leap_cli: test certificate chain/intermediaries
As discussed, it would be good if we could have as one of the tests something to verify that the certificate chain is set up properly. Here is the output of a failed certificate:

gnutls-cli --x509cafile=/etc/ssl/certs/ca-certificates.crt id.iskra.net
Processed 160 CA certificate(s).
Resolving 'id.iskra.net'...
Connecting to '209.59.207.131:443'...
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- The hostname in the certificate matches 'id.iskra.net'.
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `OU=Domain Control Validated,OU=Gandi Standard Wildcard SSL,CN=*.iskra.net', issuer `C=FR,O=GANDI SAS,CN=Gandi Standard SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2012-06-01 00:00:00 UTC', expires `2013-06-01 23:59:59 UTC', SHA-1 fingerprint `ff02fcf95d3be210e8eb509f623ee1e651807eb8'
Public Key Id:
f7e3942c0863b520fc3222782f4570dfcc779faf
Public key's random art:
+--[ RSA 2048]----+
| . . |
| + . + |
| + o = . . |
|. . o o o . . . |
|o o + = S . o |
| o + + o o o . . |
| . . . . * .|
| . + . . |
| . E |
+-----------------+
*** Handshake has failed
GnuTLS error: Error in the certificate.
micah@minnow:~/leap/web/config$ echo $?
1

Here is what openssl does (note it doesn't set a proper result code):

$ openssl s_client -CApath /etc/ssl/certs/ca-certificates.crt -showcerts -connect id.iskra.net:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.iskra.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.iskra.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.iskra.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.iskra.net
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
-----BEGIN CERTIFICATE-----
MIIE0jCCA7qgAwIBAgIQZkbsEZA+qrtffm2duRZYUzANBgkqhkiG9w0BAQUFADBB
MQswCQYDVQQGEwJGUjESMBAGA1UEChMJR0FOREkgU0FTMR4wHAYDVQQDExVHYW5k
aSBTdGFuZGFyZCBTU0wgQ0EwHhcNMTIwNjAxMDAwMDAwWhcNMTMwNjAxMjM1OTU5
WjBfMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQxJDAiBgNVBAsT
G0dhbmRpIFN0YW5kYXJkIFdpbGRjYXJkIFNTTDEUMBIGA1UEAxQLKi5pc2tyYS5u
ZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEGB+1c6rqaEP6YBwq
hY77mzWME0qDirrdv0k7DHFvQy289l3ngoI6Wjt6rPpDjVaQ0lTfogt8Vgknxb/l
jw2Fr0OrBEQsA+/WYXiSpYz8FQkp9XMMTcN0oa4onvu2El3Xk2HZYPM2jC/Y8vdp
tcXKY0/UyVtOytZTnmm9lta4FQtu84SJavbtBGI+KTAm7ErAfSAV2adxOxKB2xP4
p9Vv+aSmOIZNuxCMPaJ0W6T41Sd34mNx+PtjS9Oze5y911SRLXm+jmx5xghd01vt
b4xYMA3IrK25oHc8wLN5zBeLbA1mIlhpd9HbGIvHNjJtSl7Afkn1PlefK7FF4/i2
e0pfAgMBAAGjggGmMIIBojAfBgNVHSMEGDAWgBS2qP+iqC/Qps1LsWjz51AQMad5
ITAdBgNVHQ4EFgQU+c+c4mcJMDowwOl+Aezp2PUQDhMwDgYDVR0PAQH/BAQDAgWg
MAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMFYG
A1UdIARPME0wSwYLKwYBBAGyMQECAhowPDA6BggrBgEFBQcCARYuaHR0cDovL3d3
dy5nYW5kaS5uZXQvY29udHJhY3RzL2ZyL3NzbC9jcHMvcGRmLzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmdhbmRpLm5ldC9HYW5kaVN0YW5kYXJkU1NMQ0Eu
Y3JsMGoGCCsGAQUFBwEBBF4wXDA3BggrBgEFBQcwAoYraHR0cDovL2NydC5nYW5k
aS5uZXQvR2FuZGlTdGFuZGFyZFNTTENBLmNydDAhBggrBgEFBQcwAYYVaHR0cDov
L29jc3AuZ2FuZGkubmV0MCEGA1UdEQQaMBiCCyouaXNrcmEubmV0gglpc2tyYS5u
ZXQwDQYJKoZIhvcNAQEFBQADggEBAJ/PmnJlxhCsiQvWR+KBs9KIwMA4l8ieCuZR
z+brRrt03DBLgoE5eSrFcXkqOWSnaA1AVvgTj41gJlQ8f+16gGMN1mcYCW00Rfbn
863EXpU009imHERuFEFzg35hByq2IN2VBCR+Vorw1TqHp2VptjkWgMsPHePV4b11
WbTohA9AYJfWTFAFQwDuafi2BpcjE38nUd8uOO1GDWAz/tUkGb2r9jxm2iPKByqh
reCVsTdJMCdiZ781NDqbmnFFUmiJ47rky2aUYO7BnEv6OiWg5+DQxsJhEyyGXHq5
XSUpSfRTObUM79w0hBB31bTsd3OXiiUQj3i1MHcysItnWcT1fsw=
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.iskra.net
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1937 bytes and written 518 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: EE9D01B473587BB1574732CE555E1A529E69BC1B93CCA8DD2EFFAC37BDD0F4D8
    Session-ID-ctx:
    Master-Key: E0A2AC9790871A39792E2881611FB1AAD765BB82E3358CF8E8F429A79A6BDBD0941B2EA94C250FFAA7897001E66FDC82
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Compression: 1 (zlib compression)
    Start Time: 1356022401
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE
(from redmine: created on 2012-12-20)
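The failure shown above is the classic missing-intermediary case: the server presents a certificate list of exactly one certificate (the leaf), so no client can walk from it to a trusted root, and `openssl s_client` reports error 20 ("unable to get local issuer certificate") while still exiting 0. The following Ruby sketch, added here as an illustration and not part of leap_cli or its test suite, shows what such a chain test can check: it builds a constructed root / intermediate / leaf chain in memory, then verifies the chain both with and without the intermediary, reading the verification result from `OpenSSL::X509::StoreContext` instead of a process exit code. The helper names (`make_cert`, `verify_chain`, `ChainResult`) and the `example.test` names are assumptions made for this example.

```ruby
require 'openssl'

# Constructed example: a root CA, an intermediate CA and a leaf certificate
# generated in memory so the check runs offline against no real host.
def make_cert(subject:, issuer_cert:, issuer_key:, key:, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

root_key = OpenSSL::PKey::RSA.new(2048)
ROOT = make_cert(subject: '/CN=Example Root CA', issuer_cert: nil,
                 issuer_key: root_key, key: root_key, ca: true, serial: 1)
inter_key = OpenSSL::PKey::RSA.new(2048)
INTERMEDIATE = make_cert(subject: '/CN=Example Intermediate CA', issuer_cert: ROOT,
                         issuer_key: root_key, key: inter_key, ca: true, serial: 2)
leaf_key = OpenSSL::PKey::RSA.new(2048)
LEAF = make_cert(subject: '/CN=*.example.test', issuer_cert: INTERMEDIATE,
                 issuer_key: inter_key, key: leaf_key, ca: false, serial: 3)

ChainResult = Struct.new(:ok, :error_code, :error_string, :chain_length)

# Verify the list a server presents (leaf first, then any intermediaries)
# against the given trusted roots. Unlike `openssl s_client`, the result
# is read from the verification context, so it is usable as a test oracle.
def verify_chain(presented, trusted_roots)
  leaf, *intermediates = presented
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, intermediates)
  ok = ctx.verify
  ChainResult.new(ok, ctx.error, ctx.error_string, ok ? ctx.chain.size : 0)
end

# Server sends leaf + intermediary: chain builds back to the trusted root.
good = verify_chain([LEAF, INTERMEDIATE], [ROOT])
puts "with intermediary:    ok=#{good.ok} chain=#{good.chain_length} (#{good.error_string})"

# Server sends only the leaf, as in the report above: verification fails with
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (code 20).
bad = verify_chain([LEAF], [ROOT])
puts "without intermediary: ok=#{bad.ok} code=#{bad.error_code} (#{bad.error_string})"
```

In a live test the `presented` list would come from `OpenSSL::SSL::SSLSocket#peer_cert_chain` after connecting to the node under test, and the trusted roots from the same CA bundle `gnutls-cli` was pointed at; the point to assert on is `ChainResult#ok` together with the error code, since the exit status of `openssl s_client` does not reflect verification failure.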