On Mon, Dec 11, 2023 at 9:54 AM anonymous <invalid.nore...@gnu.org> wrote:
>
> URL:
> <https://savannah.gnu.org/bugs/?65009>
>
> Summary: wget refuses to use legitimate self signed CAs
> provided with the --ca-certificate flag
> Group: GNU Wget
> Submitter: None
> Submitted: Mon 11 Dec 2023 02:53:19 PM UTC
> Category: Program Logic
> Severity: 3 - Normal
> Priority: 5 - Normal
> Status: None
> Privacy: Public
> Assigned to: None
> Originator Name: David Hadas
> Originator Email: david.ha...@gmail.com
> Open/Closed: Open
> Release: None
> Discussion Lock: Any
> Operating System: Mac OS
> Reproducibility: Every Time
> Fixed Release: None
> Planned Release: None
> Regression: None
> Work Required: None
> Patch Included: None
>
>
> _______________________________________________________
>
> Follow-up Comments:
>
>
> -------------------------------------------------------
> Date: Mon 11 Dec 2023 02:53:19 PM UTC By: Anonymous
> Release: 1.21
>
> ---
>
> Using mTLS with self signed certificates with various tools, it seems wget
> misbehaves and does not add a legitimate self signed CA provided with the
> --ca-certificate flag to the ca pool used internally.
> (I expect that the same issue exists with TLS).
>
> The CA pem is legitimate and well structured as it is used successfully with
> other tools: (1) curl (see below), (2) standard go client and server.
>
> Wget indicates "Self-signed certificate encountered" as an output although the
> CA pem is provided using --ca-certificate
> Wget provides the same response with and without the --ca-certificate...
>
> ---
>
> Here is an example:
> % ./hack/ping.sh
>
> Connect to remote server using mTLS and self signed certificates
>
> Try Curl:
>
> + curl
> https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> --key prk.pem --cert cert.pem --cacert ca.pem
> <<< Response from the server
> Hello little client, <<< Response from the server
> happy to serve you today <<< Response from the server
> <<< Response from the server
> + set +x
>
> Try Wget:
>
> + wget
> https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> --private-key prk.pem --certificate cert.pem --ca-certificate ca.pem
> --2023-12-09 08:43:37--
> https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud/
> Resolving
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> (myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)...
> 169.63.244.138
> Connecting to
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> (myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)|169.63.244.138|:443...
> connected.
> ERROR: cannot verify
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud's
> certificate, issued by ‘CN=test,O=test.research.ibm.com’:
> Self-signed certificate encountered.
> To connect to
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> insecurely, use `--no-check-certificate'.
> + set +x
>
> ---
>
>
> Example running with debug mode:
> % ./hack/ping.sh
>
> Connect to remote server using mTLS and self signed certificates
>
> Try Curl:
>
> + curl -v
> https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> --key prk.pem --cert cert.pem --cacert ca.pem
> * Trying 169.63.244.138:443...
> * Connected to
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> (169.63.244.138) port 443 (#0)
> * ALPN: offers h2,http/1.1
> * (304) (OUT), TLS handshake, Client hello (1):
> * CAfile: ca.pem
> * CApath: none
> * (304) (IN), TLS handshake, Server hello (2):
> * (304) (IN), TLS handshake, Unknown (8):
> * (304) (IN), TLS handshake, Request CERT (13):
> * (304) (IN), TLS handshake, Certificate (11):
> * (304) (IN), TLS handshake, CERT verify (15):
> * (304) (IN), TLS handshake, Finished (20):
> * (304) (OUT), TLS handshake, Certificate (11):
> * (304) (OUT), TLS handshake, CERT verify (15):
> * (304) (OUT), TLS handshake, Finished (20):
> * SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
> * ALPN: server accepted h2
> * Server certificate:
> * subject: O=test.research.ibm.com; CN=test
> * start date: Dec 9 06:42:29 2023 GMT
> * expire date: Jan 8 06:42:29 2024 GMT
> * subjectAltName: host
> "myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud"
> matched cert's
> "myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud"
> * issuer: O=test.research.ibm.com; CN=test
> * SSL certificate verify ok.
> * using HTTP/2
> * h2 [:method: GET]
> * h2 [:scheme: https]
> * h2 [:authority:
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud]
> * h2 [:path: /]
> * h2 [user-agent: curl/8.1.2]
> * h2 [accept: */*]
> * Using Stream ID: 1 (easy handle 0x147811e00)
> > GET / HTTP/2
> > Host:
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> > User-Agent: curl/8.1.2
> > Accept: */*
> >
> < HTTP/2 200
> < content-type: text/plain; charset=utf-8
> < content-length: 51
> < date: Sat, 09 Dec 2023 06:53:45 GMT
> <
>
> Hello little client,
> happy to serve you today
>
> * Connection #0 to host
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> left intact
> + set +x
>
> Try Wget:
>
> + wget -d
> https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> --private-key prk.pem --certificate cert.pem --ca-certificate ca.pem
> Setting --private-key (privatekey) to prk.pem
> Setting --certificate (certificate) to cert.pem
> Setting --ca-certificate (cacertificate) to ca.pem
> DEBUG output created by Wget 1.21.4 on darwin22.4.0.
>
> Reading HSTS entries from /Users/davidhadas/.wget-hsts
> URI encoding = ‘UTF-8’
> Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
> --2023-12-09 08:53:45--
> https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud/
> Resolving
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> (myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)...
> 169.63.244.138
> Caching
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> => 169.63.244.138
> Connecting to
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> (myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)|169.63.244.138|:443...
> connected.
> Created socket 5.
> Releasing 0x0000600003c62480 (new refcount 1).
> Initiating SSL handshake.
> Handshake successful; connected socket 5 to SSL handle 0x0000000143008200
> certificate:
> subject: CN=test,O=test.research.ibm.com
> issuer: CN=test,O=test.research.ibm.com
> ERROR: cannot verify
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud's
> certificate, issued by ‘CN=test,O=test.research.ibm.com’:
> Self-signed certificate encountered.
> To connect to
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> insecurely, use `--no-check-certificate'.
> Closed 5/SSL 0x0000000143008200
> + set +x
>
> ---
>
> % wget --version
> GNU Wget 1.21.4 built on darwin22.4.0.
>
> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
> +ntlm +opie -psl +ssl/openssl
>
> Wgetrc:
> /opt/homebrew/etc/wgetrc (system)
> Locale:
> /opt/homebrew/Cellar/wget/1.21.4/share/locale
> Compile:
> clang -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/opt/homebrew/etc/wgetrc"
> -DLOCALEDIR="/opt/homebrew/Cellar/wget/1.21.4/share/locale" -I.
> -I../lib -I../lib -I/opt/homebrew/opt/openssl@3/include
> -I/opt/homebrew/Cellar/libidn2/2.3.4_1/include -DNDEBUG -g -O2
> Link:
> clang -I/opt/homebrew/Cellar/libidn2/2.3.4_1/include -DNDEBUG -g
> -O2 -L/opt/homebrew/Cellar/libidn2/2.3.4_1/lib -lidn2
> -L/opt/homebrew/opt/openssl@3/lib -lssl -lcrypto -ldl -lz
> ../lib/libgnu.a -liconv -lintl -Wl,-framework -Wl,CoreFoundation
> -lunistring

Here's a quick analysis, if it helps...

According to OpenSSL docs (https://www.openssl.org/docs/man1.0.2/man1/verify.html), the error 21 is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE. The error is documented as:

    no signatures could be verified because the chain contains only
    one certificate and it is not self signed.

It looks like Authority Key Identifier (AKID) does not equal Subject Key Identifier (SKID). The Subject Key Identifier is an X509 extension, but it appears to be missing from the certificate. I would expect to see something like this from OpenSSL:

    X509v3 extensions:
        X509v3 Subject Key Identifier:
            62:3D:9D:D5:91:09:AB:FA:02:88:43:8C:AB:BE:A1:01:1D:EB:7D:86
        X509v3 Authority Key Identifier:
            62:3D:9D:D5:91:09:AB:FA:02:88:43:8C:AB:BE:A1:01:1D:EB:7D:86

According to RFC 5280, the AKID is a MUST (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1). The SKID is a SHOULD in end-entity certificates (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2). It is not a MUST for SKID.

If this is the problem, then I expect the following would clear the issue with an OpenSSL backend:

    [ x509_ext ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer

The Subject Alt Name "Any" (shown below as "DNS:any, DNS:any") is suspicious. Hostnames must be fully qualified domain names per the CA/B Baseline Requirements. I did not check the RFCs, but the RFCs probably allow it.

The Subject Alt Name "127.0.0.1" is also suspicious. I've never seen localhost's IP address listed in the SAN. I've seen private IP addresses, but not localhost.

Also, if you want the Common Name (CN) test.research.ibm.com to validate, then it must also be listed in the Subject Alt Name (SAN). It cannot be placed in the CN only; it must be in both the CN and SAN.

Jeff

-----

$ export host=myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
$ openssl s_client -connect ${host}:443 -servername ${host} | openssl x509 -text -noout
depth=0 O = research.ibm.com, CN = test.research.ibm.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = research.ibm.com, CN = test.research.ibm.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 O = research.ibm.com, CN = test.research.ibm.com
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e8:a5:d3:b9:e5:65:cd:2e:8c:6c:a1:bc:07:5c:0a:76
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = test.research.ibm.com, CN = test
        Validity
            Not Before: Dec 11 12:08:59 2023 GMT
            Not After : Jan 10 12:08:59 2024 GMT
        Subject: O = research.ibm.com, CN = test.research.ibm.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                62:3D:9D:D5:91:09:AB:FA:02:88:43:8C:AB:BE:A1:01:1D:EB:7D:86
            X509v3 Subject Alternative Name:
                DNS:any, DNS:any, DNS:myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

-----

$ export host=myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
$ openssl s_client -connect ${host}:443 -servername ${host}
CONNECTED(00000003)
depth=0 O = research.ibm.com, CN = test.research.ibm.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = research.ibm.com, CN = test.research.ibm.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 O = research.ibm.com, CN = test.research.ibm.com
verify return:1
---
Certificate chain
 0 s:O = research.ibm.com, CN = test.research.ibm.com
   i:O = test.research.ibm.com, CN = test
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 11 12:08:59 2023 GMT; NotAfter: Jan 10 12:08:59 2024 GMT
---
Server certificate
subject=O = research.ibm.com, CN = test.research.ibm.com
issuer=O = test.research.ibm.com, CN = test
---
Acceptable client certificate CA names
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 16306 bytes and written 488 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
409769EDBA7F0000:error:0A00045C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:../ssl/record/rec_layer_s3.c:1584:SSL alert number 116
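
The following is an added example, not part of the message above or of wget's code: it builds a throwaway root CA and a server certificate using the [ x509_ext ] settings suggested in the analysis, then checks that the server certificate's AKID matches the CA's SKID and that the chain verifies only when the CA file is supplied. The names (example.test, ca.pem, leaf.pem) and the helper functions are assumptions made for illustration; it assumes the openssl command line tool, version 1.1.1 or later.

```shell
#!/bin/sh
# Added illustration; every name below (example.test, ca.pem, leaf.pem) is
# constructed. Assumes the openssl command line tool, version 1.1.1 or later.

# Print the 20-byte key identifier listed under "X509v3 <kind> Key Identifier".
key_id() {  # usage: key_id <cert.pem> Subject|Authority
    openssl x509 -in "$1" -noout -text |
        grep -A1 "X509v3 $2 Key Identifier" |
        grep -Eo '([0-9A-F]{2}:){19}[0-9A-F]{2}' | head -n 1
}

# True when subject and issuer names are identical (a name comparison only,
# not a signature check).
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" = \
      "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" ]
}

# Create ca.pem (self-signed root) and leaf.pem (server certificate) in <dir>.
make_chain() {  # usage: make_chain <dir> <hostname>
    dir=$1 host=$2
    cat > "$dir/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
O = example.test
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/leaf.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
O = example.test
CN = $host
[ x509_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/leaf.cnf" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -days 30 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.cnf" -extensions x509_ext \
        -out "$dir/leaf.pem" 2>/dev/null
}

# Succeeds only when the leaf chains to the CA file passed explicitly.
verify_with_ca() {  # usage: verify_with_ca <ca.pem> <leaf.pem>
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same check with no trust anchors at all: the condition reported as
# "verify error:num=20:unable to get local issuer certificate".
verify_without_ca() {  # usage: verify_without_ca <leaf.pem>
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# Stand-alone run: build the chain in a temporary directory and report.
work=$(mktemp -d)
if make_chain "$work" server.example.test; then
    echo "CA SKID:   $(key_id "$work/ca.pem" Subject)"
    echo "leaf AKID: $(key_id "$work/leaf.pem" Authority)"
    verify_with_ca "$work/ca.pem" "$work/leaf.pem" && echo "with CA file: OK"
    verify_without_ca "$work/leaf.pem" || echo "without CA file: rejected"
fi
rm -rf "$work"
```

Running key_id and is_self_signed against a certificate saved from the server shows whether it is really self-signed and which CA key it expects, before comparing against the file passed to --ca-certificate.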