Last active
January 27, 2016 16:45
-
-
Save cornet/7b64526c04f8f695d0f4 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=accounts.google.com | |
i:/C=US/O=Google Inc/CN=Google Internet Authority G2 | |
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2 | |
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA | |
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA | |
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nathan@holly ~ $ curl --cacert /etc/ssl/certs/Equifax_Secure_CA.pem --capath / https://accounts.google.com/ | |
<HTML> | |
<HEAD> | |
<TITLE>Moved Temporarily</TITLE> | |
</HEAD> | |
<BODY BGCOLOR="#FFFFFF" TEXT="#000000"> | |
<H1>Moved Temporarily</H1> | |
The document has moved <A HREF="https://accounts.google.com/ManageAccount">here</A>. | |
</BODY> | |
</HTML> | |
nathan@holly ~ $ curl --cacert /etc/ssl/certs/GeoTrust_Global_CA.pem --capath / https://accounts.google.com/ | |
curl: (60) SSL certificate problem: unable to get local issuer certificate | |
More details here: http://curl.haxx.se/docs/sslcerts.html | |
curl performs SSL certificate verification by default, using a "bundle" | |
of Certificate Authority (CA) public keys (CA certs). If the default | |
bundle file isn't adequate, you can specify an alternate file | |
using the --cacert option. | |
If this HTTPS server uses a certificate signed by a CA represented in | |
the bundle, the certificate verification probably failed due to a | |
problem with the certificate (it might be expired, or the name might | |
not match the domain name in the URL). | |
If you'd like to turn off curl's verification of the certificate, use | |
the -k (or --insecure) option. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Possibly sane | |
nathan@holly ~ $ openssl s_client -connect accounts.google.com:443 2>&1 | grep "Verify return code" | |
Verify return code: 20 (unable to get local issuer certificate) | |
# Definitly sane | |
nathan@holly ~ $ openssl s_client -connect accounts.google.com:443 -CAfile empty_file.pem 2>&1 | grep "Verify return code" | |
Verify return code: 20 (unable to get local issuer certificate) | |
# Appears to be same | |
nathan@holly ~ $ openssl s_client -connect accounts.google.com:443 -CAfile GeoTrust_Global_CA.crt 2>&1 | grep "Verify return code" | |
Verify return code: 0 (ok) | |
# WTAF ?! | |
nathan@holly ~ $ openssl s_client -connect accounts.google.com:443 -CAfile Taiwan_GRCA.crt 2>&1 | grep "Verify return code" | |
Verify return code: 0 (ok) | |
^C |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment