A site where IE shows no warning but Firefox does
In the MCP community on mixi, someone raised the suspicion that browsers other than IE show a warning because MS is serving a self-signed ("ore-ore") certificate, so I looked into it.
The likely cause is that the intermediate certificate has not been installed on the IIS server, so the server does not send the intermediate certificate during the SSL negotiation.
IE shows no warning because the required intermediate certificate is already installed in IE's certificate store.
I checked whether the intermediate certificate is sent during the SSL negotiation with the openssl s_client command.
openssl s_client -connect mcp.microsoft.com:443 -CAfile /usr/local/share/curl/curl-ca-bundle.crt -verify 5 -showcerts
The result:
verify depth is 5 CONNECTED(00000004) depth=0 /C=US/ST=WA/L=Redmond/O=MS/OU=mscomops/CN=mcp.microsoft.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=WA/L=Redmond/O=MS/OU=mscomops/CN=mcp.microsoft.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=WA/L=Redmond/O=MS/OU=mscomops/CN=mcp.microsoft.com verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=US/ST=WA/L=Redmond/O=MS/OU=mscomops/CN=mcp.microsoft.com i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority -----BEGIN CERTIFICATE----- MIIFijCCBHKgAwIBAgIKH0+lrQACAAAyUDANBgkqhkiG9w0BAQUFADCBizETMBEG CgmSJomT8ixkARkWA2NvbTEZMBcGCgmSJomT8ixkARkWCW1pY3Jvc29mdDEUMBIG CgmSJomT8ixkARkWBGNvcnAxFzAVBgoJkiaJk/IsZAEZFgdyZWRtb25kMSowKAYD VQQDEyFNaWNyb3NvZnQgU2VjdXJlIFNlcnZlciBBdXRob3JpdHkwHhcNMDUwNjIy MTkzMjM1WhcNMDYwNjIyMTkzMjM1WjBoMQswCQYDVQQGEwJVUzELMAkGA1UECBMC V0ExEDAOBgNVBAcTB1JlZG1vbmQxCzAJBgNVBAoTAk1TMREwDwYDVQQLEwhtc2Nv bW9wczEaMBgGA1UEAxMRbWNwLm1pY3Jvc29mdC5jb20wgZ8wDQYJKoZIhvcNAQEB BQADgY0AMIGJAoGBAN6XPA9bQnOe2mtGhXlodI/dCLW6FCG4GJLq4Mtnt2ossYOT X30e6xVJaqYkFrzbPAbbf/EPkwE1d3NOgn5tVx45XulsdcC2CE6SRa5lU+XP2c0H N+xwxboDWnJ54/Ev9tNV9xXhJj5rtRbYfl6vAMfYMLmpirsNktHlY+aPE1hDAgMB AAGjggKUMIICkDALBgNVHQ8EBAMCBaAwRAYJKoZIhvcNAQkPBDcwNTAOBggqhkiG 9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAcGBSsOAwIHMAoGCCqGSIb3DQMHMB0G A1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUoPfQwnjes1n6 W7UHS9byDGwvUZAwHwYDVR0jBBgwFoAU3ywh0+MZc7xLYRMcYOpLveauIEQwga8G A1UdHwSBpzCBpDCBoaCBnqCBm4ZWaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3Br aS9tc2NvcnAvY3JsL01pY3Jvc29mdCUyMFNlY3VyZSUyMFNlcnZlciUyMEF1dGhv cml0eSgyKS5jcmyGQWh0dHA6Ly9jb3JwcGtpL2NybC9NaWNyb3NvZnQlMjBTZWN1 cmUlMjBTZXJ2ZXIlMjBBdXRob3JpdHkoMikuY3JsMIG/BggrBgEFBQcBAQSBsjCB rzBeBggrBgEFBQcwAoZSaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9tc2Nv cnAvTWljcm9zb2Z0JTIwU2VjdXJlJTIwU2VydmVyJTIwQXV0aG9yaXR5KDIpLmNy 
dDBNBggrBgEFBQcwAoZBaHR0cDovL2NvcnBwa2kvYWlhL01pY3Jvc29mdCUyMFNl Y3VyZSUyMFNlcnZlciUyMEF1dGhvcml0eSgyKS5jcnQwPwYJKwYBBAGCNxUHBDIw MAYoKwYBBAGCNxUIg8+JTa3yAoWhnwyC+sp9geH7dIFPg8LthQiOqdKFYwIBZAIB BTAnBgkrBgEEAYI3FQoEGjAYMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMBMA0GCSqG SIb3DQEBBQUAA4IBAQCkkWOj0my0HCbOJLtfE8FNfOZZeHDkDAN9/0gwvqeSGxBH N4isuwWh15pP7p38QdimY/o1DUCJPeB8dSxCAk/IbxYnAL/CcagMDSkpsBbpUPCf xwkuionquQb8dUoyZt3UFlo/f4IHryGVv/dwnkawREx1jgZ15+kOYezDilZ9T8V2 JQ/KC004C+aJi2TPDX5IJ91u7SU4Py9XF0/Ry0/OCHy8Tnc98qbIBuFFuvjz2H4V 0rPeY55czcWQqEPknlCg+JC0+Bh1h9ApedqXfp/BxsGudikMAWLTevpxFLiflC5c Y32bjbdCfo8ZyUIQmWK44ARO+YYWoGdMdfdtdCye -----END CERTIFICATE----- --- Server certificate subject=/C=US/ST=WA/L=Redmond/O=MS/OU=mscomops/CN=mcp.microsoft.com issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority --- No client certificate CA names sent --- SSL handshake has read 1558 bytes and written 324 bytes --- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher : RC4-MD5 Session-ID: (略) Session-ID-ctx: Master-Key: (略) Key-Arg : None Start Time: 1132073332 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- DONE
Passing the CERTIFICATE section of this output to openssl x509 -text shows that the certificate carries the location of its issuer's certificate, as follows.
Authority Information Access: CA Issuers - URI:http://www.microsoft.com/pki/mscorp/Microsoft%20Secure%20Server%20Authority(2).crt CA Issuers - URI:http://corppki/aia/Microsoft%20Secure%20Server%20Authority(2).crt
If you actually fetch the first of those certificates, then look up and fetch the location of its issuer's certificate for one more round, you arrive at the GTE CyberTrust Root CA, so the certificate chain can be verified. However, browsers such as Firefox have no mechanism for using this Authority Information Access to verify the certificate chain automatically, which is apparently why they warn. IE probably has no mechanism for "automatic verification via this route" either.
Incidentally, connecting to the networksolutions site, which uses the same GTE CyberTrust Global Root, the server sends the intermediate certificate along with the server certificate, as shown below. (There are two BEGIN CERTIFICATE to END CERTIFICATE blocks; the second one is the intermediate certificate.) This is presumably the normal configuration for an SSL site built on the GTE CyberTrust Global Root.
openssl s_client -connect www.netsolssl.com:443 -CAfile /usr/local/share/curl/curl-ca-bundle.crt -verify 5 -showcerts
verify depth is 5 CONNECTED(00000004) depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root verify return:1 depth=1 /C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority verify return:1 depth=0 /C=US/2.5.4.17=20171/ST=Virginia/L=Herndon/2.5.4.9=13200 Woodland Park Rd./O=Network Solutions, LLC/OU=Registrar/OU=Secure Link SSL Wildcard/CN=*.netsolssl.com verify return:1 --- Certificate chain 0 s:/C=US/2.5.4.17=20171/ST=Virginia/L=Herndon/2.5.4.9=13200 Woodland Park Rd./O=Network Solutions, LLC/OU=Registrar/OU=Secure Link SSL Wildcard/CN=*.netsolssl.com i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority -----BEGIN CERTIFICATE----- MIIEqzCCA5OgAwIBAgIRALotrfhGiAIK4fzzoXPjZDcwDQYJKoZIhvcNAQEFBQAw YjELMAkGA1UEBhMCVVMxITAfBgNVBAoTGE5ldHdvcmsgU29sdXRpb25zIEwuTC5D LjEwMC4GA1UEAxMnTmV0d29yayBTb2x1dGlvbnMgQ2VydGlmaWNhdGUgQXV0aG9y aXR5MB4XDTA1MDIyNDAwMDAwMFoXDTA4MDIyNDIzNTk1OVowgdYxCzAJBgNVBAYT AlVTMQ4wDAYDVQQREwUyMDE3MTERMA8GA1UECBMIVmlyZ2luaWExEDAOBgNVBAcT B0hlcm5kb24xIDAeBgNVBAkTFzEzMjAwIFdvb2RsYW5kIFBhcmsgUmQuMR8wHQYD VQQKExZOZXR3b3JrIFNvbHV0aW9ucywgTExDMRIwEAYDVQQLEwlSZWdpc3RyYXIx ITAfBgNVBAsTGFNlY3VyZSBMaW5rIFNTTCBXaWxkY2FyZDEYMBYGA1UEAxQPKi5u ZXRzb2xzc2wuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD4UoSqupz1 qtEyIbYCYowbxTbyCKZrStCClK4CSqnZwH4eUSMg1UMPJ5hbEz3YVKTSF/yVOSyP nKSZb2TPCL9hy91d2QwQP+MaXcF4jxuRA9UYfYSRHPx9quzXgULWk6reEW4eH7gl CZgCiVsAtCdO2o1bMulJ+Pdx7Ar1C8lITwIDAQABo4IBaTCCAWUwHwYDVR0jBBgw FoAUAbmYlDcvUo5mlZdgiFn32IWb94cwHQYDVR0OBBYEFAKJEzI8YuA2siB1UnXC AMCZz3KYMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQG CCsGAQUFBwMBBggrBgEFBQcDAjBZBgNVHSAEUjBQME4GDCsGAQQBhg4BAgEDATA+ MDwGCCsGAQUFBwIBFjBodHRwOi8vd3d3Lm5ldHNvbHNzbC5jb20vcmVwb3NpdG9y eS9yZWx5aW5ncGFydHkweAYDVR0fBHEwbzA1oDOgMYYvaHR0cDovL2NybC5uZXRz b2xzc2wuY29tL05ldHdvcmtTb2x1dGlvbnNDQS5jcmwwNqA0oDKGMGh0dHA6Ly9j cmwyLm5ldHNvbHNzbC5jb20vTmV0d29ya1NvbHV0aW9uc0NBLmNybDARBglghkgB 
hvhCAQEEBAMCBsAwDQYJKoZIhvcNAQEFBQADggEBAI/1TQDIUODqcyFcNVS0D+e4 AyD+bclSZlirYyPQgEQcn958Hsn2gzbmRXMcCZyM6nLu5xWZiEfWQZqYncfAKS7G 5+07+b/Ng/efdiSBVohyVDpeJVlhq1rJ0FIICPxZOBMht1tVMJ5vG7AlsLQbpaCK JbJgFCUnkKVsBt0C6QlMkeMjhWl/poWDs2XDNMu1Dn+iU8V7BoySxsThx1Gh8Stm sdvm9jwgX2c4p3hm5S1QpVPH5GGlHZOpY6lbMlVkEWe1qNnFxoW6o+ExUOdF6T2P lLVYPTleIV+w67dx1hQwVfpS/KJGEwjXgxcoDoQpKjy16LwrwxPD9Wa/rtWTg9s= -----END CERTIFICATE----- 1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root -----BEGIN CERTIFICATE----- MIIEkDCCA/mgAwIBAgIEBAADxTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds b2JhbCBSb290MB4XDTA1MDIwODE5MTcwMFoXDTEyMDIwODIzNTkwMFowYjELMAkG A1UEBhMCVVMxITAfBgNVBAoTGE5ldHdvcmsgU29sdXRpb25zIEwuTC5DLjEwMC4G A1UEAxMnTmV0d29yayBTb2x1dGlvbnMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy62ek00PKRG9e0xcFYe1uFMJ SGhRtkiY9sqYZaIEuaWpngf7vuUJd7ZoUuO6lEQuYI18QWWRMZ9sJUV1I1qN2csv OKNsI8MA5dFSH8cq+ur+dCvprS3xll+MBFjCAw9ArcatppLD1L9YUNBLMWjwXIDO G5K17tMbeNA2dQu4uCAqa2R7nJPaBhssGH7ZcgsnxFWy1vMla3A4nzd99/C7rwJI EiDtM1GFPl7cv1s2bBUnqHIoEzH9nWkAWBJATcqkxH189iu4bFxv4TQfeEq1CIF0 qmSOUBKNu2JKsjYC2fXlWTTjJ0oJr77Y02tZzIR11kBu6Zsyt+8/cRp0d4UvywID AQABo4IBujCCAbYwRQYDVR0fBD4wPDA6oDigNoY0aHR0cDovL3d3dy5wdWJsaWMt dHJ1c3QuY29tL2NnaS1iaW4vQ1JMLzIwMTgvY2RwLmNybDAdBgNVHQ4EFgQUAbmY lDcvUo5mlZdgiFn32IWb94cwgZ0GA1UdIASBlTCBkjBIBgkrBgEEAbE+AQAwOzA5 BggrBgEFBQcCARYtaHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL0NQUy9PbW5p Um9vdC5odG1sMEYGDCsGAQQBhg4BAgEDATA2MDQGCCsGAQUFBwIBFihodHRwczov L3d3dy5uZXRzb2xzc2wuY29tL3JlcG9zaXRvcnkvQ1BTMIGJBgNVHSMEgYEwf6F5 pHcwdTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlvbjEnMCUG A1UECxMeR1RFIEN5YmVyVHJ1c3QgU29sdXRpb25zLCBJbmMuMSMwIQYDVQQDExpH VEUgQ3liZXJUcnVzdCBHbG9iYWwgUm9vdIICAaUwDgYDVR0PAQH/BAQDAgEGMBIG 
A1UdEwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQEFBQADgYEAfEk2kSeNpHd6WV9C KQFPt782VaUow9rXZRFxvs68pOwd8ktobk2ITkTt8LIBRxMERxATH4JFB1HxWJQ9 6uJLVPn5TNrQbDwyDQiFJDxQcODMMlOTbq6fH3bk3E+nK1z2Ow5aerOu+Ga4l1eT UpSTSVSzHX3qMgtALXAfqCUFvoc= -----END CERTIFICATE----- --- Server certificate subject=/C=US/2.5.4.17=20171/ST=Virginia/L=Herndon/2.5.4.9=13200 Woodland Park Rd./O=Network Solutions, LLC/OU=Registrar/OU=Secure Link SSL Wildcard/CN=*.netsolssl.com issuer=/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority --- No client certificate CA names sent --- SSL handshake has read 2930 bytes and written 332 bytes --- New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher : EDH-RSA-DES-CBC3-SHA Session-ID: (略) Session-ID-ctx: Master-Key: (略) Key-Arg : None Start Time: 1132073803 Timeout : 300 (sec) Verify return code: 0 (ok) --- DONE
...Hm, netsolssl's encryption is just plain DES? Seriously?
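As an added example (not from the original post), here is a small Python checker that applies the same diagnosis to s_client output offline: it parses the s:/i: lines of the "Certificate chain" section, checks that each certificate is followed by its issuer, and reports whether the server stopped short of a trusted root the way mcp.microsoft.com does. The sample output is condensed from the two sessions above, with certificate bodies stripped and the netsol subject shortened.

```python
import re

# s_client "Certificate chain" sections from the two sessions on this page, condensed
# (constructed sample: certificate bodies stripped, netsol subject shortened).
MCP_OUTPUT = """\
Certificate chain
 0 s:/C=US/ST=WA/L=Redmond/O=MS/OU=mscomops/CN=mcp.microsoft.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
Verify return code: 21 (unable to verify the first certificate)
"""

NETSOL_OUTPUT = """\
Certificate chain
 0 s:/C=US/ST=Virginia/L=Herndon/O=Network Solutions, LLC/CN=*.netsolssl.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
 1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
Verify return code: 0 (ok)
"""

# Roots the client trusts, by subject name (the one both sites chain to).
TRUSTED_ROOTS = {"/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root"}

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    subjects = re.findall(r"^\s*\d+ s:(.*)$", output, re.M)
    issuers = re.findall(r"^\s*i:(.*)$", output, re.M)
    return list(zip(subjects, issuers))

def verify_return_code(output):
    """The numeric 'Verify return code' s_client prints (21 = first cert unverifiable)."""
    m = re.search(r"Verify return code: (\d+)", output)
    return int(m.group(1)) if m else None

def check_chain(output, trusted_roots):
    """Diagnose the chain the server actually sent, without any AIA chasing."""
    chain = parse_chain(output)
    if not chain:
        return "no certificates in output"
    # Each certificate's issuer must be the subject of the next certificate sent.
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            return f"broken: {subj} is issued by {issuer}, but the next cert sent is {next_subj}"
    last_subj, last_issuer = chain[-1]
    if last_issuer in trusted_roots or last_subj == last_issuer:
        return "complete"
    # The mcp.microsoft.com case: the leaf's issuer (the intermediate) was never sent.
    return f"incomplete: server did not send the intermediate '{last_issuer}'"
```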