<div dir="ltr">Hi Bas,<div><br></div><div>The dedicated list for OIDC certification discussions is <a href="mailto:certification@oidf.org">certification@oidf.org</a> (cc).</div><div><br></div><div>I get the expected output at [1], which has a different cert than your output shows. I'm not sure how to explain that.<br></div><div><div>Can you verify your command again?</div></div><div><br></div><div>Regards,</div><div><br></div><div>Hans.<br></div><div><br></div><div>[1]</div><div><div>openssl s_client -connect <a href="http://rp.certification.openid.net:8080">rp.certification.openid.net:8080</a></div><div>CONNECTED(00000003)</div><div>depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5</div><div>verify return:1</div><div>depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4</div><div>verify return:1</div><div>depth=0 C = US, ST = California, L = Mountain View, O = Symantec Corporation, OU = Cloud Platform Engineering, CN = <a href="http://rp.certification.openid.net">rp.certification.openid.net</a></div><div>verify return:1</div><div>---</div><div>Certificate chain</div><div> 0 s:/C=US/ST=California/L=Mountain View/O=Symantec Corporation/OU=Cloud Platform Engineering/CN=<a href="http://rp.certification.openid.net">rp.certification.openid.net</a></div><div>   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4</div><div> 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4</div><div>   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. 
- For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5</div><div>---</div><div>Server certificate</div><div>-----BEGIN CERTIFICATE-----</div></div><div>&lt;snip&gt;</div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 26, 2017 at 9:12 AM, Bas Wegh (SCC) via Openid-specs-ab <span dir="ltr">&lt;<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Mike, all,<br>
<br>
Thanks a lot for the effort put into the rp conformance tests!<br>
Is there a dedicated mailing list? Sorry for sending here if there is one.<br>
<br>
I am in the process of getting the Erlang OpenID Connect client library<br>
ready for conformance testing.<br>
<br>
Yet I have the issue that the TLS handshake fails for me as the intermediate<br>
CA from Symantec is not sent down the line.<br>
<br>
Could this somehow be fixed? Thanks a lot<br>
It worked about a week ago (before getting a lot of HTTP 500).<br>
<br>
openssl tells me:<br>
"Verification error: unable to verify the first certificate"<br>
<br>
<br>
Kind regards,<br>
Bas Wegh<br>
<br>
-------- output of openssl ----------------<br>
$ openssl s_client -connect <a href="http://rp.certification.openid.net:8080" rel="noreferrer" target="_blank">rp.certification.openid.net:<wbr>8080</a><br>
<br>
CONNECTED(00000003)<br>
depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2158113, C = US, postalCode = 94043, ST = California, L = Mountain View, street = 350 Ellis Street, O = Symantec Corporation, OU = Cloud Platform Engineering, CN = <a href="http://rp.certification.openid.net" rel="noreferrer" target="_blank">rp.certification.openid.net</a><br>
verify error:num=20:unable to get local issuer certificate<br>
verify return:1<br>
depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2158113, C = US, postalCode = 94043, ST = California, L = Mountain View, street = 350 Ellis Street, O = Symantec Corporation, OU = Cloud Platform Engineering, CN = <a href="http://rp.certification.openid.net" rel="noreferrer" target="_blank">rp.certification.openid.net</a><br>
verify error:num=21:unable to verify the first certificate<br>
verify return:1<br>
---<br>
Certificate chain<br>
 0 s:/jurisdictionC=US/<wbr>jurisdictionST=Delaware/<wbr>businessCategory=Private Organization/serialNumber=<wbr>2158113/C=US/postalCode=94043/<wbr>ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Cloud Platform Engineering/CN=<a href="http://rp.certification.openid.net" rel="noreferrer" target="_blank">rp.<wbr>certification.openid.net</a><br>
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3<br>
---<br>
Server certificate<br>
-----BEGIN CERTIFICATE-----<br>
-----END CERTIFICATE-----<br>
subject=/jurisdictionC=US/<wbr>jurisdictionST=Delaware/<wbr>businessCategory=Private Organization/serialNumber=<wbr>2158113/C=US/postalCode=94043/<wbr>ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Cloud Platform Engineering/CN=<a href="http://rp.certification.openid.net" rel="noreferrer" target="_blank">rp.<wbr>certification.openid.net</a><br>
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3<br>
---<br>
No client certificate CA names sent<br>
Peer signing digest: SHA512<br>
Server Temp Key: ECDH, P-256, 256 bits<br>
---<br>
SSL handshake has read 2494 bytes and written 302 bytes<br>
Verification error: unable to verify the first certificate<br>
---<br>
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384<br>
Server public key is 2048 bit<br>
Secure Renegotiation IS supported<br>
Compression: NONE<br>
Expansion: NONE<br>
No ALPN negotiated<br>
<br>
<br>
<br>
On 01/07/17 00:47, Mike Jones via Openid-specs-ab wrote:<br>
> You’ve probably followed the fact that the OpenID Foundation has launched the<br>
> RP Certification program.  If you’re the author of an OpenID Connect relying<br>
> party library, it would be great if you could certify your RP software as part<br>
> of “testing the tests”.  This would also enable you to be part of the launch<br>
> press release next month during the RSA Conference (February 13th).  You<br>
> should plan to complete your certification by February 6th to be included in the<br>
> press release.<br>
><br>
><br>
><br>
> RP Certification is free and available to OpenID Foundation members during the<br>
> pilot phase.  After the pilot ends – probably on February 13th, the usual fees<br>
> will apply.  If you’re not a member, you or your organization can join at<br>
> <a href="https://openid.net/foundation/members/registration" rel="noreferrer" target="_blank">https://openid.net/foundation/<wbr>members/registration</a>.<br>
><br>
><br>
><br>
> See the instructions at <a href="http://openid.net/certification/rp_testing/" rel="noreferrer" target="_blank">http://openid.net/<wbr>certification/rp_testing/</a> and<br>
> <a href="http://openid.net/certification/rp_submission/" rel="noreferrer" target="_blank">http://openid.net/certification/rp_<wbr>submission/</a>.  Let Roland and I know if you have any<br>
> questions.<br>
><br>
><br>
><br>
>                                                        Best wishes,<br>
><br>
>                                                        -- Mike<br>
><br>
><br>
><br>
<br>
> ______________________________<wbr>_________________<br>
> Openid-specs-ab mailing list<br>
> <a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.<wbr>net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/<wbr>mailman/listinfo/openid-specs-<wbr>ab</a><br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div style="font-size:small"><a href="mailto:hans.zandbelt@zmartzone.eu" target="_blank">hans.zandbelt@zmartzone.eu</a></div><div style="font-size:small">ZmartZone IAM - <a href="http://www.zmartzone.eu" target="_blank">www.zmartzone.eu</a><br></div></div></div></div></div></div>
</div></div>
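<p>Added example, not part of the original thread: a small Python check that reads the "Certificate chain" section of <code>openssl s_client</code> output and reports the issuer that the server neither sent nor the client already trusts, which is the condition behind "unable to verify the first certificate". The sample inputs are condensed from the two outputs quoted above; the function names, the <code>TRUST_ANCHORS</code> set and matching by DN string (real path building checks signatures and key identifiers) are assumptions of this sketch.</p>

```python
import re

# Constructed input: the "Certificate chain" sections of the two s_client
# outputs in the thread, with each DN shortened to its O and CN parts.
BAS_OUTPUT = """\
Certificate chain
 0 s:/O=Symantec Corporation/CN=rp.certification.openid.net
   i:/O=Symantec Corporation/CN=Symantec Class 3 EV SSL CA - G3
---
"""
HANS_OUTPUT = """\
Certificate chain
 0 s:/O=Symantec Corporation/CN=rp.certification.openid.net
   i:/O=Symantec Corporation/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/O=Symantec Corporation/CN=Symantec Class 3 Secure Server CA - G4
   i:/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
"""
# Assumption: the client's trust store holds only this root.
TRUST_ANCHORS = {
    "/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5"
}

def parse_chain(s_client_text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject, in_chain = [], None, False
    for line in s_client_text.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
        elif in_chain and line.startswith("---"):
            break  # end of the chain section
        elif in_chain and (m := re.match(r"\s*\d+ s:(.+)", line)):
            subject = m.group(1).strip()
        elif in_chain and (m := re.match(r"\s*i:(.+)", line)) and subject:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def missing_issuer(chain, trust_anchors):
    """Return the first issuer DN that was neither sent nor locally trusted."""
    sent = {subject for subject, _ in chain}
    for subject, issuer in chain:
        # Simplification: issuers are matched by DN string only.
        if issuer != subject and issuer not in sent and issuer not in trust_anchors:
            return issuer
    return None
```

<p>A result of <code>None</code> means every issuer named in the chain was either sent by the server or is a local trust anchor; any other result names the certificate the server should add to its chain file.</p>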