[Openid-specs-ab] Certification of your relying party software

Bas Wegh (SCC) bas.wegh at kit.edu
Thu Jan 26 08:12:22 UTC 2017


Hi Mike, all,

Thanks a lot for the effort put into the RP conformance tests!
Is there a dedicated mailing list? Sorry for sending here if there is one.

I am in the process of getting the Erlang OpenID Connect client library
ready for conformance testing.

Yet I have the issue that the TLS handshake fails for me as the intermediate
CA from Symantec is not sent down the line.

Could this somehow be fixed? Thanks a lot
It worked about a week ago (before getting a lot of HTTP 500).

openssl tells me:
"Verification error: unable to verify the first certificate"


Kind regards,
Bas Wegh

-------- output of openssl ----------------
$ openssl s_client -connect rp.certification.openid.net:8080

CONNECTED(00000003)
depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2158113, C = US, postalCode = 94043, ST = California, L = Mountain View, street = 350 Ellis Street, O = Symantec Corporation, OU = Cloud Platform Engineering, CN = rp.certification.openid.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2158113, C = US, postalCode = 94043, ST = California, L = Mountain View, street = 350 Ellis Street, O = Symantec Corporation, OU = Cloud Platform Engineering, CN = rp.certification.openid.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Cloud Platform Engineering/CN=rp.certification.openid.net
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
---
Server certificate
subject=/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Cloud Platform Engineering/CN=rp.certification.openid.net
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2494 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated



On 01/07/17 00:47, Mike Jones via Openid-specs-ab wrote:
> You’ve probably followed the fact that the OpenID Foundation has launched the
> RP Certification program.  If you’re the author of an OpenID Connect relying
> party library, it would be great if you could certify your RP software as part
> of “testing the tests”.  This would also enable you to be part of the launch
> press release next month during the RSA Conference (February 13th).  You
> should plan to complete your certification by February 6th to be included in the
> press release.
>
> RP Certification is free and available to OpenID Foundation members during the
> pilot phase.  After the pilot ends – probably on February 13th, the usual fees
> will apply.  If you’re not a member, you or your organization can join at
> https://openid.net/foundation/members/registration.
>
> See the instructions at http://openid.net/certification/rp_testing/ and
> http://openid.net/certification/rp_submission/.  Let Roland and I know if you have any
> questions.
>
> Best wishes,
> -- Mike



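Added example, not part of the original message or of any project named in it: a small Python check that reads `openssl s_client` output like the one posted above and reports when the chain the server sent stops short of a self-issued certificate while OpenSSL raised verify errors 20 or 21. The sample text is constructed from the posted output with the subject DN shortened to its CN; the function names are assumptions made for this example.

```python
import re

# Constructed sample: the s_client output from the message above, with the long
# subject DN shortened to its CN and everything after the chain section dropped.
SAMPLE = """\
CONNECTED(00000003)
depth=0 CN = rp.certification.openid.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = rp.certification.openid.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=rp.certification.openid.net
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
---
Server certificate
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] for the certificates the server sent."""
    section = re.search(r"^Certificate chain\n(.*?)^---", text, re.S | re.M)
    if not section:
        return []
    subjects = re.findall(r"^ *\d+ s:(.*)$", section.group(1), re.M)
    issuers = re.findall(r"^ +i:(.*)$", section.group(1), re.M)
    return list(zip(subjects, issuers))

def verify_errors(text):
    """Return the distinct OpenSSL verify error numbers, sorted."""
    return sorted({int(n) for n in re.findall(r"^verify error:num=(\d+):", text, re.M)})

def diagnose(text):
    """List findings that point at an incomplete chain sent by the server."""
    chain, errors, findings = parse_chain(text), verify_errors(text), []
    # Each certificate must be followed by the certificate of its issuer.
    for idx in range(len(chain) - 1):
        if chain[idx][1] != chain[idx + 1][0]:
            findings.append(f"cert {idx}: next certificate is not its issuer")
    # Heuristic: errors 20/21 plus a last certificate that is not self-issued
    # means its issuer was neither sent nor found in the local trust store.
    if chain and chain[-1][0] != chain[-1][1] and {20, 21} & set(errors):
        findings.append(f"chain stops at cert {len(chain) - 1}; "
                        f"no certificate available for issuer: {chain[-1][1]}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```
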
