EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: Problem with NSLS2 Debian repository?
From: "Konrad, Martin via Tech-talk" <[email protected]>
To: "[email protected]" <[email protected]>, "'Flaks, Leonid'" <[email protected]>, "[email protected]" <[email protected]>
Cc: "tech-talk \([email protected]\)" <[email protected]>
Date: Thu, 2 May 2019 13:59:42 +0000
Hi Leon,
> This does look a bit tricky.  On our systems (RHEL7), the certificate
> is trusted by firefox, but not by curl.
A quick check revealed that BNL's web server isn't configured correctly.
It is providing its own certificate but not the chain of certificates
up to the root certificate. If you happen to have the InCommon RSA
Server CA installed on your client it will work anyway (that seems to be
the case with Firefox which comes with its own certificate store) but if
you use other tools it might not work.

Please ask your sysadmin to fix this. I have attached the debugging
output of OpenSSL of the BNL server along with the one of a correctly
configured server (note the different "Certificate chain" sections). If
you have difficulties convincing them that something is wrong point them
to [1] which also reports the issues with the certificate chain.

Cheers,

Martin

[1] https://www.ssllabs.com/ssltest/analyze.html?d=epics.nsls2.bnl.gov

-- 
Martin Konrad
Facility for Rare Isotope Beams
Michigan State University
640 South Shaw Lane
East Lansing, MI 48824-1321, USA
Tel. 517-908-7253
Email: [email protected]
$ openssl s_client -host ci.frib.msu.edu -port 443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
verify return:1
depth=0 C = US, postalCode = 48824, ST = MI, L = East Lansing, street = 1355 Bogue St, O = Michigan State University, OU = NSCL and FRIB, CN = ci.frib.msu.edu
verify return:1
---
Certificate chain
 0 s:C = US, postalCode = 48824, ST = MI, L = East Lansing, street = 1355 Bogue St, O = Michigan State University, OU = NSCL and FRIB, CN = ci.frib.msu.edu
   i:C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
 1 s:C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=C = US, postalCode = 48824, ST = MI, L = East Lansing, street = 1355 Bogue St, O = Michigan State University, OU = NSCL and FRIB, CN = ci.frib.msu.edu

issuer=C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5277 bytes and written 499 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 5CCAF5A8B6C08A0F9B66F7401771CE2D6934CFF7DF9E18FFFD0B868B549AF96D
    Session-ID-ctx: 
    Master-Key: 65793BD417A6F51097D81AFDBC31C8B27DAAA4FF4360F54A9A1E8B867A0A117B812ACB4AB4FE0A8553ADD1632C0FDF7E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1556805032
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed
$ openssl s_client -host epics.nsls2.bnl.gov -port 443
CONNECTED(00000003)
depth=0 C = US, postalCode = 11973-5000, ST = New York, L = Upton, street = 53 Bell Avenue, O = Brookhaven National Laboratory, OU = ITD_App_Hosting, CN = epics.nsls2.bnl.gov
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, postalCode = 11973-5000, ST = New York, L = Upton, street = 53 Bell Avenue, O = Brookhaven National Laboratory, OU = ITD_App_Hosting, CN = epics.nsls2.bnl.gov
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:C = US, postalCode = 11973-5000, ST = New York, L = Upton, street = 53 Bell Avenue, O = Brookhaven National Laboratory, OU = ITD_App_Hosting, CN = epics.nsls2.bnl.gov
   i:C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=C = US, postalCode = 11973-5000, ST = New York, L = Upton, street = 53 Bell Avenue, O = Brookhaven National Laboratory, OU = ITD_App_Hosting, CN = epics.nsls2.bnl.gov

issuer=C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA

---
No client certificate CA names sent
---
SSL handshake has read 2157 bytes and written 663 bytes
Verification error: unable to verify the first certificate
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Session-ID: 43C244059C9FC8B1EF09457B2612D4D554DF5A1E6101FEB22CF38A443081892E
    Session-ID-ctx: 
    Master-Key: 7E63DD13B86079C30070092A473316DE2ED12F51A0A35772A0861220F32149F346C5E06EEBEF6D3D0BD386B2881F397C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 06 c2 bf aa 78 f3 79 95-7c c5 c8 9a 49 4c 5a aa   ....x.y.|...ILZ.
    0010 - 02 87 df 09 ff 04 8b 1f-02 3a 83 6f 91 d7 b1 7b   .........:.o...{
    0020 - 47 17 d7 b3 81 52 b2 72-39 af 2a 6a ec 41 83 e7   G....R.r9.*j.A..
    0030 - 4e dc b3 5a ae e2 6f c9-be a8 d0 c0 f3 f4 8b 24   N..Z..o........$
    0040 - 73 d3 b2 21 73 ed dc 5f-9b f0 d9 c4 c7 31 73 85   s..!s.._.....1s.
    0050 - 76 83 44 24 0f 8e a1 e4-2a fd 8b 02 e1 ab cc 98   v.D$....*.......
    0060 - 8e d5 4a 6e db d1 e0 c0-95 dd 47 38 f6 47 fe f7   ..Jn......G8.G..
    0070 - c8 85 53 02 6f b0 e1 9b-2e a2 87 e9 4a 8b 46 87   ..S.o.......J.F.
    0080 - 03 6d de 1d 38 d4 73 e5-39 99 db e6 bb 14 ae 1b   .m..8.s.9.......
    0090 - 6f 72 7a 21 68 63 bf 3b-79 8a b4 28 1d b0 f5 d6   orz!hc.;y..(....
    00a0 - e0 2e 2d 28 43 31 06 12-fc 0e fd 7e 26 c3 37 40   ..-(C1.....~&.7@

    Start Time: 1556805089
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
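The two transcripts above differ in exactly one place that matters: the "Certificate chain" section. The FRIB server sends its own certificate plus the intermediates up to the USERTrust root, so any client with that root in its store can build a path; the BNL server sends only certificate 0, so a client that does not already hold "InCommon RSA Server CA" stops with verify error 21. The script below is an added example (not part of the original mail or of EPICS) that automates that comparison: it parses an `openssl s_client` transcript, checks that each served certificate is issued by the next one, and combines the result with the "Verify return code" line to name the failure. The two embedded transcripts are constructed from the attachments above with the DN fields shortened and the PEM and session details dropped.

```python
"""Flag an incomplete certificate chain in an `openssl s_client` transcript.

Added example, not part of the original mail. Input is the text that
`openssl s_client -connect HOST:443` prints; the two sample transcripts
below are abridged from the mail's attachments (constructed test data).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ChainEntry:
    index: int    # position in the served chain (0 = the server's own certificate)
    subject: str  # the "s:" line
    issuer: str   # the "i:" line


# One entry of the "Certificate chain" block: " N s:<subject>" followed by "   i:<issuer>"
ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
# Final verdict line, e.g. "Verify return code: 21 (unable to verify the first certificate)"
VERIFY_RE = re.compile(r"Verify return code: (\d+) \(([^)]*)\)")


def parse_chain(transcript: str) -> list[ChainEntry]:
    """Return the certificates the server actually sent, in the order it sent them."""
    block = re.search(r"Certificate chain\n(.*?)\n---", transcript, re.DOTALL)
    if not block:
        return []
    return [ChainEntry(int(i), s.strip(), iss.strip())
            for i, s, iss in ENTRY_RE.findall(block.group(1))]


def common_name(dn: str) -> str:
    """Pull the CN out of an OpenSSL one-line DN so messages stay readable."""
    m = re.search(r"CN = ([^,]+)", dn)
    return m.group(1) if m else dn


def chain_report(transcript: str) -> dict:
    """Classify the served chain: ok, incomplete chain, untrusted, or chain links broken."""
    entries = parse_chain(transcript)
    vm = VERIFY_RE.search(transcript)
    verify_code = int(vm.group(1)) if vm else -1
    problems: list[str] = []

    if not entries:
        return {"served": 0, "verify_code": verify_code,
                "problems": ["no Certificate chain section found"], "verdict": "unparseable"}

    # Each certificate the server sends must be issued by the next one it sends.
    for cur, nxt in zip(entries, entries[1:]):
        if cur.issuer != nxt.subject:
            problems.append(f"cert {cur.index} ({common_name(cur.subject)}) is issued by "
                            f"'{common_name(cur.issuer)}' but cert {nxt.index} is "
                            f"'{common_name(nxt.subject)}'")

    last = entries[-1]
    # A server need not send the self-signed root: clients are expected to hold roots locally.
    ends_at_root = last.subject == last.issuer

    if verify_code == 0 and not problems:
        verdict = "ok"
    elif len(entries) == 1 and not ends_at_root:
        # The failure in the mail: leaf only, issued by a CA the client does not have locally.
        problems.append(f"server sent only its own certificate; intermediate "
                        f"'{common_name(last.issuer)}' is missing")
        verdict = "incomplete chain"
    elif verify_code != 0:
        problems.append("served chain does not reach a CA in the local trust store")
        verdict = "untrusted"
    else:
        verdict = "chain links broken"

    return {"served": len(entries), "ends_at_self_signed_root": ends_at_root,
            "verify_code": verify_code, "problems": problems, "verdict": verdict}


# Constructed sample: abridged from the FRIB transcript in the mail (complete chain).
FRIB_TRANSCRIPT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, ST = MI, O = Michigan State University, OU = NSCL and FRIB, CN = ci.frib.msu.edu
   i:C = US, ST = MI, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
 1 s:C = US, ST = MI, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
   i:C = US, ST = New Jersey, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, ST = New Jersey, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Server certificate
    Verify return code: 0 (ok)
"""

# Constructed sample: abridged from the BNL transcript in the mail (leaf only).
BNL_TRANSCRIPT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, ST = New York, O = Brookhaven National Laboratory, OU = ITD_App_Hosting, CN = epics.nsls2.bnl.gov
   i:C = US, ST = MI, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
---
Server certificate
    Verify return code: 21 (unable to verify the first certificate)
"""

if __name__ == "__main__":
    for name, text in (("ci.frib.msu.edu", FRIB_TRANSCRIPT), ("epics.nsls2.bnl.gov", BNL_TRANSCRIPT)):
        print(name, chain_report(text))
```

To run it against a live host, capture a transcript with `openssl s_client -connect HOST:443 -servername HOST </dev/null >transcript.txt 2>&1` and feed the file to `chain_report`. Two caveats: a browser succeeding proves nothing about the server, because Firefox ships and caches intermediates that curl, apt and OpenSSL-based tools do not have; and the fix belongs on the server (configure it to send the intermediate along with its own certificate), not in every client's trust store.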

Replies:
Re: Problem with NSLS2 Debian repository? Flaks, Leonid via Tech-talk
References:
Problem with NSLS2 Debian repository? Mark Rivers via Tech-talk
Re: Problem with NSLS2 Debian repository? Flaks, Leonid via Tech-talk
RE: Problem with NSLS2 Debian repository? Mark Rivers via Tech-talk
Re: Problem with NSLS2 Debian repository? Flaks, Leonid via Tech-talk
RE: Problem with NSLS2 Debian repository? tom.cobb--- via Tech-talk
Re: Problem with NSLS2 Debian repository? Flaks, Leonid via Tech-talk
