[lug] Understanding a SSL/TLS Certificate Issue
David Stearns
stearns at dhyw.com
Thu Jun 18 17:49:26 MDT 2020
I definitely get a different result against 465 than I do against 443, so
I'll walk through this again using that and see if we get a
different result!
First, connect to 465 and print out the certs. This time we see 3 certs in
the chain (root not included, since it's never sent as part of the chain,
being the trust anchor).
> $ openssl s_client -host www.cotse.net -port 465 -prexit -showcerts -crlf
> CONNECTED(00000003)
> depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
> Network, CN = USERTrust RSA Certification Authority
> verify return:1
> depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited,
> CN = Sectigo RSA Domain Validation Secure Server CA
> verify return:1
> depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN =
> www.cotse.net
> verify return:1
> ---
> Certificate chain
> 0 s:OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN =
> www.cotse.net
> i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN
> = Sectigo RSA Domain Validation Secure Server CA
> -----BEGIN CERTIFICATE-----
> MIIGmzCCBYOgAwIBAgIRAKReLcVz2D28T82Ck9wsWngwDQYJKoZIhvcNAQELBQAw
> gY8xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
> BgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDE3MDUGA1UE
> AxMuU2VjdGlnbyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
> QTAeFw0xOTAxMTgwMDAwMDBaFw0yMTA0MTcyMzU5NTlaMF4xITAfBgNVBAsTGERv
> bWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVs
> dGktRG9tYWluMRYwFAYDVQQDEw13d3cuY290c2UubmV0MIIBIjANBgkqhkiG9w0B
> AQEFAAOCAQ8AMIIBCgKCAQEA28AyLLQNQ/0Xor/6uqGO8dD4LQlYTfOJtKUx9LRX
> aeIgnYConKsw1pe0dDBNdWUf6IJceGG3Hyk0yf8M8RpB+2uuimyTTpEIp1lCzydf
> QsaUEz3DOCCiQNhr9bvuVhVjvZirKfZIpnXzmoIa7k6zCr4M6sdadeDCk0MVvq2Q
> 2LWiXyH6JEI0704dC0Gi8MerBFKjXDJ9PXjrGoNigW7oTdC0zIIXzLstUHlJHEHB
> RDpJFNmpx1UgmqYYrMTyVQORoRfmKHGnQHR4Y5R+0nn/CEsbUsQ61Rzn5UgbyZ1C
> hdG3MLQRDZeDWdljZbqfYj2bjWT4renOlSnCKa5T8VqtGwIDAQABo4IDIDCCAxww
> HwYDVR0jBBgwFoAUjYxexFStiuF36Zv5mwXhuAGNYeEwHQYDVR0OBBYEFKW3NX/z
> 2scuDI4ZxqwrkszZseRwMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0G
> A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQB
> sjEBAgIHMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgG
> BmeBDAECATCBhAYIKwYBBQUHAQEEeDB2ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0
> LnNlY3RpZ28uY29tL1NlY3RpZ29SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2Vy
> dmVyQ0EuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTBJ
> BgNVHREEQjBAgg13d3cuY290c2UubmV0ggljb3RzZS5uZXSCD2lkZW50aWNsb2Fr
> LmNvbYITd3d3LmlkZW50aWNsb2FrLmNvbTCCAX4GCisGAQQB1nkCBAIEggFuBIIB
> agFoAHcAu9nfvB+KcbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YUAAAFoYjIzVgAA
> BAMASDBGAiEAg17iMrQOqdjnLl+0HxIkGEce3XY7xm5L1oApfX3Kb2ICIQD18Qbs
> i49EvcPeufqzS1/qz1YtFVihSqtaAEYQ6d4sTwB2AESUZS6w7s6vxEAH2Kj+KMDa
> 5oK+2MsxtT/TM5a1toGoAAABaGIyM6YAAAQDAEcwRQIgUv7J3oH3HULi/V6mbhbV
> INmaf5QR5phDsUYyWwCnveACIQDMzkqER4yClBlXURphmffOVm9sJMeZtb5kMiny
> DySZ1QB1AFzcQ5L+5qtFRLFemtRW5hA3+9X6R9yhc5SyXub2xw7KAAABaGIyM6IA
> AAQDAEYwRAIgIPbtlwvc1VCiaekLdUTnQF1KWiK8Zk9/nkKaE50il9MCIA0TZ+Zq
> Z8AyRw+uWBw2rVZoHxFhwnffsy8irqjhicuAMA0GCSqGSIb3DQEBCwUAA4IBAQB/
> VnShFC2gYePuwivWToWlMD21FTT5nbCCzifKrYrpJ/ZGhp1kK/9YqQdvhUasoVYC
> YWnhe5xQknGVTLQ9WRRtAX1yx3gYwJi4PLNILJJsBM8U/ARjYdb/In0XiKo+MkhX
> oAkc+YYVBHtDilTl3exepGHNUHwSPx9CigSBe5osPrxSYpHw9SRKTt4pm/cvycLE
> 1+c7Gc+Mgyqb1wWsfpx3yRaumv0EvdPUiPRIZASbo0/hc/KCIchIU2TUcrseHDfx
> kq5AegefqIwYMjQaiclb1P9dLF3Zi5+ChuBMM9H84e8KWKUNst05sbPm5yj+V3/n
> iISXn9mpmHgX0KHivQk4
> -----END CERTIFICATE-----
> 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN
> = Sectigo RSA Domain Validation Secure Server CA
> i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network,
> CN = USERTrust RSA Certification Authority
> -----BEGIN CERTIFICATE-----
> MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
> iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
> cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
> BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
> MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV
> BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
> ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g
> VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
> AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N
> TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj
> eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E
> oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk
> Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY
> uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j
> BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb
> +ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
> A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw
> CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0
> LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr
> BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv
> bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov
> L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H
> ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH
> 7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi
> H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx
> RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv
> xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38
> sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL
> l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq
> 6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY
> LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5
> yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
> 00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
> -----END CERTIFICATE-----
> 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network,
> CN = USERTrust RSA Certification Authority
> i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
> AddTrust External CA Root
> -----BEGIN CERTIFICATE-----
> MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
> MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
> ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
> eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
> gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
> ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
> VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN
> BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt
> UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC
> tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf
> jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM
> 8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm
> AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV
> Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9
> N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF
> qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9
> HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ
> +gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX
> HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv
> A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/
> BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
> HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
> dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0
> dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD
> lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn
> RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ
> YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8
> Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
> Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
> 0fKtirOMxyHNwu8=
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN =
> www.cotse.net
> issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited,
> CN = Sectigo RSA Domain Validation Secure Server CA
> ---
> Acceptable client certificate CA names
> C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN =
> Sectigo RSA Domain Validation Secure Server CA
> C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN =
> USERTrust RSA Certification Authority
> Client Certificate Types: RSA sign, DSA sign, ECDSA sign
> Requested Signature Algorithms:
> RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
> Shared Requested Signature Algorithms:
> RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
> Peer signing digest: SHA512
> Peer signature type: RSA
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 5664 bytes and written 453 bytes
> Verification: OK
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> Session-ID:
> 0E9772EB4AA76E26485609B51C34EC1F046520F7BB084FA9A587745A65F8A2F6
> Session-ID-ctx:
> Master-Key:
> AF87401FE9C3DF1FD35DEA9152BD2EDD115BFBBD464D2BCDAE5938EEDF89322F74E440EB6CB61AA2300A756692395B4C
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> TLS session ticket lifetime hint: 1 (seconds)
> TLS session ticket:
> 0000 - 61 35 e8 bd 2f 81 f1 f4-2e c1 e1 b9 e7 42 d7 d6
> a5../........B..
> 0010 - a5 8b e4 b7 ac af 96 84-72 b0 38 dc a3 d7 47 88
> ........r.8...G.
> 0020 - 27 33 51 f6 b2 7e e3 92-8d 35 e9 22 a1 6c 4d a9
> '3Q..~...5.".lM.
> 0030 - fd 8c 2d 60 79 5c c5 74-0f 40 ee 52 8c 9d 03 c1 ..-`y\.t.@
> .R....
> 0040 - 7a f1 ec 33 30 60 29 77-bc 4e 89 f9 81 a4 49 1f
> z..30`)w.N....I.
> 0050 - 0e 70 d6 e9 44 33 fc 05-59 83 82 f4 4a 9b b6 f0
> .p..D3..Y...J...
> 0060 - ef f3 25 bf c0 69 51 ac-6b ca 0d c5 72 90 c4 0f
> ..%..iQ.k...r...
> 0070 - 8e c2 6d a2 b3 f2 cf e0-e7 02 9c c8 ce db 24 13
> ..m...........$.
> 0080 - 85 9c 27 c2 a2 65 87 18-74 7b 1e 88 66 14 ca 1c
> ..'..e..t{..f...
> 0090 - e9 2d f7 4a 32 6f 2f 19-2d e4 ca 9c af 5d 47 0f
> .-.J2o/.-....]G.
> 00a0 - 3b 8e bc 08 a2 55 3c f4-a5 4e 6a fd 14 80 b6 f4
> ;....U<..Nj.....
> Start Time: 1592523236
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> Extended master secret: no
> ---
> 220 out.packetderm.com ESMTP CotseMail 5.7.4/5.7.4; Thu, 18 Jun 2020
> 19:33:56 -0400 (EDT)
>
I'm going to copy/past those three certs, including the BEGIN/END lines
into three different files. server.pem, inter1.pem, and inter2.pem (in
order).
Next, let's take a look at server.pem, see what it's data is:
> $ openssl x509 -in server.pem -noout -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> a4:5e:2d:c5:73:d8:3d:bc:4f:cd:82:93:dc:2c:5a:78
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo
> Limited, CN = Sectigo RSA Domain Validation Secure Server CA
> Validity
> Not Before: Jan 18 00:00:00 2019 GMT
> Not After : Apr 17 23:59:59 2021 GMT
> Subject: OU = Domain Control Validated, OU = PositiveSSL
> Multi-Domain, CN = www.cotse.net
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public-Key: (2048 bit)
> Modulus:
> 00:db:c0:32:2c:b4:0d:43:fd:17:a2:bf:fa:ba:a1:
> 8e:f1:d0:f8:2d:09:58:4d:f3:89:b4:a5:31:f4:b4:
> 57:69:e2:20:9d:80:a8:9c:ab:30:d6:97:b4:74:30:
> 4d:75:65:1f:e8:82:5c:78:61:b7:1f:29:34:c9:ff:
> 0c:f1:1a:41:fb:6b:ae:8a:6c:93:4e:91:08:a7:59:
> 42:cf:27:5f:42:c6:94:13:3d:c3:38:20:a2:40:d8:
> 6b:f5:bb:ee:56:15:63:bd:98:ab:29:f6:48:a6:75:
> f3:9a:82:1a:ee:4e:b3:0a:be:0c:ea:c7:5a:75:e0:
> c2:93:43:15:be:ad:90:d8:b5:a2:5f:21:fa:24:42:
> 34:ef:4e:1d:0b:41:a2:f0:c7:ab:04:52:a3:5c:32:
> 7d:3d:78:eb:1a:83:62:81:6e:e8:4d:d0:b4:cc:82:
> 17:cc:bb:2d:50:79:49:1c:41:c1:44:3a:49:14:d9:
> a9:c7:55:20:9a:a6:18:ac:c4:f2:55:03:91:a1:17:
> e6:28:71:a7:40:74:78:63:94:7e:d2:79:ff:08:4b:
> 1b:52:c4:3a:d5:1c:e7:e5:48:1b:c9:9d:42:85:d1:
> b7:30:b4:11:0d:97:83:59:d9:63:65:ba:9f:62:3d:
> 9b:8d:64:f8:ad:e9:ce:95:29:c2:29:ae:53:f1:5a:
> ad:1b
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Authority Key Identifier:
>
> keyid:8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
> X509v3 Subject Key Identifier:
> A5:B7:35:7F:F3:DA:C7:2E:0C:8E:19:C6:AC:2B:92:CC:D9:B1:E4:70
> X509v3 Key Usage: critical
> Digital Signature, Key Encipherment
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Extended Key Usage:
> TLS Web Server Authentication, TLS Web Client
> Authentication
> X509v3 Certificate Policies:
> Policy: 1.3.6.1.4.1.6449.1.2.2.7
> CPS: https://sectigo.com/CPS
> Policy: 2.23.140.1.2.1
> Authority Information Access:
> CA Issuers - URI:
> http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
> OCSP - URI:http://ocsp.sectigo.com
> X509v3 Subject Alternative Name:
> DNS:www.cotse.net, DNS:cotse.net, DNS:identicloak.com,
> DNS:www.identicloak.com
> CT Precertificate SCTs:
> Signed Certificate Timestamp:
> Version : v1 (0x0)
> Log ID :
> BB:D9:DF:BC:1F:8A:71:B5:93:94:23:97:AA:92:7B:47:
>
> 38:57:95:0A:AB:52:E8:1A:90:96:64:36:8E:1E:D1:85
> Timestamp : Jan 18 18:21:23.670 2019 GMT
> Extensions: none
> Signature : ecdsa-with-SHA256
>
> 30:46:02:21:00:83:5E:E2:32:B4:0E:A9:D8:E7:2E:5F:
>
> B4:1F:12:24:18:47:1E:DD:76:3B:C6:6E:4B:D6:80:29:
>
> 7D:7D:CA:6F:62:02:21:00:F5:F1:06:EC:8B:8F:44:BD:
>
> C3:DE:B9:FA:B3:4B:5F:EA:CF:56:2D:15:58:A1:4A:AB:
> 5A:00:46:10:E9:DE:2C:4F
> Signed Certificate Timestamp:
> Version : v1 (0x0)
> Log ID :
> 44:94:65:2E:B0:EE:CE:AF:C4:40:07:D8:A8:FE:28:C0:
>
> DA:E6:82:BE:D8:CB:31:B5:3F:D3:33:96:B5:B6:81:A8
> Timestamp : Jan 18 18:21:23.750 2019 GMT
> Extensions: none
> Signature : ecdsa-with-SHA256
>
> 30:45:02:20:52:FE:C9:DE:81:F7:1D:42:E2:FD:5E:A6:
>
> 6E:16:D5:20:D9:9A:7F:94:11:E6:98:43:B1:46:32:5B:
>
> 00:A7:BD:E0:02:21:00:CC:CE:4A:84:47:8C:82:94:19:
>
> 57:51:1A:61:99:F7:CE:56:6F:6C:24:C7:99:B5:BE:64:
> 32:29:F2:0F:24:99:D5
> Signed Certificate Timestamp:
> Version : v1 (0x0)
> Log ID :
> 5C:DC:43:92:FE:E6:AB:45:44:B1:5E:9A:D4:56:E6:10:
>
> 37:FB:D5:FA:47:DC:A1:73:94:B2:5E:E6:F6:C7:0E:CA
> Timestamp : Jan 18 18:21:23.746 2019 GMT
> Extensions: none
> Signature : ecdsa-with-SHA256
>
> 30:44:02:20:20:F6:ED:97:0B:DC:D5:50:A2:69:E9:0B:
>
> 75:44:E7:40:5D:4A:5A:22:BC:66:4F:7F:9E:42:9A:13:
>
> 9D:22:97:D3:02:20:0D:13:67:E6:6A:67:C0:32:47:0F:
>
> AE:58:1C:36:AD:56:68:1F:11:61:C2:77:DF:B3:2F:22:
> AE:A8:E1:89:CB:80
> Signature Algorithm: sha256WithRSAEncryption
> 7f:56:74:a1:14:2d:a0:61:e3:ee:c2:2b:d6:4e:85:a5:30:3d:
> b5:15:34:f9:9d:b0:82:ce:27:ca:ad:8a:e9:27:f6:46:86:9d:
> 64:2b:ff:58:a9:07:6f:85:46:ac:a1:56:02:61:69:e1:7b:9c:
> 50:92:71:95:4c:b4:3d:59:14:6d:01:7d:72:c7:78:18:c0:98:
> b8:3c:b3:48:2c:92:6c:04:cf:14:fc:04:63:61:d6:ff:22:7d:
> 17:88:aa:3e:32:48:57:a0:09:1c:f9:86:15:04:7b:43:8a:54:
> e5:dd:ec:5e:a4:61:cd:50:7c:12:3f:1f:42:8a:04:81:7b:9a:
> 2c:3e:bc:52:62:91:f0:f5:24:4a:4e:de:29:9b:f7:2f:c9:c2:
> c4:d7:e7:3b:19:cf:8c:83:2a:9b:d7:05:ac:7e:9c:77:c9:16:
> ae:9a:fd:04:bd:d3:d4:88:f4:48:64:04:9b:a3:4f:e1:73:f2:
> 82:21:c8:48:53:64:d4:72:bb:1e:1c:37:f1:92:ae:40:7a:07:
> 9f:a8:8c:18:32:34:1a:89:c9:5b:d4:ff:5d:2c:5d:d9:8b:9f:
> 82:86:e0:4c:33:d1:fc:e1:ef:0a:58:a5:0d:b2:dd:39:b1:b3:
> e6:e7:28:fe:57:7f:e7:88:84:97:9f:d9:a9:98:78:17:d0:a1:
> e2:bd:09:38
So, it's valid until next year sometimes.
Next, let's take a look at inter1.pem
>
> $ openssl x509 -in inter1.pem -noout -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 7d:5b:51:26:b4:76:ba:11:db:74:16:0b:bc:53:0d:a7
> Signature Algorithm: sha384WithRSAEncryption
> Issuer: C = US, ST = New Jersey, L = Jersey City, O = The
> USERTRUST Network, CN = USERTrust RSA Certification Authority
> Validity
> Not Before: Nov 2 00:00:00 2018 GMT
> Not After : Dec 31 23:59:59 2030 GMT
> Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo
> Limited, CN = Sectigo RSA Domain Validation Secure Server CA
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public-Key: (2048 bit)
> Modulus:
> 00:d6:73:33:d6:d7:3c:20:d0:00:d2:17:45:b8:d6:
> 3e:07:a2:3f:c7:41:ee:32:30:c9:b0:6c:fd:f4:9f:
> cb:12:98:0f:2d:3f:8d:4d:01:0c:82:0f:17:7f:62:
> 2e:e9:b8:48:79:fb:16:83:4e:ad:d7:32:25:93:b7:
> 07:bf:b9:50:3f:a9:4c:c3:40:2a:e9:39:ff:d9:81:
> ca:1f:16:32:41:da:80:26:b9:23:7a:87:20:1e:e3:
> ff:20:9a:3c:95:44:6f:87:75:06:90:40:b4:32:93:
> 16:09:10:08:23:3e:d2:dd:87:0f:6f:5d:51:14:6a:
> 0a:69:c5:4f:01:72:69:cf:d3:93:4c:6d:04:a0:a3:
> 1b:82:7e:b1:9a:b9:ed:c5:9e:c5:37:78:9f:9a:08:
> 34:fb:56:2e:58:c4:09:0e:06:64:5b:bc:37:dc:f1:
> 9f:28:68:a8:56:b0:92:a3:5c:9f:bb:88:98:08:1b:
> 24:1d:ab:30:85:ae:af:b0:2e:9e:7a:9d:c1:c0:42:
> 1c:e2:02:f0:ea:e0:4a:d2:ef:90:0e:b4:c1:40:16:
> f0:6f:85:42:4a:64:f7:a4:30:a0:fe:bf:2e:a3:27:
> 5a:8e:8b:58:b8:ad:c3:19:17:84:63:ed:6f:56:fd:
> 83:cb:60:34:c4:74:be:e6:9d:db:e1:e4:e5:ca:0c:
> 5f:15
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Authority Key Identifier:
>
> keyid:53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB
> X509v3 Subject Key Identifier:
> 8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
> X509v3 Key Usage: critical
> Digital Signature, Certificate Sign, CRL Sign
> X509v3 Basic Constraints: critical
> CA:TRUE, pathlen:0
> X509v3 Extended Key Usage:
> TLS Web Server Authentication, TLS Web Client
> Authentication
> X509v3 Certificate Policies:
> Policy: X509v3 Any Policy
> Policy: 2.23.140.1.2.1
> X509v3 CRL Distribution Points:
>
> Full Name:
> URI:
> http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
> Authority Information Access:
> CA Issuers - URI:
> http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
> OCSP - URI:http://ocsp.usertrust.com
> Signature Algorithm: sha384WithRSAEncryption
> 32:bf:61:bd:0e:48:c3:4f:c7:ba:47:4d:f8:9c:78:19:01:dc:
> 13:1d:80:6f:fc:c3:70:b4:52:9a:31:33:9a:57:52:fb:31:9e:
> 6b:a4:ef:54:aa:89:8d:40:17:68:f8:11:10:7c:d2:ca:b1:f1:
> 55:86:c7:ee:b3:36:91:86:f6:39:51:bf:46:bf:0f:a0:ba:b4:
> f7:7e:49:c4:2a:36:17:9e:e4:68:39:7a:af:94:4e:56:6f:b2:
> 7b:3b:bf:0a:86:bd:cd:c5:77:1c:03:b8:38:b1:a2:1f:5f:7e:
> db:8a:dc:46:48:b6:68:0a:cf:b2:b5:b4:e2:34:e4:67:a9:38:
> 66:09:5e:d2:b8:fc:9d:28:3a:17:40:27:c2:72:4e:29:fd:21:
> 3c:7c:cf:13:fb:96:2c:c5:31:44:fd:13:ed:d5:9b:a9:69:68:
> 77:7c:ee:e1:ff:a4:f9:36:38:08:53:39:a2:84:34:9c:19:f3:
> be:0e:ac:d5:24:37:eb:23:a8:78:d0:d3:e7:ef:92:47:64:62:
> 39:22:ef:c6:f7:11:be:22:85:c6:66:44:24:26:8e:10:32:8d:
> c8:93:ae:07:9e:83:3e:2f:d9:f9:f5:46:8e:63:be:c1:e6:b4:
> dc:a6:cd:21:a8:86:0a:95:d9:2e:85:26:1a:fd:fc:b1:b6:57:
> 42:6d:95:d1:33:f6:39:14:06:82:41:38:f5:8f:58:dc:80:5b:
> a4:d5:7d:95:78:fd:a7:9b:ff:fd:c5:a8:69:ab:26:e7:a7:a4:
> 05:87:5b:a9:b7:b8:a3:20:0b:97:a9:45:85:dd:b3:8b:e5:89:
> 37:8e:29:0d:fc:06:17:f6:38:40:0e:42:e4:12:06:fb:7b:f3:
> c6:11:68:62:df:e3:98:f4:13:d8:15:4f:8b:b1:69:d9:10:60:
> bc:64:2a:ea:31:b7:e4:b5:a3:3a:14:9b:26:e3:0b:7b:fd:02:
> 8e:b6:99:c1:38:97:59:36:f6:a8:74:a2:86:b6:5e:eb:c6:64:
> ea:cf:a0:a3:f9:6e:9e:ba:2d:11:b6:86:98:08:58:2d:c9:ac:
> 25:64:f2:5e:75:b4:38:c1:ae:7f:5a:46:83:ea:51:ca:b6:f1:
> 99:11:35:6b:a5:6a:7b:c6:00:b0:e7:f8:be:64:b2:ad:c8:c2:
> f1:ac:e3:51:ea:a4:93:e0:79:c8:e1:81:40:c9:0a:5b:e1:12:
> 3c:c1:60:2a:e3:97:c0:89:42:ca:94:cf:46:98:12:69:bb:98:
> d0:c2:d3:0d:72:4b:47:6e:e5:93:c4:32:28:63:87:43:e4:b0:
> 32:3e:0a:d3:4b:bf:23:9b:14:29:41:2b:9a:04:1f:93:2d:f1:
> c7:39:48:3c:ad:5a:12:7f
Also valid until 2021.
On to inter2.pem
$ openssl x509 -in inter2.pem -noout -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36
> Signature Algorithm: sha384WithRSAEncryption
> Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP
> Network, CN = AddTrust External CA Root
> Validity
> Not Before: May 30 10:48:38 2000 GMT
> Not After : May 30 10:48:38 2020 GMT
> Subject: C = US, ST = New Jersey, L = Jersey City, O = The
> USERTRUST Network, CN = USERTrust RSA Certification Authority
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public-Key: (4096 bit)
> Modulus:
> 00:80:12:65:17:36:0e:c3:db:08:b3:d0:ac:57:0d:
> 76:ed:cd:27:d3:4c:ad:50:83:61:e2:aa:20:4d:09:
> 2d:64:09:dc:ce:89:9f:cc:3d:a9:ec:f6:cf:c1:dc:
> f1:d3:b1:d6:7b:37:28:11:2b:47:da:39:c6:bc:3a:
> 19:b4:5f:a6:bd:7d:9d:a3:63:42:b6:76:f2:a9:3b:
> 2b:91:f8:e2:6f:d0:ec:16:20:90:09:3e:e2:e8:74:
> c9:18:b4:91:d4:62:64:db:7f:a3:06:f1:88:18:6a:
> 90:22:3c:bc:fe:13:f0:87:14:7b:f6:e4:1f:8e:d4:
> e4:51:c6:11:67:46:08:51:cb:86:14:54:3f:bc:33:
> fe:7e:6c:9c:ff:16:9d:18:bd:51:8e:35:a6:a7:66:
> c8:72:67:db:21:66:b1:d4:9b:78:03:c0:50:3a:e8:
> cc:f0:dc:bc:9e:4c:fe:af:05:96:35:1f:57:5a:b7:
> ff:ce:f9:3d:b7:2c:b6:f6:54:dd:c8:e7:12:3a:4d:
> ae:4c:8a:b7:5c:9a:b4:b7:20:3d:ca:7f:22:34:ae:
> 7e:3b:68:66:01:44:e7:01:4e:46:53:9b:33:60:f7:
> 94:be:53:37:90:73:43:f3:32:c3:53:ef:db:aa:fe:
> 74:4e:69:c7:6b:8c:60:93:de:c4:c7:0c:df:e1:32:
> ae:cc:93:3b:51:78:95:67:8b:ee:3d:56:fe:0c:d0:
> 69:0f:1b:0f:f3:25:26:6b:33:6d:f7:6e:47:fa:73:
> 43:e5:7e:0e:a5:66:b1:29:7c:32:84:63:55:89:c4:
> 0d:c1:93:54:30:19:13:ac:d3:7d:37:a7:eb:5d:3a:
> 6c:35:5c:db:41:d7:12:da:a9:49:0b:df:d8:80:8a:
> 09:93:62:8e:b5:66:cf:25:88:cd:84:b8:b1:3f:a4:
> 39:0f:d9:02:9e:eb:12:4c:95:7c:f3:6b:05:a9:5e:
> 16:83:cc:b8:67:e2:e8:13:9d:cc:5b:82:d3:4c:b3:
> ed:5b:ff:de:e5:73:ac:23:3b:2d:00:bf:35:55:74:
> 09:49:d8:49:58:1a:7f:92:36:e6:51:92:0e:f3:26:
> 7d:1c:4d:17:bc:c9:ec:43:26:d0:bf:41:5f:40:a9:
> 44:44:f4:99:e7:57:87:9e:50:1f:57:54:a8:3e:fd:
> 74:63:2f:b1:50:65:09:e6:58:42:2e:43:1a:4c:b4:
> f0:25:47:59:fa:04:1e:93:d4:26:46:4a:50:81:b2:
> de:be:78:b7:fc:67:15:e1:c9:57:84:1e:0f:63:d6:
> e9:62:ba:d6:5f:55:2e:ea:5c:c6:28:08:04:25:39:
> b8:0e:2b:a9:f2:4c:97:1c:07:3f:0d:52:f5:ed:ef:
> 2f:82:0f
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Authority Key Identifier:
>
> keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
> X509v3 Subject Key Identifier:
> 53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB
> X509v3 Key Usage: critical
> Digital Signature, Certificate Sign, CRL Sign
> X509v3 Basic Constraints: critical
> CA:TRUE
> X509v3 Certificate Policies:
> Policy: X509v3 Any Policy
> X509v3 CRL Distribution Points:
>
> Full Name:
> URI:http://crl.usertrust.com/AddTrustExternalCARoot.crl
> Authority Information Access:
> OCSP - URI:http://ocsp.usertrust.com
> Signature Algorithm: sha384WithRSAEncryption
> 93:65:f6:37:83:95:0f:5e:c3:82:1c:1f:d6:77:e7:3c:8a:c0:
> aa:09:f0:e9:0b:26:f1:e0:c2:6a:75:a1:c7:79:c9:b9:52:60:
> c8:29:12:0e:f0:ad:03:d6:09:c4:76:df:e5:a6:81:95:a7:46:
> da:82:57:a9:95:92:c5:b6:8f:03:22:6c:33:77:c1:7b:32:17:
> 6e:07:ce:5a:14:41:3a:05:24:1b:f6:14:06:3b:a8:25:24:0e:
> bb:cc:2a:75:dd:b9:70:41:3f:7c:d0:63:36:21:07:1f:46:ff:
> 60:a4:91:e1:67:bc:de:1f:7e:19:14:c9:63:67:91:ea:67:07:
> 6b:b4:8f:8b:c0:6e:43:7d:c3:a1:80:6c:b2:1e:bc:53:85:7d:
> dc:90:a1:a4:bc:2d:ef:46:72:57:35:05:bf:bb:46:bb:6e:6d:
> 37:99:b6:ff:23:92:91:c6:6e:40:f8:8f:29:56:ea:5f:d5:5f:
> 14:53:ac:f0:4f:61:ea:f7:22:cc:a7:56:0b:e2:b8:34:1f:26:
> d9:7b:19:05:68:3f:ba:3c:d4:38:06:a2:d3:e6:8f:0e:e3:b4:
> 71:6d:40:42:c5:84:b4:40:95:2b:f4:65:a0:48:79:f6:1d:81:
> 63:96:9d:4f:75:e0:f8:7c:e4:8e:a9:d1:f2:ad:8a:b3:8c:c7:
> 21:cd:c2:ef
>
And here we have an expired cert, " Not After : May 30 10:48:38 2020 GMT".
At this point, we can stop looking for the rootCA, because we know the
problem.
This is an issue with how the TLS endpoint for their SMTP server is
configured.
If I had to guess, either they forgot to update the cert for the SMTP
server, or they updated the cert but haven't restarted the service yet.
Since I went digging at port 443, it led me to a complete different cert.
-David
On Thu, Jun 18, 2020 at 5:15 PM Jed S. Baer <blug at jbaer.cotse.net> wrote:
> On Thu, 18 Jun 2020 17:03:24 -0600
> Bear Giles wrote:
>
> > Replacing an intermediate cert with an unexpired one won't help since it
> > will break the chain. The cert will have to be re-issued with new certs
> > all the way from the replaced cert to the leaf.
>
> I can't connect that dot, since my understanding of what David wrote is
> that it's only the root CA certs that are operative in my local store.
>
> (But, I think that explains why sslchecker.com shows 4 certs, but in my
> SMTP capture, there are only 3.)
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20200618/bc1216db/attachment-0001.html>
More information about the LUG
mailing list