On Mon, Mar 25, 2024 at 11:55 AM Stanley Gilliam
<stanley.x.gill...@gsk.com> wrote:
>
> I apologize for the miscommunication. Here is the output from the openssl 
> command:
>
> [I am root!@uptus060-1:conf.d]# openssl s_client -connect hpc.gsk.com:443

You should use -servername here. It triggers Server Name Indication (SNI).

> CONNECTED(00000003)
> depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith 
> Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress = 
> scientific_computing_supp...@gsk.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith 
> Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress = 
> scientific_computing_supp...@gsk.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith 
> Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
>    i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> subject=/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith 
> Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
> issuer=/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2341 bytes and written 427 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: 
> F8C2904FEE4CA89D0F03B21E4D8E16B120419D3F0737265AAC27452DD5BAD62E
>     Session-ID-ctx:
>     Master-Key: 
> 4D6D3D158228C520B36FF399795D8B847ADF21E2559CDB3EC0CDE8E8AF322B1397B9531598C5CA1215385F6CE8113248
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>
>     Start Time: 1711376647
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> :q!
> HTTP/1.1 400 Bad Request
> Date: Mon, 25 Mar 2024 14:24:13 GMT
> Server: Apache
> Content-Length: 226
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>400 Bad Request</title>
> </head><body>
> <h1>Bad Request</h1>
> <p>Your browser sent a request that this server could not understand.<br />
> </p>
> </body></html>
> read:errno=0

$ export cert='-----BEGIN CERTIFICATE-----
MIIGbjCCBFagAwIBAgITEQAABQ+0dA
[...]
GzKWlw6feJiNivlqBH1QwP39
-----END CERTIFICATE-----'

Then:

$ echo "$cert" | openssl x509 -inform PEM -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:00:00:05:0f:b4:74:0d:18:17:ce:f7:01:00:00:00:00:05:0f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = corpnet1, DC = wmservice, CN = GSK Issuing CA 1
        Validity
            Not Before: Mar  8 17:20:55 2024 GMT
            Not After : Mar  8 17:20:55 2025 GMT
        Subject: C = US, ST = Pennsylvania, L = Upper Providence, O =
Glaxo Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress =
scientific_computing_supp...@gsk.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:hpc.gsk.com, DNS:uptus060-1.corpnet2.com
            X509v3 Subject Key Identifier:
                05:5C:56:21:EC:ED:79:53:B8:19:3C:68:DE:F8:F3:D5:53:2F:8A:48
            X509v3 Authority Key Identifier:
                AB:CF:25:81:10:D3:F5:00:22:6A:AB:21:4E:EB:F6:EA:53:2B:18:E9
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://pki.gsk.com/cdp/GSK%20Issuing%20CA%201.crl
            Authority Information Access:
                CA Issuers -
URI:http://pki.gsk.com/cdp/GSK%20Issuing%20CA%201.crt
                OCSP - URI:http://pki.gsk.com/ocsp
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.7:
                0..&+.....7....+...@.......B...Y.T...'...|..d..?
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            1.3.6.1.4.1.311.21.10:
                0.0
..+.......0
..+.......
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

The issuer of the end entity (web server) certificate is 'GSK Issuing
CA 1'. That is this line:

    Issuer: DC = com, DC = corpnet1, DC = wmservice, CN = GSK Issuing CA 1

The intermediate certificate must be sent by the server to the client.
So next look at the chain:

    openssl s_client -connect hpc.gsk.com:443 -servername hpc.gsk.com -showcerts

Please post the output.

The Root CA -- the one where the subject == issuer -- is optional. It
might have a name like 'GSK Root CA', and it would have been used to
issue 'GSK Issuing CA 1'. The server can send the root CA; or the server
can forgo sending the root CA. The RFC makes sending it optional. But
the server _must_ send all intermediate certificates used to validate
the chain (called 'path building' in PKI). It is required by the RFCs.
And the client _must_ trust the root.

Jeff
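As an added, self-contained illustration of the point above (this is not code from the thread): a throwaway Root CA -> Issuing CA -> leaf chain is generated, and the leaf is then verified with only the root trusted, once without and once with the intermediate offered the way a server would send it. It assumes the openssl CLI (1.1.1 or later) is installed; the CA names and the hostname hpc.example.test are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the failure Jeff describes
# offline. A throwaway Root CA -> Issuing CA -> leaf chain is generated, then
# the leaf is verified against the root with and without the intermediate.
# Assumes the openssl CLI (1.1.1+); all names and the hostname are made up.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# csr NAME SUBJECT: fresh P-256 key and CSR (fast to generate, fine for a demo).
csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" >/dev/null 2>&1
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:hpc.example.test\n' > leaf.ext

# Root: self-signed, subject == issuer. This is what the client must trust.
csr root "/CN=Test Root CA"
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 1 \
  -extfile ca.ext >/dev/null 2>&1
# Intermediate issued by the root (the 'GSK Issuing CA 1' role).
csr int "/CN=Test Issuing CA 1"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 1 -extfile ca.ext >/dev/null 2>&1
# Leaf (web server) certificate issued by the intermediate.
csr leaf "/CN=hpc.example.test"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 1 -extfile leaf.ext >/dev/null 2>&1

# verify_leaf ROOT [INTERMEDIATE]: trust only ROOT and, optionally, offer the
# intermediate as an untrusted (server-supplied) cert, as a TLS client does.
# Prints openssl verify's result and returns its exit status.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem 2>&1
  else
    openssl verify -CAfile "$1" leaf.pem 2>&1
  fi
}

echo "--- server sends only the leaf (path building stops at depth 0):"
verify_leaf root.pem || true
echo "--- server also sends the intermediate (what -showcerts should list):"
verify_leaf root.pem int.pem
```

The first call reproduces the "unable to get local issuer certificate" lookup failure; the second prints "leaf.pem: OK", which is what a correctly configured server chain gives a client that trusts only the root.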
