A site that shows no warning in IE but does in Firefox

In the MCP community on mixi, a suspicion came up that the reason browsers other than IE show a warning is that MS is serving a self-signed ("ore-ore") certificate, so I looked into it.

The most likely cause is that the intermediate certificate has not been installed on the IIS server, so it is not supplied during the SSL negotiation.
IE shows no warning because the required intermediate certificate is already present in IE's certificate store.

I used the openssl s_client command to check whether the intermediate certificate is supplied during the SSL negotiation.
Result of openssl s_client -connect mcp.microsoft.com:443 -CAfile /usr/local/share/curl/curl-ca-bundle.crt -verify 5 -showcerts:

verify depth is 5
CONNECTED(00000004)
depth=0 /C=US/ST=WA/L=Redmond/O=MS/OU=mscomops/CN=mcp.microsoft.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=WA/L=Redmond/O=MS/OU=mscomops/CN=mcp.microsoft.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=WA/L=Redmond/O=MS/OU=mscomops/CN=mcp.microsoft.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=WA/L=Redmond/O=MS/OU=mscomops/CN=mcp.microsoft.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=WA/L=Redmond/O=MS/OU=mscomops/CN=mcp.microsoft.com
issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
---
No client certificate CA names sent
---
SSL handshake has read 1558 bytes and written 324 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: (omitted)
    Session-ID-ctx: 
    Master-Key: (omitted)
    Key-Arg   : None
    Start Time: 1132073332
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE

Passing the CERTIFICATE section of this output to openssl x509 -text shows that it contains the location of the issuer's certificate, as follows.

Authority Information Access: 
    CA Issuers - URI:http://www.microsoft.com/pki/mscorp/Microsoft%20Secure%20Server%20Authority(2).crt
    CA Issuers - URI:http://corppki/aia/Microsoft%20Secure%20Server%20Authority(2).crt

If you actually fetch the first of those certificates and then go one more round of looking up and fetching its issuer's certificate,
you arrive at the GTE CyberTrust Root CA, so the certificate chain can be verified. However, browsers such as Firefox have no mechanism
for automatically verifying the certificate chain by following this Authority Information Access, which appears to be why they raise a warning.
IE probably has no mechanism for "automatic verification along this route" either.
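To make the check described above repeatable, here is a small parser, added as an example (not code from the original post), that reads an `openssl s_client -showcerts` transcript, lists which issuers the server named but did not send, and pulls the CA Issuers URIs out of `openssl x509 -text` output. The two transcripts and the AIA snippet embedded below are constructed stand-ins for the captures shown on this page (certificate bodies replaced by a placeholder, DNs shortened), and the trusted-root set is an assumption standing in for the client's CA bundle.

```python
"""Diagnose a missing-intermediate problem from openssl s_client output.

Added example. The transcripts below are constructed stand-ins for the
captures in the article; the certificate bodies are placeholders.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed stand-in for the first capture: only the leaf is sent, and its
# issuer is an internal Microsoft CA that no public CA bundle contains.
MS_TRANSCRIPT = """\
Certificate chain
 0 s:/C=US/ST=WA/L=Redmond/O=MS/OU=mscomops/CN=mcp.microsoft.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=WA/L=Redmond/O=MS/OU=mscomops/CN=mcp.microsoft.com
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed stand-in for the second capture: leaf plus the Network Solutions
# intermediate, which chains to the GTE CyberTrust Global Root.
NETSOL_TRANSCRIPT = """\
Certificate chain
 0 s:/C=US/O=Network Solutions, LLC/CN=*.netsolssl.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
 1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
"""

# Snippet of `openssl x509 -text` output, copied from the article's leaf cert.
X509_TEXT_SNIPPET = """\
            Authority Information Access: 
                CA Issuers - URI:http://www.microsoft.com/pki/mscorp/Microsoft%20Secure%20Server%20Authority(2).crt
                CA Issuers - URI:http://corppki/aia/Microsoft%20Secure%20Server%20Authority(2).crt
"""

# Assumption: the client trusts exactly this root (subject DN as s_client prints it).
TRUSTED_ROOTS: Set[str] = {
    "/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root",
}

# " 0 s:<subject>" followed on the next line by "   i:<issuer>".
CHAIN_ENTRY = re.compile(r"^ *(\d+) s:(.*)\n *i:(.*)$", re.MULTILINE)
VERIFY_CODE = re.compile(r"Verify return code: *(\d+)")
AIA_CA_ISSUER = re.compile(r"CA Issuers - URI:(\S+)")


def parse_chain(transcript: str) -> List[Tuple[str, str]]:
    """(subject, issuer) pairs in the order the server presented them."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in CHAIN_ENTRY.finditer(transcript)]


def missing_intermediates(transcript: str, roots: Set[str]) -> List[str]:
    """Issuers named in the chain that the server did not send and that are
    not already-trusted roots. Anything listed here is what a client would
    have to obtain on its own (for example via AIA) or else fail verification."""
    chain = parse_chain(transcript)
    sent = {subject for subject, _ in chain}
    missing: List[str] = []
    for _, issuer in chain:
        if issuer not in sent and issuer not in roots and issuer not in missing:
            missing.append(issuer)
    return missing


def verify_return_code(transcript: str) -> int:
    """The numeric 'Verify return code' from the SSL-Session block, or -1 if absent."""
    m = VERIFY_CODE.search(transcript)
    return int(m.group(1)) if m else -1


def aia_ca_issuers(x509_text: str) -> List[str]:
    """CA Issuers URIs from the Authority Information Access extension."""
    return AIA_CA_ISSUER.findall(x509_text)


def diagnose(transcript: str, roots: Set[str] = TRUSTED_ROOTS) -> Dict[str, object]:
    """Summarise whether the server's chain is complete for this client."""
    missing = missing_intermediates(transcript, roots)
    return {
        "certs_sent": len(parse_chain(transcript)),
        "missing_issuers": missing,
        "verify_code": verify_return_code(transcript),
        "chain_complete": not missing,
    }


if __name__ == "__main__":
    for name, text in (("mcp.microsoft.com", MS_TRANSCRIPT), ("www.netsolssl.com", NETSOL_TRANSCRIPT)):
        print(name, diagnose(text))
    print("AIA CA Issuers:", aia_ca_issuers(X509_TEXT_SNIPPET))
```

For a live check, pipe the real output of `openssl s_client -showcerts` into `diagnose`; an empty `missing_issuers` list with verify code 0 means the server is sending everything a client needs, while a non-empty list names the intermediate the server operator has to install.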

Incidentally, connecting to the networksolutions site, which uses the same GTE CyberTrust Global Root,
the server sends the intermediate certificate along with the leaf, as shown below
(there are two BEGIN CERTIFICATE to END CERTIFICATE blocks; the second one is the intermediate certificate).
An SSL site built on the GTE CyberTrust Global Root is normally expected to be configured this way.

openssl s_client -connect www.netsolssl.com:443 -CAfile /usr/local/share/curl/curl-ca-bundle.crt -verify 5 -showcerts

verify depth is 5
CONNECTED(00000004)
depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
verify return:1
depth=1 /C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
verify return:1
depth=0 /C=US/2.5.4.17=20171/ST=Virginia/L=Herndon/2.5.4.9=13200 Woodland Park Rd./O=Network Solutions, LLC/OU=Registrar/OU=Secure Link SSL Wildcard/CN=*.netsolssl.com
verify return:1
---
Certificate chain
 0 s:/C=US/2.5.4.17=20171/ST=Virginia/L=Herndon/2.5.4.9=13200 Woodland Park Rd./O=Network Solutions, LLC/OU=Registrar/OU=Secure Link SSL Wildcard/CN=*.netsolssl.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
 1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
-----BEGIN CERTIFICATE-----
MIIEkDCCA/mgAwIBAgIEBAADxTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
b2JhbCBSb290MB4XDTA1MDIwODE5MTcwMFoXDTEyMDIwODIzNTkwMFowYjELMAkG
A1UEBhMCVVMxITAfBgNVBAoTGE5ldHdvcmsgU29sdXRpb25zIEwuTC5DLjEwMC4G
A1UEAxMnTmV0d29yayBTb2x1dGlvbnMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy62ek00PKRG9e0xcFYe1uFMJ
SGhRtkiY9sqYZaIEuaWpngf7vuUJd7ZoUuO6lEQuYI18QWWRMZ9sJUV1I1qN2csv
OKNsI8MA5dFSH8cq+ur+dCvprS3xll+MBFjCAw9ArcatppLD1L9YUNBLMWjwXIDO
G5K17tMbeNA2dQu4uCAqa2R7nJPaBhssGH7ZcgsnxFWy1vMla3A4nzd99/C7rwJI
EiDtM1GFPl7cv1s2bBUnqHIoEzH9nWkAWBJATcqkxH189iu4bFxv4TQfeEq1CIF0
qmSOUBKNu2JKsjYC2fXlWTTjJ0oJr77Y02tZzIR11kBu6Zsyt+8/cRp0d4UvywID
AQABo4IBujCCAbYwRQYDVR0fBD4wPDA6oDigNoY0aHR0cDovL3d3dy5wdWJsaWMt
dHJ1c3QuY29tL2NnaS1iaW4vQ1JMLzIwMTgvY2RwLmNybDAdBgNVHQ4EFgQUAbmY
lDcvUo5mlZdgiFn32IWb94cwgZ0GA1UdIASBlTCBkjBIBgkrBgEEAbE+AQAwOzA5
BggrBgEFBQcCARYtaHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL0NQUy9PbW5p
Um9vdC5odG1sMEYGDCsGAQQBhg4BAgEDATA2MDQGCCsGAQUFBwIBFihodHRwczov
L3d3dy5uZXRzb2xzc2wuY29tL3JlcG9zaXRvcnkvQ1BTMIGJBgNVHSMEgYEwf6F5
pHcwdTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlvbjEnMCUG
A1UECxMeR1RFIEN5YmVyVHJ1c3QgU29sdXRpb25zLCBJbmMuMSMwIQYDVQQDExpH
VEUgQ3liZXJUcnVzdCBHbG9iYWwgUm9vdIICAaUwDgYDVR0PAQH/BAQDAgEGMBIG
A1UdEwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQEFBQADgYEAfEk2kSeNpHd6WV9C
KQFPt782VaUow9rXZRFxvs68pOwd8ktobk2ITkTt8LIBRxMERxATH4JFB1HxWJQ9
6uJLVPn5TNrQbDwyDQiFJDxQcODMMlOTbq6fH3bk3E+nK1z2Ow5aerOu+Ga4l1eT
UpSTSVSzHX3qMgtALXAfqCUFvoc=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/2.5.4.17=20171/ST=Virginia/L=Herndon/2.5.4.9=13200 Woodland Park Rd./O=Network Solutions, LLC/OU=Registrar/OU=Secure Link SSL Wildcard/CN=*.netsolssl.com
issuer=/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2930 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: (omitted)
    Session-ID-ctx: 
    Master-Key: (omitted)
    Key-Arg   : None
    Start Time: 1132073803
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

...Hm, netsolssl's encryption is just DES? Seriously?

2 responses to "A site that shows no warning in IE but does in Firefox"


  2. […] ■ Reference URL for checking whether the intermediate certificate comes over the wire. This page was very helpful.   Certificate chain 0 […]
