@svetlyak40wt
Created June 21, 2014 07:19
% openssl s_client -connect lk.megafon.ru:443 -verify 3
verify depth is 3
depth=0 /1.3.6.1.4.1.311.60.2.1.3=RU/businessCategory=Private Organization/serialNumber=1027809169585/C=RU/ST=Moscow/L=Moscow/O=OJSC MegaFon/CN=lk.megafon.ru
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /1.3.6.1.4.1.311.60.2.1.3=RU/businessCategory=Private Organization/serialNumber=1027809169585/C=RU/ST=Moscow/L=Moscow/O=OJSC MegaFon/CN=lk.megafon.ru
verify error:num=27:certificate not trusted
verify return:1
depth=0 /1.3.6.1.4.1.311.60.2.1.3=RU/businessCategory=Private Organization/serialNumber=1027809169585/C=RU/ST=Moscow/L=Moscow/O=OJSC MegaFon/CN=lk.megafon.ru
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=RU/businessCategory=Private Organization/serialNumber=1027809169585/C=RU/ST=Moscow/L=Moscow/O=OJSC MegaFon/CN=lk.megafon.ru
i:/C=US/O=thawte, Inc./OU=Terms of use at https://www.thawte.com/cps (c)06/CN=thawte Extended Validation SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Server certificate
subject=/1.3.6.1.4.1.311.60.2.1.3=RU/businessCategory=Private Organization/serialNumber=1027809169585/C=RU/ST=Moscow/L=Moscow/O=OJSC MegaFon/CN=lk.megafon.ru
issuer=/C=US/O=thawte, Inc./OU=Terms of use at https://www.thawte.com/cps (c)06/CN=thawte Extended Validation SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4259 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 5C0040509F3270DF88E22C1258E7F229FF8D7DB1DFF14CAD6BEBA10707A2D12A
Session-ID-ctx:
Master-Key: 8EAD8D060A3539A85795250137A87AE5A8D49C4ECAD5688CC52ED1AC19BFE41D36BE381B22CB12D8EF7E758C3E229A4C
Key-Arg : None
Start Time: 1403334532
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
Note the chain that the web server sends:
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=RU/businessCategory=Private Organization/serialNumber=1027809169585/C=RU/ST=Moscow/L=Moscow/O=OJSC MegaFon/CN=lk.megafon.ru
i:/C=US/O=thawte, Inc./OU=Terms of use at https://www.thawte.com/cps (c)06/CN=thawte Extended Validation SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
Certificate 0 is MegaFon's; it is signed by thawte Extended Validation SSL CA.
Certificate 1 is thawte Primary Root CA, although it should be thawte Extended Validation SSL CA. Some clients stumble on this when they try to validate the chain.