On Mon, Mar 25, 2024 at 12:26 PM Stanley Gilliam
<stanley.x.gill...@gsk.com> wrote:
>
> Here is the output:
>
> [I am root!@uptus060-1:private]# echo "$cert" | openssl x509 -inform PEM -text -noout
> unable to load certificate
> 139671613519760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
>
>
> [I am root!@uptus060-1:private]#  openssl s_client -connect hpc.gsk.com:443 -servername hpc.gsk.com -showcerts
> CONNECTED(00000003)
> depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress = scientific_computing_supp...@gsk.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress = scientific_computing_supp...@gsk.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
>    i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
> ---
> Server certificate
> subject=/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
> issuer=/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2361 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: 
> 4A9C3A7A8D91D5BE107F514BD64009F30D71C338D3C0E11AD6F8F2BBA256BDFA
>     Session-ID-ctx:
>     Master-Key: 
> 4B6426694B33A96B96BD3B382D7266826F1FC80C0B4857A9953AE969E6AB903B44739603E06D1933E269DCFA5D30CFD9
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>
>     Start Time: 1711383886
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> read:errno=0

The server is misconfigured. Level 0 is the end entity (web server)
certificate. But the web server is not sending the intermediate
certificate called 'GSK Issuing CA 1':

   Certificate chain
    0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1

There should be a level 1, with a subject of
'/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1'. Something
like:

   Certificate chain
    0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1

    1 s:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA

The server _can_ send 'GSK Root CA', but it is not required. The RFC
makes sending the root certificate optional. If the root CA is sent,
then it would look something like:

   Certificate chain
    0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1

    1 s:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA

    2 s:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA

The client _must_ trust 'GSK Root CA'. This is your SVN client. That
is the next thing to check once the server configuration is fixed.

Jeff
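
The chain reading described in the reply above can be scripted. This is an added example, not part of the original thread: it parses the "Certificate chain" section of `openssl s_client -showcerts` output and reports whether the issuer of the last certificate sent is missing. The function names, certificate names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# chain_check: read `openssl s_client -showcerts` output on stdin, count the
# certificates the server sent and check that each issuer (i:) is the subject
# (s:) of the next entry.
chain_check() {
  awk '
    BEGIN { n = 0; code = "none"; verdict = "chain-links-ok" }
    /^Certificate chain/       { in_chain = 1; next }
    /^---$/                    { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n++] = $0; next }
    /Verify return code:/      { code = $4 }
    END {
      for (k = 0; k + 1 < n; k++)
        if (iss[k] != subj[k + 1]) verdict = "out-of-order-at-depth-" k
      top = n - 1
      if (n == 0) {
        verdict = "no-chain-found"
      } else if (verdict == "chain-links-ok" && iss[top] != subj[top] &&
                 (code == 20 || code == 21)) {
        # 20: issuer not found locally; 21: single non-self-signed cert.
        verdict = "issuer-not-sent"
      }
      printf "sent=%d verify=%s verdict=%s\n", n, code, verdict
      if (verdict == "issuer-not-sent") printf "missing=%s\n", iss[top]
    }'
}

# Constructed sample: server sends only the end-entity certificate.
sample_leaf_only() {
  printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' \
    ' 0 s:/C=US/O=Example Org/CN=www.example.test' \
    '   i:/DC=test/CN=Example Issuing CA 1' '---' 'Server certificate' \
    '    Verify return code: 21 (unable to verify the first certificate)'
}

# Constructed sample: server also sends the intermediate; client trusts the root.
sample_fixed() {
  printf '%s\n' '---' 'Certificate chain' \
    ' 0 s:/C=US/O=Example Org/CN=www.example.test' \
    '   i:/DC=test/CN=Example Issuing CA 1' \
    ' 1 s:/DC=test/CN=Example Issuing CA 1' \
    '   i:/DC=test/CN=Example Root CA' '---' \
    '    Verify return code: 0 (ok)'
}

sample_leaf_only | chain_check
sample_fixed | chain_check
```

Against a live server, pipe the real output in: `openssl s_client -connect host:443 -servername host -showcerts </dev/null 2>/dev/null | chain_check`.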
