Hi Jeff,

If I am understanding correctly, we need to add something like:
1 s:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA

to which config file? Apologies, I did not set up the server, so I'm learning 
this as we go.


Stanley Gilliam
System Administrator
GSK
14200 Shady Grove Rd
Rockville, MD 20850
678-548-7768

-----Original Message-----
From: Jeffrey Walton <noloa...@gmail.com>
Sent: Monday, March 25, 2024 12:34 PM
To: Stanley Gilliam <stanley.x.gill...@gsk.com>
Cc: Daniel Sahlberg <daniel.l.sahlb...@gmail.com>; users@subversion.apache.org
Subject: Re: SVN does not trust cert

On Mon, Mar 25, 2024 at 12:26 PM Stanley Gilliam <stanley.x.gill...@gsk.com> 
wrote:
>
> Here is the output:
>
> [I am root!@uptus060-1:private]# echo "$cert" | openssl x509 -inform PEM -text -noout
> unable to load certificate
> 139671613519760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
>
>
> [I am root!@uptus060-1:private]#  openssl s_client -connect hpc.gsk.com:443 -servername hpc.gsk.com -showcerts
> CONNECTED(00000003)
> depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress = scientific_computing_supp...@gsk.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress = scientific_computing_supp...@gsk.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
>    i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
> -----BEGIN CERTIFICATE-----
> MIIGbjCCBFagAwIBAgITEQAABQ+0dA0YF873AQAAAAAFDzANBgkqhkiG9w0BAQsF
> ADBlMRMwEQYKCZImiZPyLGQBGRYDY29tMRgwFgYKCZImiZPyLGQBGRYIY29ycG5l
> dDExGTAXBgoJkiaJk/IsZAEZFgl3bXNlcnZpY2UxGTAXBgNVBAMTEEdTSyBJc3N1
> aW5nIENBIDEwHhcNMjQwMzA4MTcyMDU1WhcNMjUwMzA4MTcyMDU1WjCBtTELMAkG
> A1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTEZMBcGA1UEBxMQVXBwZXIg
> UHJvdmlkZW5jZTEaMBgGA1UEChMRR2xheG8gU21pdGggS2xpbmUxDTALBgNVBAsT
> BFNSQ0ExFDASBgNVBAMTC2hwYy5nc2suY29tMTMwMQYJKoZIhvcNAQkBFiRzY2ll
> bnRpZmljX2NvbXB1dGluZ19zdXBwb3J0QGdzay5jb20wggEiMA0GCSqGSIb3DQEB
> AQUAA4IBDwAwggEKAoIBAQC1Cr+j9j5/739k+sHHiMDMvhprJmDHazw0UI1rPX7j
> W9wPg2kYHnP+jv33j7DB6vE/opCFVOgHTV3Lc7by3QBZAG142GPVSvu51k2syB+r
> AooW5a7onwaqZRKRSQX0NkHI4vSRHjVh9/0zxX6aPX6ygDyDKWOPslQ/71SFCyuZ
> /bgt/HMXeTP1WaT5u13lj5XtbRejx1WMu3HoRLguXZ6pBa5M5KNc9CaJJcnuTLzm
> 0152G1As1mkLJ2wm0PqzhXADoqXfnotBvZcSKov4+vYSSFB+7RUVLjdUVkRieDCK
> MBsGm+ufxUhWAxXnlC2b9NmM0XV7fr98V8WZD2D2sL4PAgMBAAGjggHEMIIBwDAv
> BgNVHREEKDAmggtocGMuZ3NrLmNvbYIXdXB0dXMwNjAtMS5jb3JwbmV0Mi5jb20w
> HQYDVR0OBBYEFAVcViHs7XlTuBk8aN7489VTL4pIMB8GA1UdIwQYMBaAFKvPJYEQ
> 0/UAImqrIU7r9upTKxjpMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9wa2kuZ3Nr
> LmNvbS9jZHAvR1NLJTIwSXNzdWluZyUyMENBJTIwMS5jcmwwcgYIKwYBBQUHAQEE
> ZjBkMD0GCCsGAQUFBzAChjFodHRwOi8vcGtpLmdzay5jb20vY2RwL0dTSyUyMElz
> c3VpbmclMjBDQSUyMDEuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vcGtpLmdzay5j
> b20vb2NzcDAOBgNVHQ8BAf8EBAMCBaAwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGC
> NxUI6vIrg/quQIX1kxyFkoFCheT+WYFUhq3CJ4KPsXwCAWQCAT8wHQYDVR0lBBYw
> FAYIKwYBBQUHAwEGCCsGAQUFBwMCMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUH
> AwEwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggIBAD0zCO/K/11ycaNA3scY
> SpT8Tqzc5wJToeC+EEyk+fCbwBaOfoPiDNLUC4jsG8kLtb1Z4XhBMa7eGmz3Xt58
> ubVC5C4QW/AJI0v0oJU3atJoPk5h8iERGzolEHnbpvt1dLDpmwFzid6APzavixem
> v1FC0jmD2tk5W2HSaMCZ8Qbt8B9uSwyknxLwjc4oyMxs1Oq1Jtsv8HCzC4Bi9yd6
> RYbB4uNAvULBSK5RoIjgsONfE42fnJKPCS1TBPWkjlROlmhyvi76NNoPl4GlS+eM
> pv9FB+Q7xcYTrfoygvEy6lvPCgQ3AqFcVmbQg5dEBMthPAymBHAdQHkjbKfVJd5X
> W8CFmsZ7pD8nmj5lfzT4SpkiMj59U0bj2e8FfLWQybtiGCGFO9M/nZdOHQndxHua
> O8bJzWs4rCy9hw+iOHZEUEe06m+mc+rLPN7DTO1rQOAk/BdakIauQyMTh5oYQ2mM
> us+7YUwZrNidZv9xfAJZc+zmnaumoGIbxkKChSfwhtb5L8uFnfQc6XDNaYUVKvwi
> XV9OQgiymXkGAp8Ai5eVv881BirqQkHyAtbUdpazUF5jlxreowp24NSAa/rWLa6p
> RKqS9aPC2lOfR2Kysv1SvJgst1OvtckqKsdlunGxRUH5gInwn7gzzmovCeWiD3+F
> GzKWlw6feJiNivlqBH1QwP39
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_support@gsk.com
> issuer=/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2361 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: 4A9C3A7A8D91D5BE107F514BD64009F30D71C338D3C0E11AD6F8F2BBA256BDFA
>     Session-ID-ctx:
>     Master-Key: 4B6426694B33A96B96BD3B382D7266826F1FC80C0B4857A9953AE969E6AB903B44739603E06D1933E269DCFA5D30CFD9
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>     0000 - 25 98 6a 95 45 08 1d 16-50 d9 fa 27 98 8f a3 9f   %.j.E...P..'....
>     0010 - 5e 8f e6 ca a5 05 be ea-e5 e7 00 8d da 8f 10 0a   ^...............
>     0020 - 0c d2 c2 94 ca eb 06 74-46 a1 00 5f 97 b3 aa f1   .......tF.._....
>     0030 - b7 2a a3 19 84 67 72 5d-13 f9 9f a4 86 4f 98 13   .*...gr].....O..
>     0040 - 01 37 b1 fa 38 d4 bb 18-9b 8a ef bf 3f c4 3a 5a   .7..8.......?.:Z
>     0050 - be 87 fe 5e 31 35 c5 31-63 16 9c 80 55 78 79 2c   ...^15.1c...Uxy,
>     0060 - c7 93 45 71 7a 39 7f f3-42 4a 47 85 18 59 22 51   ..Eqz9..BJG..Y"Q
>     0070 - e9 23 f7 6e a3 9d 35 73-6f 35 cd 09 ce 47 cc af   .#.n..5so5...G..
>     0080 - 19 71 0e 5f c5 63 18 a9-d6 b8 d8 23 85 e3 d9 75   .q._.c.....#...u
>     0090 - 17 09 46 ac 5a 7b 03 01-55 95 19 80 81 f3 11 19   ..F.Z{..U.......
>     00a0 - e5 e2 03 cc cd 8b 3c 63-8c fb 91 99 4c 98 9c 64   ......<c....L..d
>     00b0 - 7e e9 24 c6 ba a2 cd 35-d8 39 f2 5e e4 7f 26 ae   ~.$....5.9.^..&.
>     00c0 - 48 e7 aa fb 9d b2 27 83-28 c8 fb 17 bb 96 b4 75   H.....'.(......u
>
>     Start Time: 1711383886
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> read:errno=0

The server is misconfigured. Level 0 is the end entity (web server) 
certificate. But the web server is not sending the intermediate certificate 
called 'GSK Issuing CA 1':

   Certificate chain
    0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1

There should be a level 1, with a subject of 
'/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1'. Something
like:

   Certificate chain
    0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1

    1 s:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA

The server _can_ send 'GSK Root CA', but it is not required. The RFC makes 
sending the root certificate optional. If the root CA is sent, then it would 
look something like:

   Certificate chain
    0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1

    1 s:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA

    2 s:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA
      i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA

The client _must_ trust 'GSK Root CA'. This is your SVN client. That is the 
next thing to check once the server configuration is fixed.

Jeff
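Editor's added example (not code from the thread, from GSK, or from the Subversion project): Jeff's diagnosis is that the server sends only the level-0 certificate, and that even once the intermediate is served the client must still trust the root. The script below rebuilds that situation offline with a throwaway three-level PKI (root, an "Issuing CA 1" intermediate, a web-server certificate; all names, keys and the `svn.example.com` host are stand-ins) and runs the same path-building check a TLS client does for each of the cases in Jeff's mail: intermediate missing, intermediate sent, root also sent, and root not trusted. It also carries the two helpers a practitioner wants for a real host: `fetch_served_chain` to capture what a live server sends, and `chain_summary` to list it in the `s:`/`i:` layout `openssl s_client -showcerts` uses. Only `fetch_served_chain` touches the network, and the demo does not call it.

```shell
#!/bin/sh
# Added example, not code from the thread or from Subversion.  It rebuilds
# the situation described in the thread with a throwaway three-level PKI
# so the cases (intermediate missing / sent / root also sent / root not
# trusted) can be compared offline.  Every name below is a stand-in.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# The only step that touches the network (the demo below does not call it):
# capture the PEM blocks a live server sends, end-entity first.
fetch_served_chain() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Split a PEM bundle into $WORK/parts/1.pem, 2.pem, ... in served order.
split_bundle() {
  rm -rf "$WORK/parts" && mkdir -p "$WORK/parts"
  awk -v dir="$WORK/parts" \
    '/-----BEGIN CERTIFICATE-----/ { c++ } c > 0 { print > (dir "/" c ".pem") }' "$1"
}

cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# List a bundle the way "s_client -showcerts" lists the chain (RFC 2253
# name form here rather than the slash form shown in the thread).
chain_summary() {
  split_bundle "$1"
  i=1
  while [ -f "$WORK/parts/$i.pem" ]; do
    s=$(openssl x509 -in "$WORK/parts/$i.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$WORK/parts/$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    printf ' %d s:%s\n   i:%s\n' "$((i - 1))" "$s" "$iss"
    i=$((i + 1))
  done
}

# What the client's TLS library does with what it received: build a path
# from the first served certificate, using the others only as untrusted
# helpers, up to a root the *client* trusts (for svn: ssl-authority-files
# in the servers file, or the OS store).  -no-CApath keeps the OS store
# out of the demo.  Exit status is openssl verify's (0 only on success).
verify_as_client() {
  trust="$1"; served="$2"
  split_bundle "$served"
  openssl verify -CAfile "$trust" -no-CApath -untrusted "$served" "$WORK/parts/1.pem"
}

# ---- throwaway PKI: root, "Issuing CA 1", web server certificate --------
newkey() { openssl req -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 "$@" 2>/dev/null; }
issue()  { openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 2 -sha256 -extfile "$4" -out "$5" 2>/dev/null; }

make_pki() (
  cd "$WORK"
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > openssl.cnf
  newkey -x509 -extensions v3_ca -days 2 -subj "/DC=com/DC=example/CN=Example Root CA"   -keyout root.key  -out root.pem
  newkey -x509 -extensions v3_ca -days 2 -subj "/DC=com/DC=example/CN=Unrelated Root CA" -keyout other.key -out other.pem
  newkey -subj "/DC=com/DC=example/CN=Example Issuing CA 1" -keyout int.key -out int.csr
  printf 'basicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign\n' > int.ext
  issue int.csr root.pem root.key int.ext int.pem
  newkey -subj "/C=US/O=Example/CN=svn.example.com" -keyout leaf.key -out leaf.csr
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:svn.example.com\n' > leaf.ext
  issue leaf.csr int.pem int.key leaf.ext leaf.pem
  # Three things a server could be configured to send:
  cat leaf.pem                  > served_leaf_only.pem   # what the thread's server does
  cat leaf.pem int.pem          > served_with_int.pem    # the fix
  cat leaf.pem int.pem root.pem > served_full.pem        # root too: allowed, not required
)

make_pki
echo '== chain as sent once the intermediate is included =='
chain_summary "$WORK/served_with_int.pem"
for sent in served_leaf_only served_with_int served_full; do
  printf '\n== client trusts the root; server sends %s ==\n' "$sent"
  # served_leaf_only reproduces the thread's "error 20 ... unable to get
  # local issuer certificate"; the other two verify OK.
  verify_as_client "$WORK/root.pem" "$WORK/$sent.pem" || true
done
printf '\n== client trusts an unrelated root; server sends leaf + intermediate ==\n'
verify_as_client "$WORK/other.pem" "$WORK/served_with_int.pem" || true
```

Against the real host the same two checks are `fetch_served_chain hpc.gsk.com > served.pem` followed by `chain_summary served.pem`; if that lists only entry 0, the server-side fix is to add the issuing CA certificate to whatever the web server's chain setting is (for Apache httpd, append it to the file named by `SSLCertificateFile`, or use `SSLCertificateChainFile` on releases older than 2.4.8). The end-entity certificate quoted in the thread carries an Authority Information Access "CA Issuers" URL under pki.gsk.com (visible with `openssl x509 -text -noout`), which is where a copy of the issuing CA certificate is normally published. The last case in the demo is Jeff's second point: with the intermediate served correctly, verification still fails unless the client trusts the root, which for the svn command-line client means the `ssl-authority-files` option in the `servers` configuration file or the OS trust store.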