@cornet
Last active January 27, 2016 16:45
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=accounts.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
nathan@holly ~ $ curl --cacert /etc/ssl/certs/Equifax_Secure_CA.pem --capath / https://accounts.google.com/
<HTML>
<HEAD>
<TITLE>Moved Temporarily</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Temporarily</H1>
The document has moved <A HREF="https://accounts.google.com/ManageAccount">here</A>.
</BODY>
</HTML>
nathan@holly ~ $ curl --cacert /etc/ssl/certs/GeoTrust_Global_CA.pem --capath / https://accounts.google.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
# Possibly sane
nathan@holly ~ $ openssl s_client -connect accounts.google.com:443 2>&1 | grep "Verify return code"
Verify return code: 20 (unable to get local issuer certificate)
# Definitely sane
nathan@holly ~ $ openssl s_client -connect accounts.google.com:443 -CAfile empty_file.pem 2>&1 | grep "Verify return code"
Verify return code: 20 (unable to get local issuer certificate)
# Appears to be same
nathan@holly ~ $ openssl s_client -connect accounts.google.com:443 -CAfile GeoTrust_Global_CA.crt 2>&1 | grep "Verify return code"
Verify return code: 0 (ok)
# WTAF ?!
nathan@holly ~ $ openssl s_client -connect accounts.google.com:443 -CAfile Taiwan_GRCA.crt 2>&1 | grep "Verify return code"
Verify return code: 0 (ok)
^C