Would it be OpenSSL.conf?

Get Outlook for iOS<https://aka.ms/o0ukef>
________________________________
From: Stanley Gilliam <stanley.x.gill...@gsk.com>
Sent: Monday, March 25, 2024 1:04:11 PM
To: noloa...@gmail.com <noloa...@gmail.com>
Cc: Daniel Sahlberg <daniel.l.sahlb...@gmail.com>; users@subversion.apache.org 
<users@subversion.apache.org>
Subject: RE: SVN does not trust cert

Hi Jeff,

If I am understanding correctly, we need to add something like:
1 s:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA

to which config file? Apologies I did not set up the server so I'm learning 
this as we go.


Stanley Gilliam
System Administrator
GSK
14200 Shady Grove Rd
Rockville, MD 20850
678-548-7768

-----Original Message-----
From: Jeffrey Walton <noloa...@gmail.com>
Sent: Monday, March 25, 2024 12:34 PM
To: Stanley Gilliam <stanley.x.gill...@gsk.com>
Cc: Daniel Sahlberg <daniel.l.sahlb...@gmail.com>; users@subversion.apache.org
Subject: Re: SVN does not trust cert

On Mon, Mar 25, 2024 at 12:26 PM Stanley Gilliam <stanley.x.gill...@gsk.com> 
wrote:
>
> Here is the output:
>
> [I am root!@uptus060-1:private]# echo "$cert" | openssl x509 -inform
> PEM -text -noout unable to load certificate
> 139671613519760:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
>
>
> [I am root!@uptus060-1:private]#  openssl s_client -connect
> hpc.gsk.com:443 -servername hpc.gsk.com -showcerts
> CONNECTED(00000003)
> depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo
> Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress =
> scientific_computing_supp...@gsk.com
> verify error:num=20:unable to get local issuer certificate verify
> return:1
> depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo
> Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress =
> scientific_computing_supp...@gsk.com
> verify error:num=21:unable to verify the first certificate verify
> return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith 
> Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
>    i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1 -----BEGIN
> CERTIFICATE-----
> MIIGbjCCBFagAwIBAgITEQAABQ+0dA0YF873AQAAAAAFDzANBgkqhkiG9w0BAQsF
> ADBlMRMwEQYKCZImiZPyLGQBGRYDY29tMRgwFgYKCZImiZPyLGQBGRYIY29ycG5l
> dDExGTAXBgoJkiaJk/IsZAEZFgl3bXNlcnZpY2UxGTAXBgNVBAMTEEdTSyBJc3N1
> aW5nIENBIDEwHhcNMjQwMzA4MTcyMDU1WhcNMjUwMzA4MTcyMDU1WjCBtTELMAkG
> A1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTEZMBcGA1UEBxMQVXBwZXIg
> UHJvdmlkZW5jZTEaMBgGA1UEChMRR2xheG8gU21pdGggS2xpbmUxDTALBgNVBAsT
> BFNSQ0ExFDASBgNVBAMTC2hwYy5nc2suY29tMTMwMQYJKoZIhvcNAQkBFiRzY2ll
> bnRpZmljX2NvbXB1dGluZ19zdXBwb3J0QGdzay5jb20wggEiMA0GCSqGSIb3DQEB
> AQUAA4IBDwAwggEKAoIBAQC1Cr+j9j5/739k+sHHiMDMvhprJmDHazw0UI1rPX7j
> W9wPg2kYHnP+jv33j7DB6vE/opCFVOgHTV3Lc7by3QBZAG142GPVSvu51k2syB+r
> AooW5a7onwaqZRKRSQX0NkHI4vSRHjVh9/0zxX6aPX6ygDyDKWOPslQ/71SFCyuZ
> /bgt/HMXeTP1WaT5u13lj5XtbRejx1WMu3HoRLguXZ6pBa5M5KNc9CaJJcnuTLzm
> 0152G1As1mkLJ2wm0PqzhXADoqXfnotBvZcSKov4+vYSSFB+7RUVLjdUVkRieDCK
> MBsGm+ufxUhWAxXnlC2b9NmM0XV7fr98V8WZD2D2sL4PAgMBAAGjggHEMIIBwDAv
> BgNVHREEKDAmggtocGMuZ3NrLmNvbYIXdXB0dXMwNjAtMS5jb3JwbmV0Mi5jb20w
> HQYDVR0OBBYEFAVcViHs7XlTuBk8aN7489VTL4pIMB8GA1UdIwQYMBaAFKvPJYEQ
> 0/UAImqrIU7r9upTKxjpMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9wa2kuZ3Nr
> LmNvbS9jZHAvR1NLJTIwSXNzdWluZyUyMENBJTIwMS5jcmwwcgYIKwYBBQUHAQEE
> ZjBkMD0GCCsGAQUFBzAChjFodHRwOi8vcGtpLmdzay5jb20vY2RwL0dTSyUyMElz
> c3VpbmclMjBDQSUyMDEuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vcGtpLmdzay5j
> b20vb2NzcDAOBgNVHQ8BAf8EBAMCBaAwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGC
> NxUI6vIrg/quQIX1kxyFkoFCheT+WYFUhq3CJ4KPsXwCAWQCAT8wHQYDVR0lBBYw
> FAYIKwYBBQUHAwEGCCsGAQUFBwMCMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUH
> AwEwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggIBAD0zCO/K/11ycaNA3scY
> SpT8Tqzc5wJToeC+EEyk+fCbwBaOfoPiDNLUC4jsG8kLtb1Z4XhBMa7eGmz3Xt58
> ubVC5C4QW/AJI0v0oJU3atJoPk5h8iERGzolEHnbpvt1dLDpmwFzid6APzavixem
> v1FC0jmD2tk5W2HSaMCZ8Qbt8B9uSwyknxLwjc4oyMxs1Oq1Jtsv8HCzC4Bi9yd6
> RYbB4uNAvULBSK5RoIjgsONfE42fnJKPCS1TBPWkjlROlmhyvi76NNoPl4GlS+eM
> pv9FB+Q7xcYTrfoygvEy6lvPCgQ3AqFcVmbQg5dEBMthPAymBHAdQHkjbKfVJd5X
> W8CFmsZ7pD8nmj5lfzT4SpkiMj59U0bj2e8FfLWQybtiGCGFO9M/nZdOHQndxHua
> O8bJzWs4rCy9hw+iOHZEUEe06m+mc+rLPN7DTO1rQOAk/BdakIauQyMTh5oYQ2mM
> us+7YUwZrNidZv9xfAJZc+zmnaumoGIbxkKChSfwhtb5L8uFnfQc6XDNaYUVKvwi
> XV9OQgiymXkGAp8Ai5eVv881BirqQkHyAtbUdpazUF5jlxreowp24NSAa/rWLa6p
> RKqS9aPC2lOfR2Kysv1SvJgst1OvtckqKsdlunGxRUH5gInwn7gzzmovCeWiD3+F
> GzKWlw6feJiNivlqBH1QwP39
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith
> Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_support
> @gsk.com issuer=/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2361 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public
> key is 2048 bit Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: 
> 4A9C3A7A8D91D5BE107F514BD64009F30D71C338D3C0E11AD6F8F2BBA256BDFA
>     Session-ID-ctx:
>     Master-Key: 
> 4B6426694B33A96B96BD3B382D7266826F1FC80C0B4857A9953AE969E6AB903B44739603E06D1933E269DCFA5D30CFD9
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>     0000 - 25 98 6a 95 45 08 1d 16-50 d9 fa 27 98 8f a3 9f   %.j.E...P..'....
>     0010 - 5e 8f e6 ca a5 05 be ea-e5 e7 00 8d da 8f 10 0a   ^...............
>     0020 - 0c d2 c2 94 ca eb 06 74-46 a1 00 5f 97 b3 aa f1   .......tF.._....
>     0030 - b7 2a a3 19 84 67 72 5d-13 f9 9f a4 86 4f 98 13   .*...gr].....O..
>     0040 - 01 37 b1 fa 38 d4 bb 18-9b 8a ef bf 3f c4 3a 5a   .7..8.......?.:Z
>     0050 - be 87 fe 5e 31 35 c5 31-63 16 9c 80 55 78 79 2c   ...^15.1c...Uxy,
>     0060 - c7 93 45 71 7a 39 7f f3-42 4a 47 85 18 59 22 51   ..Eqz9..BJG..Y"Q
>     0070 - e9 23 f7 6e a3 9d 35 73-6f 35 cd 09 ce 47 cc af   .#.n..5so5...G..
>     0080 - 19 71 0e 5f c5 63 18 a9-d6 b8 d8 23 85 e3 d9 75   .q._.c.....#...u
>     0090 - 17 09 46 ac 5a 7b 03 01-55 95 19 80 81 f3 11 19   ..F.Z{..U.......
>     00a0 - e5 e2 03 cc cd 8b 3c 63-8c fb 91 99 4c 98 9c 64   ......<c....L..d
>     00b0 - 7e e9 24 c6 ba a2 cd 35-d8 39 f2 5e e4 7f 26 ae   ~.$....5.9.^..&.
>     00c0 - 48 e7 aa fb 9d b2 27 83-28 c8 fb 17 bb 96 b4 75   H.....'.(......u
>
>     Start Time: 1711383886
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> read:errno=0

The server is misconfigured. Level 0 is the end entity (web server) 
certificate. But the web server is not sending the intermediate certificate 
called 'GSK Issuing CA 1':

   Certificate chain
    0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith 
Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1

There should be a level 1, with a subject of 
'/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1'. Something
like:

   Certificate chain
    0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith 
Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1

    1 s:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA

The server _can_ send 'GSK Root CA', but it is not required. The RFC makes 
sending the root certificate optional. If the root CA is sent, then it would 
look something like:

   Certificate chain
    0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith 
Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1

    1 s:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA

    2 s:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA

The client _must_ trust 'GSK Root CA'. This is your SVN client. That is the 
next thing to check once the server configuration is fixed.

Jeff

GSK monitors email communications sent to and from GSK in order to protect GSK, 
our employees, customers, suppliers and business partners, from cyber threats 
and loss of GSK Information. GSK monitoring is conducted with appropriate 
confidentiality controls and in accordance with local laws and after 
appropriate consultation.

Reply via email to