN=ISRG Root X1,O=Internet Security Research Group,C=US>, | |
serial=#<OpenSSL::BN 172886928669790476064670243504169061120>, | |
not_before=2015-06-04 11:04:38 UTC, | |
not_after=2035-06-04 11:04:38 UTC>] | |
Cert store error: | |
0 | |
ok |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Inspired by: https://gist.github.com/jsvd/cdd0b7421bac7b2a00d64b644eba12c4 | |
# reproducer for https://github.com/jruby/jruby-openssl/issues/236 | |
# If a certificate has two trust paths, jruby doesn't prioritize using non expired certificates, while CRuby (openssl 1.1.1+) does | |
# In this reproducer we have a leaf certificate with two possible chains: | |
# a) leaf -> intermediate cert A -> ISRG Root X1 cross-signed by (expired) DST ROOT CA X3 -> (expired) DST ROOT CA X3 | |
# b) leaf -> intermediate cert B -> ISRG Root X1 | |
# JRuby will produce chain a) causing an error, while CRuby produces a valid chain b) | |
require 'openssl' | |
require 'net/http' | |
def cert_from_url(url) | |
txt = Net::HTTP.get(URI(url)) | |
OpenSSL::X509::Certificate.new(txt) | |
end | |
LEAF_CERTIFICATE = OpenSSL::X509::Certificate.new %q[ | |
-----BEGIN CERTIFICATE----- | |
MIIFKDCCBBCgAwIBAgISBP+uKglvwxGq302F+yCqxvnXMA0GCSqGSIb3DQEBCwUA | |
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD | |
EwJSMzAeFw0yMTA4MTEwOTAxMzdaFw0yMTExMDkwOTAxMzVaMBwxGjAYBgNVBAMT | |
EWdlb2lwLmVsYXN0aWMuZGV2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC | |
AQEAtazxd/2FWW1O5evHkDnPi4vcZJDFxs8V0tlI2ppf/OTymlBHMbzBE3BsUEP7 | |
SkT+6kPnqQoy85S66zT4f2XyQfSWUZJeMPMcODl5P0SXEBlKv+ElRYvrsUpuc0ZH | |
ZTIM3+ueUY5M3Xmo9ao+I5evahr4Pf1laRWhHRLzFdKiMn7r1/qXf+PzKqZlzLng | |
cULtVpCTZlOk7CwrsAxwTYdFe1Z0b2ebKs793Ghag2V3D2YtCMuqLa1GP1sBsFRT | |
v1XPehXb5UOWffp3RJnUoG3n7K5cPI6G+fUAGRF3wxKuH+PYyW6/irb5+v4CVVSi | |
z+f29zDYeOc+baWGWFfymktslwIDAQABo4ICTDCCAkgwDgYDVR0PAQH/BAQDAgWg | |
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G | |
A1UdDgQWBBQ23ntd4n192uVjxt9C0B18QYWMyzAfBgNVHSMEGDAWgBQULrMXt1hW | |
y65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6 | |
Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iu | |
b3JnLzAcBgNVHREEFTATghFnZW9pcC5lbGFzdGljLmRldjBMBgNVHSAERTBDMAgG | |
BmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz | |
LmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB1AH0+8viP | |
/4hVaCTCwMqeUol5K8UOeAl/LmqXaJl+IvDXAAABezSpB0oAAAQDAEYwRAIgC5B1 | |
huzXAJCbtfWO5GGMVj930XNoNPGQj6o8yJfMQnMCIBdlncSV2rymFbZG7Q2PSAim | |
7/PkW/2qD3Vt8Ald8u3DAHcARJRlLrDuzq/EQAfYqP4owNrmgr7YyzG1P9MzlrW2 | |
gagAAAF7NKkJHAAABAMASDBGAiEAnWU3nUNjdHdrE62v0y45WDLj6eyfXkIxAh9Z | |
GAA2wJACIQDtKZNFze3mAj7pE6m3AZMfnq4N0VvO2Ahr0HbpN/xWzDANBgkqhkiG | |
9w0BAQsFAAOCAQEABWFFyolbYnyqDA8ckU0Lm7btCM78CeljjKxVCGTqhlntJhhH | |
NBJcRArzCBkres7Z4yySiJ1vSUXNVvGITVCi2d/zJ5SxBDoT5v8IjEb98KH//9u3 | |
Jb1CfuEADhnEUXjyf4GeIiTHtdKX36jGwTRO3YIa52G6HONbOnQBgcwn8FpYJdIj | |
3C58o5AxWRcVVQbaCFxjGcCLSUSQsJxzilsYE+xVqc+d5GftG3Nmy6l3Ht84693n | |
UwMrb/rlsQC163gtdVEN/GFCeLU+UfFGuSeCmUM3SmAIVfD/yjLvisVpf70pV0Jg | |
p1Px196NI71smu8LxrhX78ErTrR4GpDkx4W+uw== | |
-----END CERTIFICATE----- | |
] | |
EXPIRED_DST_ROOT_CA_X3 = OpenSSL::X509::Certificate.new %q[ | |
-----BEGIN CERTIFICATE----- | |
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ | |
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT | |
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow | |
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD | |
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB | |
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O | |
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq | |
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b | |
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw | |
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD | |
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV | |
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG | |
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 | |
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr | |
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz | |
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 | |
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo | |
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ | |
-----END CERTIFICATE----- | |
] | |
# HINT: Disable SSL verfication for fetching certs | |
org_value = OpenSSL::SSL::VERIFY_PEER | |
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE | |
# Intermediate cert from expired CA (A) | |
CHAIN_A_INTERMEDIATE_CERT_EXPIRED_CA = cert_from_url("https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem") | |
# Valid Intermediate cert (B) | |
CHAIN_B_INTERMEDIATE_CERT_VALID = cert_from_url("https://letsencrypt.org/certs/lets-encrypt-r3.pem") | |
# ISRG Root X1 cross-signed by (expired) DST ROOT CA X3 (root for A) | |
CHAIN_A_CROSS_SIGNED_ISRG_ROOT_X1_CERT = cert_from_url("https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem") | |
# active ISRG Root X1 (root for B) | |
CHAIN_B_ACTIVE_ISRG_ROOT_X1_CERT = cert_from_url("https://letsencrypt.org/certs/isrgrootx1.pem") | |
OpenSSL::SSL::VERIFY_PEER = org_value | |
def verfiy_chain(root_bundle, chain) | |
cert_store = OpenSSL::X509::Store.new | |
root_bundle.each {|cert| cert_store.add_cert cert } | |
# let's try to validate the leaf+chain against the root bundle | |
cert_store.verify(LEAF_CERTIFICATE, chain) | |
puts "Chain:" | |
pp chain | |
puts "Cert store chain:" | |
pp cert_store.chain | |
puts "Cert store error:" | |
puts cert_store.error | |
puts cert_store.error_string | |
end | |
puts "" | |
puts "Scenario 0: only root A, only chain A" | |
verfiy_chain( | |
[ | |
EXPIRED_DST_ROOT_CA_X3, | |
CHAIN_A_CROSS_SIGNED_ISRG_ROOT_X1_CERT | |
], | |
[ | |
CHAIN_A_INTERMEDIATE_CERT_EXPIRED_CA | |
] | |
) | |
puts "" | |
puts "Scenario 1: root A before B, chain A before B" | |
verfiy_chain( | |
[ | |
EXPIRED_DST_ROOT_CA_X3, | |
CHAIN_A_CROSS_SIGNED_ISRG_ROOT_X1_CERT, | |
CHAIN_B_ACTIVE_ISRG_ROOT_X1_CERT | |
], | |
[ | |
CHAIN_A_INTERMEDIATE_CERT_EXPIRED_CA, | |
CHAIN_B_INTERMEDIATE_CERT_VALID | |
] | |
) | |
puts "" | |
puts "Scenario 2: root A before B, chain B before A" | |
verfiy_chain( | |
[ | |
EXPIRED_DST_ROOT_CA_X3, | |
CHAIN_A_CROSS_SIGNED_ISRG_ROOT_X1_CERT, | |
CHAIN_B_ACTIVE_ISRG_ROOT_X1_CERT | |
], | |
[ | |
CHAIN_B_INTERMEDIATE_CERT_VALID, | |
CHAIN_A_INTERMEDIATE_CERT_EXPIRED_CA | |
] | |
) | |
puts "" | |
puts "Scenario 3: root B before A, chain A before B" | |
verfiy_chain( | |
[ | |
EXPIRED_DST_ROOT_CA_X3, | |
CHAIN_B_ACTIVE_ISRG_ROOT_X1_CERT, | |
CHAIN_A_CROSS_SIGNED_ISRG_ROOT_X1_CERT | |
], | |
[ | |
CHAIN_A_INTERMEDIATE_CERT_EXPIRED_CA, | |
CHAIN_B_INTERMEDIATE_CERT_VALID | |
] | |
) | |
puts "" | |
puts "Scenario 4: root B before A, chain B before A" | |
verfiy_chain( | |
[ | |
EXPIRED_DST_ROOT_CA_X3, | |
CHAIN_B_ACTIVE_ISRG_ROOT_X1_CERT, | |
CHAIN_A_CROSS_SIGNED_ISRG_ROOT_X1_CERT | |
], | |
[ | |
CHAIN_B_INTERMEDIATE_CERT_VALID, | |
CHAIN_A_INTERMEDIATE_CERT_EXPIRED_CA | |
] | |
) | |
puts "" | |
puts "Scenario 5: root A before B and expired last, chain A before B" | |
verfiy_chain( | |
[ | |
CHAIN_A_CROSS_SIGNED_ISRG_ROOT_X1_CERT, | |
CHAIN_B_ACTIVE_ISRG_ROOT_X1_CERT, | |
EXPIRED_DST_ROOT_CA_X3 | |
], | |
[ | |
CHAIN_A_INTERMEDIATE_CERT_EXPIRED_CA, | |
CHAIN_B_INTERMEDIATE_CERT_VALID | |
] | |
) | |
puts "" | |
puts "Scenario 6: root A before B and expired last, chain B before A" | |
verfiy_chain( | |
[ | |
CHAIN_A_CROSS_SIGNED_ISRG_ROOT_X1_CERT, | |
CHAIN_B_ACTIVE_ISRG_ROOT_X1_CERT, | |
EXPIRED_DST_ROOT_CA_X3, | |
], | |
[ | |
CHAIN_B_INTERMEDIATE_CERT_VALID, | |
CHAIN_A_INTERMEDIATE_CERT_EXPIRED_CA | |
] | |
) | |
puts "" | |
puts "Scenario 7: root B before A and expired last, chain A before B" | |
verfiy_chain( | |
[ | |
CHAIN_B_ACTIVE_ISRG_ROOT_X1_CERT, | |
CHAIN_A_CROSS_SIGNED_ISRG_ROOT_X1_CERT, | |
EXPIRED_DST_ROOT_CA_X3 | |
], | |
[ | |
CHAIN_A_INTERMEDIATE_CERT_EXPIRED_CA, | |
CHAIN_B_INTERMEDIATE_CERT_VALID | |
] | |
) | |
puts "" | |
puts "Scenario 8: root B before A and expired last, chain B before A" | |
verfiy_chain( | |
[ | |
CHAIN_B_ACTIVE_ISRG_ROOT_X1_CERT, | |
CHAIN_A_CROSS_SIGNED_ISRG_ROOT_X1_CERT, | |
EXPIRED_DST_ROOT_CA_X3, | |
], | |
[ | |
CHAIN_B_INTERMEDIATE_CERT_VALID, | |
CHAIN_A_INTERMEDIATE_CERT_EXPIRED_CA | |
] | |
) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment