First, as shown below, even when openssl s_client is run with the -showcerts option, the RapidSSL SHA256 CA intermediate certificate is not sent by the server.
$ openssl s_client -showcerts -connect ieserver.net:443
CONNECTED(00000003)
depth=0 CN = ieserver.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ieserver.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=ieserver.net
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
---
Server certificate
subject=/CN=ieserver.net
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
No client certificate CA names sent
---
SSL handshake has read 1666 bytes and written 619 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 3D0343F209CC87A576F6EFC83C796F27F3E7C2B309F2AD89B496958F87D846EC
Session-ID-ctx:
Master-Key: 53B4E40CD3EBB6832B9507F60A0D47D56F4A9D6CC453A9F5433EA0C2DFE6A87DC95EB724237CEFD88FC52F9457685685
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1483889605
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
On the other hand, when the intermediate certificate is configured correctly, taking Google as an example, the intermediate certificates are sent along with the server certificate, as shown below.
$ openssl s_client -showcerts -connect google.com:443
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4577 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 5071A338B0FC172CDEA4B15C8FFE288507CF947941948E8363225A7DCF6546B6
Session-ID-ctx:
Master-Key: A86059EF5F4E8629F284539D408C3B993C329157B0C7D192CF0C3C72E67869FE58013532115FE602EC73A0E088093843
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - f7 66 b9 1d aa cd 34 cb-48 c8 78 8c b8 2f 93 a7 .f....4.H.x../..
0010 - c0 c5 09 a2 d5 6f c8 95-92 77 74 51 66 f9 01 ac .....o...wtQf...
0020 - 8c d0 d5 ef a5 50 89 f8-10 2a 69 cc ca 4f 3b c3 .....P...*i..O;.
0030 - c7 4e c5 70 d8 00 bb d1-90 be 33 75 3b 96 7c 91 .N.p......3u;.|.
0040 - b9 6e 53 e1 18 48 4e 94-01 cb c1 9c ab 5e c4 14 .nS..HN......^..
0050 - fe 48 24 95 02 be 7d 85-b5 5c 8d 45 a3 a8 d5 e2 .H$...}..\.E....
0060 - 1f 7a 95 ff 7f 6f 2f bb-13 db 1d fd a2 17 70 2c .z...o/.......p,
0070 - 0a 32 b4 70 98 64 93 a7-53 fd d6 f1 98 7d 2c a7 .2.p.d..S....},.
0080 - 5f c5 9d 1c 98 6f 92 4f-92 32 62 76 f9 52 3a 92 _....o.O.2bv.R:.
0090 - 08 c3 14 c5 86 63 ac 2d-bc 90 c3 1c 6d 77 8e c3 .....c.-....mw..
00a0 - eb cd b2 59 ...Y
Start Time: 1483889807
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
So I concluded that the intermediate certificate had simply been left out of the server configuration.
Another thing that quietly bothered me is the TLSv1 with RC4-SHA. Isn't that pretty weak???
Google is on TLSv1.2 with ECDHE-RSA-AES128-GCM-SHA256. As expected of them.
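The two checks made by eye above (is every issuer in the sent chain either also sent or a trusted root, and did the handshake land on a legacy protocol or cipher) can be automated by parsing the text that openssl s_client prints. The script below is an added example and is not part of the original post; the two transcripts it parses are constructed to mirror the ieserver.net and google.com runs above with the PEM bodies truncated, and TRUSTED_ROOTS is a hypothetical one-entry trust store standing in for the system CA bundle.

```python
import re

# Constructed transcript modelled on the ieserver.net run above (PEM body truncated).
MISSING_INTERMEDIATE = """\
CONNECTED(00000003)
depth=0 CN = ieserver.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=ieserver.net
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
-----BEGIN CERTIFICATE-----
MIIBsampleOnly
-----END CERTIFICATE-----
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Verify return code: 21 (unable to verify the first certificate)
---
DONE
"""

# Constructed transcript modelled on the google.com run above (PEM bodies truncated).
FULL_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIBsampleOnly
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIBsampleOnly
-----END CERTIFICATE-----
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIBsampleOnly
-----END CERTIFICATE-----
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
---
DONE
"""

# Hypothetical trust store: subjects of roots the client already has locally.
TRUSTED_ROOTS = {"/C=US/O=Equifax/OU=Equifax Secure Certificate Authority"}

CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.+)\n\s*i:(.+)$", re.MULTILINE)
SESSION_FIELD = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)", re.MULTILINE)
VERIFY_CODE = re.compile(r"Verify return code:\s*(\d+)")

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXP", "MD5")


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in CHAIN_ENTRY.finditer(output)]


def missing_issuers(chain, trusted_roots):
    """Issuers named in the sent chain that were neither sent nor are a trusted root.

    A non-empty result is exactly the 'unable to verify the first certificate'
    situation: the client has nowhere to fetch the next link of the chain from."""
    sent = {subject for subject, _ in chain}
    return [issuer for subject, issuer in chain
            if issuer != subject and issuer not in sent and issuer not in trusted_roots]


def parse_session(output):
    """Pull Protocol, Cipher and the numeric verify code out of the SSL-Session block."""
    fields = dict(SESSION_FIELD.findall(output))
    m = VERIFY_CODE.search(output)
    fields["verify_code"] = int(m.group(1)) if m else None
    return fields


def weak_session_findings(session):
    """Flag a negotiated protocol/cipher that a defender would want upgraded."""
    findings = []
    protocol = session.get("Protocol", "")
    if protocol in LEGACY_PROTOCOLS:
        findings.append("legacy protocol " + protocol)
    cipher = session.get("Cipher", "")
    parts = cipher.split("-")
    for token in WEAK_CIPHER_TOKENS:
        if token in parts:
            findings.append("weak cipher component " + token)
    if not cipher.startswith(("ECDHE-", "DHE-")):
        findings.append("no forward secrecy (" + cipher + ")")
    return findings


def audit(output, trusted_roots=TRUSTED_ROOTS):
    """Combine the chain and session checks into one report for a transcript."""
    chain = parse_chain(output)
    session = parse_session(output)
    return {
        "missing_issuers": missing_issuers(chain, trusted_roots),
        "verify_code": session["verify_code"],
        "weak": weak_session_findings(session),
    }


if __name__ == "__main__":
    for name, transcript in (("ieserver", MISSING_INTERMEDIATE), ("google", FULL_CHAIN)):
        print(name, audit(transcript))
```

Run against a live host with `openssl s_client -showcerts -connect host:443 < /dev/null | python3 thisfile.py` after swapping the constructed transcripts for sys.stdin; the chain check needs the real trust store's subjects in TRUSTED_ROOTS, otherwise every chain that stops at an intermediate will look incomplete.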