Re: Is it possible to grab CA certificate?
When I go to an SSL site I see this message in fx:

> You have asked Firefox to connect securely to news.ycombinator.com, but we can't confirm that your connection is secure.
>
> Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
>
> What Should I Do?
>
> If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.
>
> news.ycombinator.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

And then I go to Add exception - View - Details tab - Certificate hierarchy, but there is only news.ycombinator.com present. When I export it and try to import it into fx I get: "This is not a certificate authority certificate, so it can't be imported into the certificate authority list." So I think this is not a CA certificate but a server certificate.

And about recurring errors on the same site: I have a number of server exceptions in the Servers list under my company custom CA certificate in Advanced - View Certificates - Servers. All of them are marked Permanent. Nevertheless, the error page I described above appears from time to time even on sites that I have previously added to a trusted list. It's extremely annoying and I don't know why this happens.

I use Firefox 21.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Is it possible to grab CA certificate?
If the only certificate that is shown is the server certificate, the server is not providing the certificate chain, only the server certificate. This way, you won't be able to get the CA certificate from the SSL connection. Maybe your network admins want to fix that too.

What is strange is that exceptions are not working as expected. Is there any chance that the certificate is changing from time to time? I really think you will need to discuss what is happening with the server admins.

On Tue, Jun 18, 2013 at 3:07 AM, A A wemp...@gmail.com wrote:

> When I go to an SSL site I see this message in fx: You have asked Firefox to connect securely to news.ycombinator.com, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified. What Should I Do? If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue. news.ycombinator.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
>
> And then I go to Add exception - View - Details tab - Certificate hierarchy, but there is only news.ycombinator.com present. When I export it and try to import it into fx I get: "This is not a certificate authority certificate, so it can't be imported into the certificate authority list." So I think this is not a CA certificate but a server certificate.
>
> And about recurring errors on the same site: I have a number of server exceptions in the Servers list under my company custom CA certificate in Advanced - View Certificates - Servers. All of them are marked Permanent. Nevertheless, the error page I described above appears from time to time even on sites that I have previously added to a trusted list. It's extremely annoying and I don't know why this happens.
>
> I use Firefox 21.

--
Cristian Thiago Moecke
RE: Is it possible to grab CA certificate?
Sorry for top-post - webmail :(

In TLS, the server should not send the root certificate - it sends the chain up to, but not including, the root certificate. From (sorry) http://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx :

> Server Certificate Message
>
> The server sends its certificate to the client. The server certificate contains the server's public key. The client uses this key to authenticate the server and to encrypt the Premaster Secret. The Server Certificate message includes:
>
> - The server's certificate list. The first certificate in the list is the server's X.509v3 certificate that contains the server's public key.
> - Other validating certificates. All other validating certificates, up to but not including the root certificate from the CA, signed by the CA.

Carl

From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on behalf of Cristian Thiago Moecke [cont...@cristiantm.com.br]
Sent: 18 June 2013 11:43
To: openssl-users@openssl.org
Subject: Re: Is it possible to grab CA certificate?

> If the only certificate that is shown is the server certificate, the server is not providing the certificate chain, only the server certificate. This way, you won't be able to get the CA certificate from the SSL connection. Maybe your network admins want to fix that too.
>
> What is strange is that exceptions are not working as expected. Is there any chance that the certificate is changing from time to time? I really think you will need to discuss what is happening with the server admins.
>
> On Tue, Jun 18, 2013 at 3:07 AM, A A wemp...@gmail.com wrote:
>
>> When I go to an SSL site I see this message in fx: You have asked Firefox to connect securely to news.ycombinator.com, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified. What Should I Do? If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue. news.ycombinator.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
>>
>> And then I go to Add exception - View - Details tab - Certificate hierarchy, but there is only news.ycombinator.com present. When I export it and try to import it into fx I get: "This is not a certificate authority certificate, so it can't be imported into the certificate authority list." So I think this is not a CA certificate but a server certificate.
>>
>> And about recurring errors on the same site: I have a number of server exceptions in the Servers list under my company custom CA certificate in Advanced - View Certificates - Servers. All of them are marked Permanent. Nevertheless, the error page I described above appears from time to time even on sites that I have previously added to a trusted list. It's extremely annoying and I don't know why this happens.
>>
>> I use Firefox 21.
>
> --
> Cristian Thiago Moecke
Re: Is it possible to grab CA certificate?
Hi,

I would suggest you grab some documentation of the openssl commands. That's enough for your problem. Well, you can get the certificate imported into your firefox using the following commands.

1) openssl s_client -connect www.google.co.in:443 -showcerts
   Here copy the text between the last -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and save it to a file, say cert.ansi.

2) openssl asn1parse -in cert.ansi -out cert.der
   Here you will get the FX-importable certificate cert.der. As mentioned earlier, if the server (MAN in Middle) is forcing TLS1.1, you can add the check (-ssl3) in the first command.

3) Import cert.der into your fx in trusted root authorities.

-
Thanks,
Saurabh Pandya

On Tue, Jun 18, 2013 at 4:39 PM, Carl Young carlyo...@keycomm.co.uk wrote:

> Sorry for top-post - webmail :(
>
> In TLS, the server should not send the root certificate - it sends the chain up to, but not including, the root certificate. From (sorry) http://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx :
>
>> Server Certificate Message
>>
>> The server sends its certificate to the client. The server certificate contains the server's public key. The client uses this key to authenticate the server and to encrypt the Premaster Secret. The Server Certificate message includes:
>>
>> - The server's certificate list. The first certificate in the list is the server's X.509v3 certificate that contains the server's public key.
>> - Other validating certificates. All other validating certificates, up to but not including the root certificate from the CA, signed by the CA.
>
> Carl
>
> From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on behalf of Cristian Thiago Moecke [cont...@cristiantm.com.br]
> Sent: 18 June 2013 11:43
> To: openssl-users@openssl.org
> Subject: Re: Is it possible to grab CA certificate?
>
>> If the only certificate that is shown is the server certificate, the server is not providing the certificate chain, only the server certificate. This way, you won't be able to get the CA certificate from the SSL connection. Maybe your network admins want to fix that too.
>>
>> What is strange is that exceptions are not working as expected. Is there any chance that the certificate is changing from time to time? I really think you will need to discuss what is happening with the server admins.
>>
>> On Tue, Jun 18, 2013 at 3:07 AM, A A wemp...@gmail.com wrote:
>>
>>> When I go to an SSL site I see this message in fx: You have asked Firefox to connect securely to news.ycombinator.com, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified. What Should I Do? If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue. news.ycombinator.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
>>>
>>> And then I go to Add exception - View - Details tab - Certificate hierarchy, but there is only news.ycombinator.com present. When I export it and try to import it into fx I get: "This is not a certificate authority certificate, so it can't be imported into the certificate authority list." So I think this is not a CA certificate but a server certificate.
>>>
>>> And about recurring errors on the same site: I have a number of server exceptions in the Servers list under my company custom CA certificate in Advanced - View Certificates - Servers. All of them are marked Permanent. Nevertheless, the error page I described above appears from time to time even on sites that I have previously added to a trusted list. It's extremely annoying and I don't know why this happens.
>>>
>>> I use Firefox 21.
>>
>> --
>> Cristian Thiago Moecke
RE: Is it possible to grab CA certificate?
> From: owner-openssl-us...@openssl.org On Behalf Of Carl Young
> Sent: Tuesday, 18 June, 2013 07:10
>
> Sorry for top-post - webmail :(
>
> In TLS, the server should not send the root certificate - it sends the chain up to, but not including, the root certificate. From (sorry) http://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx
> [snip]

"should not" is a little strong. It doesn't NEED to -- the relier (here client) must never trust a root sent in the handshake -- but it does no harm other than wasting a little wire time. For client authentication, when used, the same is true in the other direction. RFC5246 says the root MAY be omitted.

>> From: owner-openssl-us...@openssl.org on behalf of Cristian Thiago Moecke [cont...@cristiantm.com.br]
>> Sent: 18 June 2013 11:43
>>
>> If the only certificate that is shown is the server certificate, the server is not providing the certificate chain, only the server certificate. This way, you won't be able to get the CA certificate from the SSL connection. Maybe your network admins want to fix that too.

If it's for his own company's servers, perhaps. If it's for ycombinator, probably not, but see below.

>> What is strange is that exceptions are not working as expected. Is there any chance that the certificate is changing from time to time?

I agree that is strange. See below.

>> On Tue, Jun 18, 2013 at 3:07 AM, A A wemp...@gmail.com wrote:
>>
>>> When I go to an SSL site I see this message in fx: You have asked Firefox to connect securely to news.ycombinator.com, but we can't confirm that your connection is secure.
>>> [snip]
>>> (Error code: sec_error_unknown_issuer)
>>>
>>> And then I go to Add exception - View - Details tab - Certificate hierarchy, but there is only news.ycombinator.com present. When I export it and try to import it into fx I get: "This is not a certificate authority certificate, so it can't be imported into the certificate authority list." So I think this is not a CA certificate but a server certificate.

You're almost certainly right. If the cert Subject names the site and the Issuer names some CA, like the one I see just below, then it isn't a CA cert (and definitely not a root).

But when *I* connect to news.ycombinator.com:443 with s_client I get a chain of 3, compressed for posting:

    0 s:.../O=Y Combinator LLC/CN=news.ycombinator.com
      i:/C=US/O=Entrust, Inc./.../CN=Entrust Certification Authority - L1C
    1 s:(same)
      i:/O=Entrust.net/.../CN=Entrust.net Certification Authority (2048)
    2 s:(same)
      i:/C=US/.../CN=Entrust.net Secure Server Certification Authority

No root for that chain is sent, but my Firefox (now 21) for that site finds a shortcut root (in BuiltinTokenObject) instead of #2. This is most likely because Secure Server Certification Authority is 1024 bits, and when transitioning to 2048 they provided a bridge to the old root for reliers who don't have the new root, but prefer the new root for proper 2048 security. #1 and #0 are both 2048. (The root for Certification Authority (2048) has notBefore in 1999, but I'm not convinced it was actually issued then.)

Could you maybe be routed to a different machine? I got 184.172.10.74 .

>>> And about recurring errors on the same site: I have a number of server exceptions in the Servers list under my company custom CA certificate in Advanced - View Certificates - Servers. All of them are marked Permanent. Nevertheless, the error page I described above appears from time to time even on sites that I have previously added to a trusted list. It's extremely annoying and I don't know why this happens.
>>>
>>> I use Firefox 21.

I agree with the previous responder: this is strange, unless the cert changed, and for that to happen often would be pretty odd. One possibility: could it be that (some of) the company servers are not single machines but farms or load-sharing or load-balancing systems, which have multiple physical machines that *should* all be using the same key-and-certificate but maybe aren't?
Re: Is it possible to grab CA certificate?
On Tue, Jun 18, 2013 at 04:50:06PM -0400, Dave Thompson wrote:

>> From: owner-openssl-us...@openssl.org On Behalf Of Carl Young
>> Sent: Tuesday, 18 June, 2013 07:10
>>
>> Sorry for top-post - webmail :(
>>
>> In TLS, the server should not send the root certificate - it sends the chain up to, but not including, the root certificate. From (sorry) http://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx
>> [snip]
>
> "should not" is a little strong. It doesn't NEED to -- the relier (here client) must never trust a root sent in the handshake -- but it does no harm other than wasting a little wire time. For client authentication, when used, the same is true in the other direction. RFC5246 says the root MAY be omitted.

In fact with RFC 6698 DANE and digest matching type TLSA RRs with certificate usage 2, the server SHOULD (in most cases MUST, but the DANE WG won't let me say the obvious quite so strongly) send the root CA, because otherwise the client will likely have no means to compute the trust-anchor digest to compare with the TLSA record. With usage 2 trust-anchors, the client cannot generally be presumed to have prior access to trusted roots, so the server needs to send these.

http://tools.ietf.org/html/draft-dukhovni-dane-ops-00#section-4.2

--
	Viktor.
Re: Is it possible to grab CA certificate?
It's not an fx user list, but let me help you. On the Firefox side, you could:

1) Add a permanent exception (just make sure to check the appropriate checkbox on the exception dialog) so it won't ask you every time.
2) Export the certificate, clicking on the lock icon on the URL bar and going to More Information / Show certificate / Details / Export.

That would solve your problem, but if you want to do it the openssl way, you could use

    openssl s_client -showcerts -connect HOSTNAME:443

and copy the PEM encoded certificate to a file.

On Mon, Jun 17, 2013 at 12:49 PM, A A wemp...@gmail.com wrote:

> Is it possible to grab a CA certificate with openssl? I don't mean a remote server certificate but a local Certificate Authority certificate that is used when connecting to an SSL web page. I need it because a special kind of certificate is used in the place where I work that is signed by the company itself. It makes me have to accept a security exception in fx every single time I go to an SSL web page. I want to get this certificate and import it into the list of trusted CA certificates in fx. How to do this?

--
Cristian Thiago Moecke
Re: Is it possible to grab CA certificate?
By the way, I would NOT recommend adding an in-house, probably unprotected, CA as a trusted one. The exception is a much better way to deal with such cases.

On Mon, Jun 17, 2013 at 1:16 PM, Cristian Thiago Moecke cont...@cristiantm.com.br wrote:

> It's not an fx user list, but let me help you. On the Firefox side, you could:
>
> 1) Add a permanent exception (just make sure to check the appropriate checkbox on the exception dialog) so it won't ask you every time.
> 2) Export the certificate, clicking on the lock icon on the URL bar and going to More Information / Show certificate / Details / Export.
>
> That would solve your problem, but if you want to do it the openssl way, you could use
>
>     openssl s_client -showcerts -connect HOSTNAME:443
>
> and copy the PEM encoded certificate to a file.
>
> On Mon, Jun 17, 2013 at 12:49 PM, A A wemp...@gmail.com wrote:
>
>> Is it possible to grab a CA certificate with openssl? I don't mean a remote server certificate but a local Certificate Authority certificate that is used when connecting to an SSL web page. I need it because a special kind of certificate is used in the place where I work that is signed by the company itself. It makes me have to accept a security exception in fx every single time I go to an SSL web page. I want to get this certificate and import it into the list of trusted CA certificates in fx. How to do this?
>
> --
> Cristian Thiago Moecke

--
Cristian Thiago Moecke
RE: Is it possible to grab CA certificate?
> By the way, I would NOT recommend adding an in-house, probably unprotected, CA as a trusted one. The exception is a much better way to deal with such cases.

If it's a work machine, then absolutely trust the in-house CA, no matter how it is managed and protected.

/r$
--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Re: Is it possible to grab CA certificate?
Well... trusting a CA means you trust it for any website you access from the workstation. Adding exceptions means you trust it only for those specific sites. I would not recommend adding an untrustworthy in-house CA, because from a workstation people may access external websites too. Like banks, for example. If the CA is created just to authenticate intranet sites, it does not mean that everyone should trust it for more than that.

On Mon, Jun 17, 2013 at 1:28 PM, Salz, Rich rs...@akamai.com wrote:

>> By the way, I would NOT recommend adding an in-house, probably unprotected, CA as a trusted one. The exception is a much better way to deal with such cases.
>
> If it's a work machine, then absolutely trust the in-house CA, no matter how it is managed and protected.
>
> /r$
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA

--
Cristian Thiago Moecke
RE: Is it possible to grab CA certificate?
> because from a workstation people may access external websites too. Like banks

And perhaps they shouldn't. Have you seen the size of the built-in browser CA trust lists recently?

And really, which is more likely: an in-house CA leads you astray, or you bring some external malware from the Internet into the company?

/r$
--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Re: Is it possible to grab CA certificate?
Ok, we have too many maybes in a very open discussion that depends on so many variables... My intention is not to enter into a long discussion on security policies. I don't think the author of the first email is the network manager or the one that will deal with changing security policies; he only wants to get rid of some warnings, and therefore I would recommend him to keep with the safest option, that is: only trust the CA for what you know it is made for, that is, trusting that specific site. You can do that by adding a permanent exception.

But ok, I also would recommend that you talk with the network admins to clarify how much trust should be put in the CA, how they want to deal with trust in the internal network, and so on. Maybe they will want to discuss it with us. But for our friend, the user, I would still recommend not messing with trust anchors more than needed. Let someone that knows what is going on there decide what to do.

On Mon, Jun 17, 2013 at 1:43 PM, Salz, Rich rs...@akamai.com wrote:

>> because from a workstation people may access external websites too. Like banks
>
> And perhaps they shouldn't. Have you seen the size of the built-in browser CA trust lists recently?
>
> And really, which is more likely: an in-house CA leads you astray, or you bring some external malware from the Internet into the company?
>
> /r$
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA

--
Cristian Thiago Moecke
Re: Is it possible to grab CA certificate?
Unfortunately fx doesn't let me export the CA certificate. I can only view the server side certificate and export it. Also, marking the exception as permanent doesn't make fx remember this setting and I need to accept the certificate warning every time I go to a new SSL site. I tried to take the certificate that fx shows after clicking the padlock icon in the address bar and import it into the list of trusted CAs, but fx says that it's not a CA certificate. In fx I can only see that this CA certificate is signed by the company itself; it contains its name and address but I can't export it explicitly. And when I do

    openssl s_client -showcerts -connect HOSTNAME:443

it says "No client certificate CA names sent". It seems to be harder than I thought. I think that importing this CA certificate into the list of trusted CAs in fx would make all the warnings go away.

On 6/17/13, Cristian Thiago Moecke cont...@cristiantm.com.br wrote:

> Ok, we have too many maybes in a very open discussion that depends on so many variables... My intention is not to enter into a long discussion on security policies. I don't think the author of the first email is the network manager or the one that will deal with changing security policies; he only wants to get rid of some warnings, and therefore I would recommend him to keep with the safest option, that is: only trust the CA for what you know it is made for, that is, trusting that specific site. You can do that by adding a permanent exception.
>
> But ok, I also would recommend that you talk with the network admins to clarify how much trust should be put in the CA, how they want to deal with trust in the internal network, and so on. Maybe they will want to discuss it with us. But for our friend, the user, I would still recommend not messing with trust anchors more than needed. Let someone that knows what is going on there decide what to do.
>
> On Mon, Jun 17, 2013 at 1:43 PM, Salz, Rich rs...@akamai.com wrote:
>
>>> because from a workstation people may access external websites too. Like banks
>>
>> And perhaps they shouldn't. Have you seen the size of the built-in browser CA trust lists recently?
>>
>> And really, which is more likely: an in-house CA leads you astray, or you bring some external malware from the Internet into the company?
>>
>> /r$
>> --
>> Principal Security Engineer
>> Akamai Technology
>> Cambridge, MA
>
> --
> Cristian Thiago Moecke
Re: Is it possible to grab CA certificate?
Sorry for top posting, damn gmail web interface did that. I don't have mutt installed on this machine and it hurts.
RE: Is it possible to grab CA certificate?
> From: owner-openssl-us...@openssl.org On Behalf Of A A
> Sent: Monday, 17 June, 2013 20:58

re: Firefox, which I abbreviate FF not FX

> Unfortunately fx doesn't let me export the CA certificate. I can only view the server side certificate and export it. Also, marking the

It works for me (in 20.1, I'm a little behind, but I doubt this changed). To be clear: AddException, View, Details, select the top cert in Hierarchy (which should be the root/CA cert, but look to be sure), Export.

> exception as permanent doesn't make fx remember this setting and I need to accept the certificate warning every time I go to a new SSL

But not the same site, right? An exception is for a particular server cert *under* a CA. Look at Tools / Options / Encryption / ViewCertificates under Servers (yes, Servers is not the most obvious place for this). Whereas if you trust a CA cert, then all certs it issues are accepted (until expired, or maybe revoked; I forget if FF is doing revocation).

> site. I tried to take the certificate that fx shows after clicking the padlock icon in the address bar and import it into the list of trusted CAs, but fx says that it's not a CA certificate. In fx I can only see that this CA certificate is signed by the company itself; it contains its name and address but I can't export it explicitly. And when I do

Padlock / MoreInfo takes you to Tools / PageInfo / Security, which initially shows you the server cert. If the server cert is issued by a CA, the server cert is indeed not a CA cert. Like the above, go to Details, select the top cert in Hierarchy, and Export that.

> openssl s_client -showcerts -connect HOSTNAME:443
>
> it says "No client certificate CA names sent". It seems to be harder than I thought. I think that importing this CA certificate into the list of trusted CAs in fx would make all the warnings go away.

Client certificate CA names are for *client* authentication, which is rarely used, and apparently not here. What you want is the top/last cert in the *server* chain, which displays as a series of PEM blocks (base64 delimited by -----BEGIN and -----END lines) with 2-line labels before each giving the subject and issuer, which should help figure out which is which.

> [snip prior]
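The following POSIX shell script is an added example, not code from the thread or from the OpenSSL project. It carries out what Saurabh's three steps and Dave's last reply describe: split the PEM blocks that `openssl s_client -showcerts` prints, read each block's Subject and Issuer, pick the top certificate of the server chain (self-signed and CA:TRUE, the only kind Firefox accepts under Authorities), and convert it to DER. It also computes the usage 2 TLSA digest from Viktor's aside, which a client can only recompute if the server actually sends the CA. Because it has to run offline, it builds a throw-away in-house CA and a server certificate with `openssl req` and `openssl x509` and writes a file shaped like s_client output around them; the names Example Corp, Example In-House CA and intranet.example.test, the file names, and the function names are all constructed for this example. It assumes only a POSIX sh, awk and the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread: recover the CA certificate from the chain
# a server sends, on a constructed PKI so that it runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_test_pki: constructed stand-in for the company PKI. Creates a self-signed
# CA (basicConstraints CA:TRUE) and a server certificate issued by it, then
# writes showcerts.txt shaped like "openssl s_client -showcerts" output:
# handshake chatter, the server certificate first, its issuer after it.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/O=Example Corp/CN=Example In-House CA" \
        -addext "basicConstraints=critical,CA:TRUE" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/O=Example Corp/CN=intranet.example.test" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/server.pem" >/dev/null 2>&1
    {
        echo "CONNECTED(00000003)"
        echo "Certificate chain"
        echo " 0 s:/O=Example Corp/CN=intranet.example.test"
        echo "   i:/O=Example Corp/CN=Example In-House CA"
        cat "$WORK/server.pem"
        echo " 1 s:/O=Example Corp/CN=Example In-House CA"
        echo "   i:/O=Example Corp/CN=Example In-House CA"
        cat "$WORK/ca.pem"
        echo "---"
        echo "No client certificate CA names sent"
    } > "$WORK/showcerts.txt"
}

# split_pem_blocks FILE OUTDIR: copy every -----BEGIN CERTIFICATE----- ...
# -----END CERTIFICATE----- block in FILE to OUTDIR/cert-N.pem (N from 0 in the
# order sent, so cert-0 is the server certificate) and print the block count.
split_pem_blocks() {
    mkdir -p "$2"
    awk -v dir="$2" '
        BEGIN { n = 0; keep = 0 }
        /^-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" n ".pem"; n++; keep = 1 }
        keep { print > out }
        /^-----END CERTIFICATE-----/ { close(out); keep = 0 }
        END { print n }' "$1"
}

# cert_is_ca FILE: true when the certificate asserts basicConstraints CA:TRUE,
# the property Firefox checks before it accepts an import as an Authority
# ("This is not a certificate authority certificate ...").
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_is_self_signed FILE: true when Subject equals Issuer, i.e. a root.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# find_ca_cert DIR: print the path of the top certificate of the chain: the
# self-signed CA if the server sent one, else the highest CA certificate.
# Prints nothing and fails when only the server certificate was sent (the
# "no issuer chain was provided" situation from the first message).
find_ca_cert() {
    last_ca=""
    for f in "$1"/cert-*.pem; do
        if cert_is_ca "$f"; then
            last_ca="$f"
            if cert_is_self_signed "$f"; then
                echo "$f"
                return 0
            fi
        fi
    done
    [ -n "$last_ca" ] && echo "$last_ca"
}

# pem_to_der PEMFILE DERFILE: the PEM-to-DER conversion behind Saurabh's step 2.
pem_to_der() {
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
}

# tlsa_usage2_record PEMFILE: the DANE-TA record Viktor refers to: usage 2,
# selector 0 (whole certificate), matching type 1 (SHA-256 over the DER form).
tlsa_usage2_record() {
    digest=$(openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1)
    echo "2 0 1 $digest"
}

# Walk through it on the constructed PKI.
make_test_pki
COUNT=$(split_pem_blocks "$WORK/showcerts.txt" "$WORK/chain")
echo "server sent $COUNT certificate(s)"
for f in "$WORK/chain"/cert-*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer
done
CA_FILE=$(find_ca_cert "$WORK/chain") \
    || { echo "no CA certificate in the chain: ask the admins for it"; exit 1; }
pem_to_der "$CA_FILE" "$WORK/company-ca.der"
TLSA=$(tlsa_usage2_record "$CA_FILE")
echo "CA is $CA_FILE -> $WORK/company-ca.der (import under Authorities, not Servers)"
echo "TLSA: $TLSA"
```

Against a real server, replace the constructed showcerts.txt with the output of `openssl s_client -showcerts -connect HOSTNAME:443 </dev/null`. If `find_ca_cert` prints nothing, the server sent only its own certificate, which is the situation in the first message: nothing on the wire can supply the CA then, and it has to come from whoever operates the CA, as Cristian and Dave suggest. The `cert_is_ca` test is also why exporting the server certificate and importing it under Authorities fails.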