SSL certs and xombrero again but with a third party twist

Wed, 28 May 2014 15:16:29 -0700 

Using xombrero in cert_warn mode with a ca file I get a yellow bar
which means untrusted on

ewf.companieshouse.gov.uk

but firefox shows a green bar

OpenSSL output at the bottom.

I figured OK so the pem bundles differ and I am not too surprised where
companies house is concerned.

mk-ca-bundle.pl 
Done (153 CA certs processed, 36 skipped).


didn't help so I reluctantly tried 


mk-ca-bundle.pl -p ALL:ALL
Done (189 CA certs processed, 0 skipped)

Wowser even more certs to force us to give-up on auditing yet I still
get a yellow bar. Does mk-ca-bundle.pl not grab all the certs that
mozilla uses? Or does xombrero do something clever and ignore third
party nonsense or something. I don't mind I can hopefully just track the
fingerprint(s) in this one off case and check in firefox but would like
to understand what is going on.

Thanks,
        Kc

_______________________________________________________________________


issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 4855 bytes and written 875 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
    Session-ID:
0348FBEA1FD673EC78AFD561C1C98B72CAD0A356F808B7EAC9506284366F1C76
Session-ID-ctx: Master-Key:
CD39F7BFCA9AA732F3E218AB6CE34EB7B6B943BB2D2F69A2D479FA6500BAEE41A071A8A1664E66003B6ECAE815EBDA8C
PSK identity: None PSK identity hint: None
    Start Time: 1401310681
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
_______________________________________________________________________

-- 
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd

_______________________________________________________________________

Reply via email to