[Openid-specs-ab] Certification of your relying party software

Hans Zandbelt hans.zandbelt at zmartzone.eu
Wed Jun 14 21:49:36 UTC 2017


Hi Bas,

The dedicated list for OIDC certification discussions is
certification at oidf.org (cc).

I get the expected output at [1], which has a different cert than your output
shows. I'm not sure how to explain that.
Can you verify your command again?

Regards,

Hans.

[1]
openssl s_client -connect rp.certification.openid.net:8080
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
"(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3
Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN =
Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Symantec
Corporation, OU = Cloud Platform Engineering, CN =
rp.certification.openid.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Symantec Corporation/OU=Cloud
Platform Engineering/CN=rp.certification.openid.net
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>


On Thu, Jan 26, 2017 at 9:12 AM, Bas Wegh (SCC) via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi Mike, all,
>
> Thanks a lot for the effort put into the rp conformance tests!
> Is there a dedicated mailing list? Sorry for sending here if there is one.
>
> I am in the process of getting the Erlang OpenID Connect client library
> ready for conformance testing.
>
> Yet I have the issue that the TLS handshake fails for me as the
> intermediate CA from Symantec is not sent down the line.
>
> Could this somehow be fixed? Thanks a lot.
> It worked about a week ago (before getting a lot of HTTP 500).
>
> openssl tells me:
> "Verification error: unable to verify the first certificate"
>
>
> Kind regards,
> Bas Wegh
>
> -------- output of openssl ----------------
> $ openssl s_client -connect rp.certification.openid.net:8080
>
> CONNECTED(00000003)
> depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCategory =
> Private Organization, serialNumber = 2158113, C = US, postalCode = 94043,
> ST = California, L = Mountain View, street = 350 Ellis Street, O = Symantec
> Corporation, OU = Cloud Platform Engineering, CN =
> rp.certification.openid.net
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCategory =
> Private Organization, serialNumber = 2158113, C = US, postalCode = 94043,
> ST = California, L = Mountain View, street = 350 Ellis Street, O = Symantec
> Corporation, OU = Cloud Platform Engineering, CN =
> rp.certification.openid.net
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private
> Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain
> View/street=350 Ellis Street/O=Symantec Corporation/OU=Cloud Platform
> Engineering/CN=rp.certification.openid.net
>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
> Class 3 EV SSL CA - G3
> ---
> Server certificate
> subject=/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private
> Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain
> View/street=350 Ellis Street/O=Symantec Corporation/OU=Cloud Platform
> Engineering/CN=rp.certification.openid.net
> issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
> Class 3 EV SSL CA - G3
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2494 bytes and written 302 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
>
>
>
> On 01/07/17 00:47, Mike Jones via Openid-specs-ab wrote:
> > You’ve probably followed the fact that the OpenID Foundation has launched the
> > RP Certification program.  If you’re the author of an OpenID Connect relying
> > party library, it would be great if you could certify your RP software as part
> > of “testing the tests”.  This would also enable you to be part of the launch
> > press release next month during the RSA Conference (February 13th).  You
> > should plan to complete your certification by February 6th to be included in the
> > press release.
> >
> > RP Certification is free and available to OpenID Foundation members during the
> > pilot phase.  After the pilot ends – probably on February 13th, the usual fees
> > will apply.  If you’re not a member, you or your organization can join at
> > https://openid.net/foundation/members/registration.
> >
> > See the instructions at http://openid.net/certification/rp_testing/ and
> > http://openid.net/certification/rp_submission/.  Let Roland and I know if you
> > have any questions.
> >
> > Best wishes,
> >
> > -- Mike
> >
>
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab



-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
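
Added example, not part of either message or of the conformance suite: a Python sketch that reads `openssl s_client` output like the two transcripts in this thread (mail quoting and wrapped names included) and reports whether verification failed because the server sent only the leaf certificate. The function names and the CN-only sample transcripts are constructed for illustration.

```python
import re
VERIFY = re.compile(r"^verify error:num=(\d+):", re.M)
ENTRY = re.compile(r"^\s*(?:\d+ s|i):(.*)$")

def unquote(text):  # drop leading '> ' mail-quote markers
    return re.sub(r"^(?:> ?)+", "", text, flags=re.M)

def parse_chain(text):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    m = re.search(r"^Certificate chain\n(.*?)^---", unquote(text), re.S | re.M)
    names = []
    for line in (m.group(1).splitlines() if m else []):
        e = ENTRY.match(line)
        if e:
            names.append(e.group(1))
        elif names:
            names[-1] += " " + line.strip()  # re-join a name wrapped by the mailer
    return list(zip(names[0::2], names[1::2]))

def diagnose(text):
    """Flag a chain whose top issuer was neither sent nor found locally."""
    chain = parse_chain(text)
    errors = sorted({int(n) for n in VERIFY.findall(unquote(text))})
    sent = {s for s, _ in chain}
    unsent = [i for s, i in chain if i not in sent]
    # With no verify errors, the unsent issuer is a root already trusted locally.
    return {"sent": len(chain), "errors": errors, "unsent_issuer": unsent[-1] if unsent else None,
            "incomplete": bool(unsent) and bool({20, 21} & set(errors))}

# Constructed samples: shortened to CN only, shaped like the two transcripts here.
LEAF_ONLY = """\
> verify error:num=20:unable to get local issuer certificate
> verify error:num=21:unable to verify the first certificate
> ---
> Certificate chain
>  0 s:/CN=rp.certification.openid.net
>    i:/CN=Symantec
> Class 3 EV SSL CA - G3
> ---
"""
FULL_CHAIN = """\
Certificate chain
 0 s:/CN=rp.certification.openid.net
   i:/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/CN=Symantec Class 3 Secure Server CA - G4
   i:/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
"""
print(diagnose(LEAF_ONLY), diagnose(FULL_CHAIN), sep="\n")
```

An `incomplete` result names the issuer the client could not find; the server operator fixes it by configuring the intermediate alongside the leaf, which is preferable to clients pinning the intermediate locally.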