ARO Security
Randy Bush
randy at psg.com
Mon May 18 20:40:45 UTC 2015
i too get the amsl cert in response to an opelssl cert query with a
bog standard starfield class 2 chain
% openssl s_client -connect secretariat.nanog.org:443
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.amsl.com
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
2 s:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGRDCCBSygAwIBAgIJAInJ3xG7x0IgMA0GCSqGSIb3DQEBCwUAMIHGMQswCQYD
with chrome, https://secretariat.nanog.org gets me a redirect to
the insecure http://www.nanog.org/ (note lack of 's') via the
tls-failing cert, see above
> let's take the conversation off of nanog to spare the list.
one of the purposes of this list is for us to learn from eachother. in
this case, techniques for diagnosing tls & cert issues are worth
sharing. [ sadly, folk with bugs love to redirect discussion off public
media ]
randy
More information about the NANOG
mailing list