[Help-gnutls] Certificate verification failed
From: Dima Barsky
Subject: [Help-gnutls] Certificate verification failed
Date: Wed, 26 Oct 2005 21:31:53 +0100

Hello,

I have a small python application which uses pycurl to
download my bank statements every week. I was using
pycurl built with openssl until recently and the
application worked fine. A few days ago I upgraded the
pycurl and the libcurl packages (they are now built with GnuTLS 1.2.8)
and the application stopped working; it does not accept the bank's
certificate any more. This small script illustrates the problem:

#!/usr/bin/python
import pycurl
c = pycurl.Curl()
c.setopt(c.URL, 'https://www2.net.hsbc.com/')
c.setopt(c.VERBOSE, 1)
c.perform()

Here is the script's output:

* About to connect() to www2.net.hsbc.com port 443
* Trying 205.241.15.110... * connected
* Connected to www2.net.hsbc.com (205.241.15.110) port 443
* found 99 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt
* Closing connection #0
Traceback (most recent call last):
  File "test.py", line 6, in ?
    c.perform()
pycurl.error: (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt')

Initially I thought the problem was either in pycurl or libcurl.
However, when I tried to verify the site's certificate with gnutls-cli
it also failed:

$ gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt www2.net.hsbc.com
Processed 99 CA certificate(s).
Resolving 'www2.net.hsbc.com'...
Connecting to '205.241.15.110:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
# The hostname in the certificate matches 'www2.net.hsbc.com'.
# valid since: Wed May 4 01:00:00 BST 2005
# expires at: Fri May 5 00:59:59 BST 2006
# serial number: 0A:C6:FC:D0:29:5D:8F:82:A3:4F:70:00:21:43:88:B2
# fingerprint: 8C:42:11:CD:D1:AE:AB:9B:73:75:46:BB:C4:9C:D2:5E
# version: #3
# public key algorithm: RSA (1024 bits)
# e [24 bits]: 01:00:01
# m [1032 bits]:
00:BD:2A:31:5C:D6:59:F8:43:BC:A7:DB:B2:FB:06:9C:DA:30:91:F7:C2:CE:2C:86:94:14:FF:8E:C2:6F:88:E8:F5:A5:F8:11:40:CE:2D:F3:F2:12:BF:DB:A0:C8:06:85:1C:41:1F:EA:C0:7C:69:6A:A5:CD:37:74:74:4B:DE:19:CF:43:DA:96:E5:E3:5A:18:F1:4B:EA:CC:F7:42:93:82:8A:63:E8:8B:6C:7B:0B:08:6E:7D:EF:2C:E6:14:CB:02:C6:BE:3D:4C:EA:8D:AD:4E:EF:D4:D3:00:FA:2B:FD:0A:51:66:4B:AA:EE:7E:F1:D6:1E:A0:28:CF:60:CE:8E:83:8B
# Subject's DN: C=US,ST=New Jersey,L=Jersey City,O=hsbc.com\, inc.,OU=ny02www2-2005,OU=Terms of use at www.verisign.com/rpa (c)00,CN=www2.net.hsbc.com
# Issuer's DN: O=VeriSign Trust Network,OU=VeriSign\, Inc.,OU=VeriSign International Server CA - Class 3,OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
- Certificate[1] info:
# valid since: Thu Apr 17 01:00:00 BST 1997
# expires at: Tue Oct 25 00:59:59 BST 2011
# serial number: 25:4B:8A:85:38:42:CC:E3:58:F8:C5:DD:AE:22:6E:A4
# fingerprint: BC:0A:51:FA:C0:F4:7F:DC:62:1C:D8:E1:15:43:4E:CC
# version: #3
# public key algorithm: RSA (1024 bits)
# e [24 bits]: 01:00:01
# m [1032 bits]:
00:D8:82:80:E8:D6:19:02:7D:1F:85:18:39:25:A2:65:2B:E1:BF:D4:05:D3:BC:E6:36:3B:AA:F0:4C:6C:5B:B6:E7:AA:3C:73:45:55:B2:F1:BD:EA:97:42:ED:9A:34:0A:15:D4:A9:5C:F5:40:25:DD:D9:07:C1:32:B2:75:6C:C4:CA:BB:A3:FE:56:27:71:43:AA:63:F5:30:3E:93:28:E5:FA:F1:09:3B:F3:B7:4D:4E:39:F7:5C:49:5A:B8:C1:1D:D3:B2:8A:FE:70:30:95:42:CB:FE:2B:51:8B:5A:3C:3A:F9:22:4F:90:B2:02:A7:53:9C:4F:34:E7:AB:04:B2:7B:6F
# Subject's DN: O=VeriSign Trust Network,OU=VeriSign\, Inc.,OU=VeriSign International Server CA - Class 3,OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
# Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
- Certificate[2] info:
# valid since: Mon Jan 29 00:00:00 GMT 1996
# expires at: Wed Aug 2 00:59:59 BST 2028
# serial number: 70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF
# fingerprint: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
# version: #1
# public key algorithm: RSA (1024 bits)
# e [24 bits]: 01:00:01
# m [1032 bits]:
00:C9:5C:59:9E:F2:1B:8A:01:14:B4:10:DF:04:40:DB:E3:57:AF:6A:45:40:8F:84:0C:0B:D1:33:D9:D9:11:CF:EE:02:58:1F:25:F7:2A:A8:44:05:AA:EC:03:1F:78:7F:9E:93:B9:9A:00:AA:23:7D:D6:AC:85:A2:63:45:C7:72:27:CC:F4:4C:C6:75:71:D2:39:EF:4F:42:F0:75:DF:0A:90:C6:8E:20:6F:98:0F:F8:AC:23:5F:70:29:36:A4:C9:86:E7:B1:9A:20:CB:53:A5:85:E7:3D:BE:7D:9A:FE:24:45:33:DC:76:15:ED:0F:A2:71:64:4C:65:2E:81:68:45:A7
# Subject's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
# Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: ARCFOUR 128
- MAC: MD5
- Compression: NULL
*** Verifying server certificate failed...

I don't see anything wrong with this certificate. Both mozilla-firefox
and openssl accept it without any problem. Is it a bug in gnutls, or
am I doing something wrong?

Regards,
Dima.
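
Added example, not part of the original message: a small triage script that parses `gnutls-cli -V` output like the one quoted above and reports structural facts about the chain the server sent (issuer/subject linkage, self-issued certificates, X.509 version). The function names `parse_chain` and `review` are hypothetical, the sample is abridged from the quoted output, and the script verifies no signatures and does not determine why GnuTLS rejected the chain.

```python
import re

# Abridged from the gnutls-cli -V output quoted in the message above:
# dates, serials, fingerprints and moduli dropped, wrapped DN lines rejoined.
SAMPLE = r"""- Certificate[0] info:
# version: #3
# Subject's DN: C=US,ST=New Jersey,L=Jersey City,O=hsbc.com\, inc.,OU=ny02www2-2005,OU=Terms of use at www.verisign.com/rpa (c)00,CN=www2.net.hsbc.com
# Issuer's DN: O=VeriSign Trust Network,OU=VeriSign\, Inc.,OU=VeriSign International Server CA - Class 3,OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
- Certificate[1] info:
# version: #3
# Subject's DN: O=VeriSign Trust Network,OU=VeriSign\, Inc.,OU=VeriSign International Server CA - Class 3,OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
# Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
- Certificate[2] info:
# version: #1
# Subject's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
# Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
- Peer's certificate is NOT trusted
"""

def parse_chain(text):
    """Return one dict per 'Certificate[n] info' block, in the order sent."""
    chain = []
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"- Certificate\[\d+\] info:", line):
            chain.append({})
        m = re.match(r"# (version|Subject's DN|Issuer's DN): #?(.*)", line)
        if m and chain:
            chain[-1][m.group(1)] = m.group(2)
    return chain

def review(chain):
    """Structural observations only; no signature is verified here."""
    notes = []
    for i, cert in enumerate(chain):
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if nxt and cert["Issuer's DN"] != nxt["Subject's DN"]:
            notes.append(f"cert[{i}] issuer does not match cert[{i+1}] subject")
        if cert["Subject's DN"] == cert["Issuer's DN"]:
            notes.append(f"cert[{i}] is self-issued (root sent by the server)")
        if cert["version"] == "1":
            notes.append(f"cert[{i}] is X.509 v1 (carries no extensions)")
    return notes

if __name__ == "__main__":
    for note in review(parse_chain(SAMPLE)):
        print(note)
```
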