[Openid-specs-ab] Issue #100: OP test server not including intermediate certificate. (openid/certification)

John Bradley issues-reply at bitbucket.org
Tue Mar 17 15:59:00 UTC 2015


New issue 100: OP test server not including intermediate certificate.
https://bitbucket.org/openid/certification/issue/100/op-test-server-not-including-intermediate

John Bradley:

The server is not including the intermediate EV certificate authority from Symantec.

Most browsers have the intermediate cert but Java and other libs don't seem to and need to be manually configured.


The server returns:
openssl s_client -showcerts -connect op.certification.openid.net:60054
CONNECTED(00000003)
depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2158113, C = US, postalCode = 94043, ST = California, L = Mountain View, street = 350 Ellis Street, O = Symantec Corporation, OU = Cloud Platform Engineering, CN = op.certification.openid.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2158113, C = US, postalCode = 94043, ST = California, L = Mountain View, street = 350 Ellis Street, O = Symantec Corporation, OU = Cloud Platform Engineering, CN = op.certification.openid.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Cloud Platform Engineering/CN=op.certification.openid.net
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
---
Server certificate
subject=/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Cloud Platform Engineering/CN=op.certification.openid.net
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 2151 bytes and written 680 bytes
---

Responsible: Rohe
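
An added example, not part of the original issue report or the project's code: a Python check over `openssl s_client -showcerts` output that flags a chain served without its intermediate. The sample outputs are constructed (the first is abbreviated from the report above), and the function names and the placeholder root name are assumptions.

```python
import re

# Constructed samples: abbreviated `openssl s_client -showcerts` output.
# BROKEN follows the report above with DNs shortened; FIXED is hypothetical
# and its root name is a placeholder.
BROKEN = """\
depth=0 CN = op.certification.openid.net
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/O=Symantec Corporation/CN=op.certification.openid.net
   i:/O=Symantec Corporation/CN=Symantec Class 3 EV SSL CA - G3
---
Server certificate
"""
FIXED = """\
---
Certificate chain
 0 s:/O=Symantec Corporation/CN=op.certification.openid.net
   i:/O=Symantec Corporation/CN=Symantec Class 3 EV SSL CA - G3
 1 s:/O=Symantec Corporation/CN=Symantec Class 3 EV SSL CA - G3
   i:/CN=Placeholder Root CA
---
Server certificate
"""

ENTRY = re.compile(r"^\s*\d+ s:(.*)\n\s+i:(.*)$", re.MULTILINE)
VERIFY_ERR = re.compile(r"^verify error:num=(\d+):", re.MULTILINE)

def parse_chain(output):
    """Return [(subject, issuer), ...] for each certificate the server sent."""
    _, found, rest = output.partition("Certificate chain")
    body = rest.partition("\nServer certificate")[0] if found else ""
    return [(s.strip(), i.strip()) for s, i in ENTRY.findall(body)]

def diagnose(output):
    chain = parse_chain(output)
    errors = {int(n) for n in VERIFY_ERR.findall(output)}
    subjects = {s for s, _ in chain}
    # Issuers that no sent certificate covers: the client has to hold these
    # itself, either as a trusted root or as a locally configured intermediate.
    unsent = [i for s, i in chain if i != s and i not in subjects]
    # Codes 20 and 21 mean the verifier could not find such an issuer locally.
    incomplete = bool(unsent) and bool(errors & {20, 21})
    return {"sent": len(chain), "unsent_issuers": unsent,
            "errors": sorted(errors), "incomplete": incomplete}
```

Capture the output from a client whose trust store holds only roots; a client that already has the intermediate locally reports no verify error even when the server omits it.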