
Re: [iaik-ssl] Problems connecting to sites using VeriSign



In fact, Verisign is using an expired certificate! The CA certificate used
expired on Jan 1 2000 (see below). To connect anyway, add the CA
certificate as a trusted certificate (the default ChainVerifier does not
check expiration on explicitly trusted certificates) or disable
certificate chain verifying completely (not recommended).

Version: 1
Serial number: 9680453633
Signature algorithm: md2WithRSAEncryption
Issuer: OU=Secure Server Certification Authority, O=RSA Data Security, Inc., C=US
Valid not before: Thu Nov 10 00:54:17 CET 1994
      not after: Sat Jan 01 00:54:17 CET 2000
Subject: OU=Secure Server Certification Authority, O=RSA Data Security, Inc., C=US
public exponent: 10001
modulus:
92ce7ac1ae833e5aaa898357ac2501760cadae8e2c37ceeb3578645403e5844051c9bf8f0
8e28a8208d216863755e9b12102ad7668819a05a24bc94b256622566c88078ff781596d84
0765701371763e9b774ce35089569848b91da7291a132e4a11599c1e15d549542c733a698
2b197399c6d706748e5dd2dd6c81e7b

Certificate Fingerprint: 11:56:32:B0:C4:27:39:45:8D:5C:F4:41:89:5F:1C:72

 Andreas Sterbenz              mailto:Andreas.Sterbenz@iaik.at


-----Original Message-----
From: Mårten Larsson <marten@verifyeasy.com>
To: <iaik-ssl@iaik.tu-graz.ac.at>
Sent: Saturday, January 29, 2000 13:04
Subject: [iaik-ssl] Problems connecting to sites using VeriSign


> I can't seem to connect to a site that uses a VeriSign certificate.
> When I launch
>
> java demo.basic.SSLClient www.verisign.com
>
> I get the output
>
> Connecting to www.verisign.com:443...
> TCP connection established
> ssl_debug(1): Starting handshake...
> ssl_debug(1): Sending v3 client_hello message, requesting version 3.1...
> ssl_debug(1): Received v3 server_hello handshake message.
> ssl_debug(1): Server selected SSL version 3.0.
> ssl_debug(1): Server created new session 42:67:11:23:7C:6B:0A:31...
> ssl_debug(1): CipherSuite selected by server:
> SSL_RSA_WITH_3DES_EDE_CBC_SHA
> ssl_debug(1): CompressionMethod selected by server: NULL
> ssl_debug(1): Received certificate handshake message with server
> certificate.
> ssl_debug(1): Server sent a 1024 bit RSA certificate, chain has 2
> elements.
> ssl_debug(1): ChainVerifier: Error verifying certificate chain:
> java.security.cert.CertificateExpiredException
> ssl_debug(1): Sending alert: Alert Fatal: bad certificate
> ssl_debug(1): Shutting down SSL layer...
> ssl_debug(1): SSLException while handshaking: Server certificate
> rejected by ChainVerifier
> ssl_debug(1): Sending alert: Alert Fatal: handshake failure
> ssl_debug(1): Shutting down SSL layer...
> ssl_debug(1): Shutting down SSL layer...
> An exception occured:
> iaik.security.ssl.SSLException: Server certificate rejected by
> ChainVerifier
>         at java.lang.Throwable.fillInStackTrace(Native Method)
>         at java.lang.Throwable.fillInStackTrace(Compiled Code)
>         at java.lang.Throwable.<init>(Compiled Code)
>         at java.lang.Exception.<init>(Compiled Code)
>         at java.io.IOException.<init>(IOException.java:47)
>         at iaik.security.ssl.SSLException.<init>(Unknown Source)
>         at iaik.security.ssl.x.d(Compiled Code)
>         at iaik.security.ssl.x.f(Unknown Source)
>         at iaik.security.ssl.r.c(Unknown Source)
>         at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
>         at iaik.security.ssl.SSLSocket.startHandshake(Unknown Source)
>         at demo.basic.SSLClient.connect(Compiled Code)
>         at demo.basic.SSLClient.main(Unknown Source)
> ssl_debug(1): Shutting down SSL layer...
> ssl_debug(1): Closing transport...
>
> This would indicate that VeriSign has an expired certificate on its web
> site, but this does not seem to be the case.  However, when I reset the
> time on my computer to any time last year (up to Dec 31st) the problem
> goes away. I can connect to other sites, for example those with Thawte
> certificates or those with self signed certificates. Any ideas on how to
> solve this problem?
>
> Thanks,
>
> Mårten Larsson
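
Because the reply above notes that explicitly trusted certificates are not checked for expiration, it is worth auditing the trust anchors yourself. The following is an added example, not part of the original thread and not IAIK code: it uses only standard JDK classes (not the IAIK ChainVerifier) to list trust anchors in the JRE default trust store that fall outside their validity window at a chosen time. The class name TrustAnchorAudit and the optional date argument are assumptions of this example.

```java
import java.security.KeyStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example: audits the JRE's default trust anchors with standard JDK APIs.
// It does not use the IAIK ChainVerifier; the class name is hypothetical.
public class TrustAnchorAudit {

    // Classify one certificate's validity window at the given time.
    static String status(X509Certificate cert, Date at) {
        try {
            cert.checkValidity(at);
            return "VALID";
        } catch (CertificateExpiredException e) {
            return "EXPIRED";
        } catch (CertificateNotYetValidException e) {
            return "NOT_YET_VALID";
        }
    }

    public static void main(String[] args) throws Exception {
        // Optional argument: ISO-8601 instant to evaluate at, e.g. 2000-01-29T12:00:00Z
        Date at = args.length > 0 ? Date.from(Instant.parse(args[0])) : new Date();

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform default trust store

        int flagged = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String state = status(ca, at);
                if (state.equals("VALID")) continue;
                flagged++;
                System.out.printf("%s  notBefore=%s  notAfter=%s  sig=%s  %s%n", state,
                        ca.getNotBefore().toInstant(), ca.getNotAfter().toInstant(),
                        ca.getSigAlgName(), ca.getSubjectX500Principal().getName());
            }
        }
        System.out.printf("%d trust anchor(s) outside their validity window at %s%n",
                flagged, at.toInstant());
    }
}
```

Running it with a date argument shows which anchors would fail at that moment, which is the same effect the original poster saw when resetting the system clock.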


