An intermediate certificate of a certain National Institute of Informatics was revoked at 2021-04-27 01:38:24 GMT, and as a result there are pages where Chrome and Chromium-based Microsoft Edge fail with
NET::ERR_CERT_REVOKED
but for some reason Firefox does not treat it as revoked.
Specifically:
$ openssl x509 -in nii-odca3sha2ct.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            22:b9:b1:31:ec:0d:ff:09:fe
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, O = "SECOM Trust Systems CO.,LTD.", OU = Security Communication RootCA2
        Validity
            Not Before: Mar 22 06:33:29 2018 GMT
            Not After : Mar 22 06:33:29 2028 GMT
        Subject: C = JP, O = National Institute of Informatics, CN = NII Open Domain CA - G5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cb:c7:89:da:c5:47:b0:91:b2:eb:52:e6:2a:10:
                    09:00:5e:e6:6b:41:7e:6d:68:ed:de:47:bb:5d:75:
                    b2:8f:90:ac:e3:33:66:ab:57:30:54:e9:a5:80:06:
                    a9:35:ac:b7:81:d6:ea:73:48:2a:0a:05:71:b9:e0:
                    43:69:a8:b4:9e:38:3f:9e:e8:4d:7b:b8:91:41:c9:
                    3b:da:ad:8b:f9:7d:55:55:3e:20:8c:0f:81:bf:f1:
                    26:4e:91:8e:9e:4e:70:97:e0:e4:e3:e6:0d:ce:9f:
                    de:a9:b3:97:df:34:de:62:8e:d4:e3:b7:95:d0:c1:
                    1a:aa:b8:df:47:1b:d5:ee:84:7c:00:f8:c7:0f:91:
                    a6:be:df:ab:98:37:3f:05:b5:bf:a7:32:94:ce:a2:
                    bc:e6:31:63:02:a1:8a:83:d4:16:28:33:a2:65:4d:
                    4a:70:99:33:36:5c:b2:f2:23:b2:6f:aa:d1:49:22:
                    09:d2:5f:f5:47:0a:f3:fb:95:b5:6f:f7:45:62:ce:
                    e1:29:aa:03:17:be:20:c9:e3:30:ee:78:06:9c:75:
                    bf:22:e6:de:3c:c3:0b:7b:38:9d:db:40:69:d4:3b:
                    f8:62:2f:6a:7f:51:b1:a9:51:22:18:cc:7b:ce:75:
                    06:25:df:d5:44:40:e8:12:40:55:6e:9b:0d:53:92:
                    f7:27
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                67:3A:3A:C1:6B:B7:1C:A6:41:46:39:30:84:C8:69:00:59:11:58:C1
            X509v3 Authority Key Identifier:
                keyid:0A:85:A9:77:65:05:98:7C:40:81:F8:0F:97:2C:38:F1:0A:EC:3C:CF
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://repository.secomtrust.net/SC-Root2/SCRoot2CRL.crl
            X509v3 Certificate Policies:
                Policy: 1.2.392.200091.100.901.4
                  CPS: https://repository.secomtrust.net/SC-Root2/
            Authority Information Access:
                OCSP - URI:http://scrootca2.ocsp.secomtrust.net
    Signature Algorithm: sha256WithRSAEncryption
         55:13:2c:ff:59:b8:06:91:32:c1:05:91:a4:dc:ec:8a:2e:fa:
         21:dc:08:d5:be:21:e1:ae:51:6f:f9:f7:51:c9:1d:65:88:7e:
         8d:6c:c0:0c:81:94:5b:2d:03:e2:0d:8f:63:75:33:f5:25:d1:
         e1:ff:93:df:58:65:0c:47:d6:11:de:d0:64:60:91:7b:7f:7f:
         45:1c:b1:79:16:8b:b4:1a:65:75:63:48:0c:37:22:df:dc:a4:
         51:13:5c:39:24:43:aa:8b:bc:f9:36:8e:bc:5c:ea:aa:1a:91:
         ed:26:7a:33:71:38:2a:69:13:49:f3:65:2e:dc:74:6a:05:17:
         c5:0a:2b:c8:68:76:4e:d2:df:df:20:da:42:91:c2:1c:4d:ea:
         2c:48:57:40:c5:52:8a:3f:b0:9a:86:81:d7:49:1a:5c:80:7f:
         9b:52:87:5a:fc:58:35:b7:a1:c3:0d:9c:dd:00:15:c8:5e:d7:
         5a:f9:3a:ae:6e:30:d9:6c:c2:e9:36:86:68:80:fc:62:27:a2:
         0b:0f:a5:20:0c:76:70:0f:d1:6f:50:1d:94:91:9c:95:bf:4d:
         23:02:7b:5c:1a:be:5c:68:81:ad:68:bb:8b:00:29:d0:2a:0d:
         a8:b4:10:5a:8b:5e:ea:b2:e9:cb:d0:66:c3:2e:b1:d3:4d:e4:
         70:8e:a3:67
-----BEGIN CERTIFICATE-----
MIIEhjCCA26gAwIBAgIJIrmxMewN/wn+MA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw
JQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTIwHhcNMTgwMzIy
MDYzMzI5WhcNMjgwMzIyMDYzMzI5WjBbMQswCQYDVQQGEwJKUDEqMCgGA1UEChMh
TmF0aW9uYWwgSW5zdGl0dXRlIG9mIEluZm9ybWF0aWNzMSAwHgYDVQQDExdOSUkg
T3BlbiBEb21haW4gQ0EgLSBHNTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAMvHidrFR7CRsutS5ioQCQBe5mtBfm1o7d5Hu111so+QrOMzZqtXMFTppYAG
qTWst4HW6nNIKgoFcbngQ2motJ44P57oTXu4kUHJO9qti/l9VVU+IIwPgb/xJk6R
jp5OcJfg5OPmDc6f3qmzl9803mKO1OO3ldDBGqq430cb1e6EfAD4xw+Rpr7fq5g3
PwW1v6cylM6ivOYxYwKhioPUFigzomVNSnCZMzZcsvIjsm+q0UkiCdJf9UcK8/uV
tW/3RWLO4SmqAxe+IMnjMO54Bpx1vyLm3jzDC3s4ndtAadQ7+GIvan9RsalRIhjM
e851BiXf1URA6BJAVW6bDVOS9ycCAwEAAaOCAUkwggFFMB0GA1UdDgQWBBRnOjrB
a7ccpkFGOTCEyGkAWRFYwTAfBgNVHSMEGDAWgBQKhal3ZQWYfECB+A+XLDjxCuw8
zzASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjBJBgNVHR8EQjBA
MD6gPKA6hjhodHRwOi8vcmVwb3NpdG9yeS5zZWNvbXRydXN0Lm5ldC9TQy1Sb290
Mi9TQ1Jvb3QyQ1JMLmNybDBSBgNVHSAESzBJMEcGCiqDCIybG2SHBQQwOTA3Bggr
BgEFBQcCARYraHR0cHM6Ly9yZXBvc2l0b3J5LnNlY29tdHJ1c3QubmV0L1NDLVJv
b3QyLzBABggrBgEFBQcBAQQ0MDIwMAYIKwYBBQUHMAGGJGh0dHA6Ly9zY3Jvb3Rj
YTIub2NzcC5zZWNvbXRydXN0Lm5ldDANBgkqhkiG9w0BAQsFAAOCAQEAVRMs/1m4
BpEywQWRpNzsii76IdwI1b4h4a5Rb/n3UckdZYh+jWzADIGUWy0D4g2PY3Uz9SXR
4f+T31hlDEfWEd7QZGCRe39/RRyxeRaLtBpldWNIDDci39ykURNcOSRDqou8+TaO
vFzqqhqR7SZ6M3E4KmkTSfNlLtx0agUXxQoryGh2TtLf3yDaQpHCHE3qLEhXQMVS
ij+wmoaB10kaXIB/m1KHWvxYNbehww2c3QAVyF7XWvk6rm4w2WzC6TaGaID8Yiei
Cw+lIAx2cA/Rb1AdlJGclb9NIwJ7XBq+XGiBrWi7iwAp0CoNqLQQWote6rLpy9Bm
wy6x003kcI6jZw==
-----END CERTIFICATE-----
as shown above, and the CRL it points to (SCRoot2CRL.crl) contains
$ openssl crl -in SCRoot2CRL.crl -inform DER -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, O = "SECOM Trust Systems CO.,LTD.", OU = Security Communication RootCA2
        Last Update: Apr 27 02:08:06 2021 GMT
        Next Update: Apr 27 02:08:06 2022 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:0A:85:A9:77:65:05:98:7C:40:81:F8:0F:97:2C:38:F1:0A:EC:3C:CF
            X509v3 CRL Number:
                131
Revoked Certificates:
    Serial Number: 22B9B0D6
        Revocation Date: Jun  9 07:46:44 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B0ED768D70EDCE
        Revocation Date: Nov 30 06:13:04 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B114F6C7793EA0
        Revocation Date: Jun 21 06:13:32 2017 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Serial Number: 22B9B1189D28B6BA31
        Revocation Date: Sep  7 07:58:39 2017 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Serial Number: 22B9B131EC0DFF09FE
        Revocation Date: Apr 27 01:38:24 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B13AF2D9E4F386
        Revocation Date: Mar  9 02:54:13 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B13CED40468405
        Revocation Date: Mar  9 03:07:57 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B1483713B993B6
        Revocation Date: Aug 22 06:11:09 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B1493D858728F9
        Revocation Date: Aug 22 06:21:23 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B14A3A611FD0D8
        Revocation Date: Aug 22 06:37:11 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B14B1B1A00F693
        Revocation Date: Aug 22 06:46:36 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B14CD1831A062D
        Revocation Date: Aug 22 06:56:06 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B14E486E69EDA0
        Revocation Date: Jul  8 09:27:10 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B15A9B8FF55573
        Revocation Date: Jul 23 08:13:14 2019 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Serial Number: 22B9B167395270F3D6
        Revocation Date: Oct 30 04:53:46 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B1688E7494D662
        Revocation Date: Mar 23 07:46:10 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B169E3CD1BCC22
        Revocation Date: Mar 23 07:55:20 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B16AE75C8B5865
        Revocation Date: Apr 27 01:48:32 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B16B83977DA751
        Revocation Date: Jun  9 08:02:37 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B16EB150AD7E36
        Revocation Date: Apr 27 01:58:03 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B16F96784D3824
        Revocation Date: Oct 30 05:04:50 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B172FA931A5B74
        Revocation Date: Mar  9 02:18:49 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B174E5DA7D6EEB
        Revocation Date: Mar  9 02:39:02 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B15C4A1261748A504D172147A9CC
        Revocation Date: Mar 15 02:00:51 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B15DEFDD158804EB5F278C825020
        Revocation Date: Mar 15 02:24:34 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B175E35A273EBB6F5EEE02AD9DD8
        Revocation Date: Mar 15 02:14:42 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B176817E3637C555F5C42D4C36BF
        Revocation Date: Mar 15 02:34:57 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Signature Algorithm: sha256WithRSAEncryption
         c1:d4:3e:c6:0c:fd:99:fb:c1:c9:f7:67:95:bb:24:aa:d9:61:
         ce:fa:f2:53:d4:4f:1b:e9:99:f8:00:5b:6c:3f:69:9a:21:dd:
         a9:21:90:c7:50:bd:2a:4b:0f:0e:b2:82:05:c4:1b:66:1b:b1:
         11:4c:8c:9a:1a:fb:e0:b4:90:df:63:0f:0b:1e:51:0d:d1:fb:
         f1:5e:03:e3:f3:1c:97:b5:91:ce:4e:66:29:e4:ee:01:16:99:
         57:e6:9a:bc:44:a0:a5:f3:80:53:03:bc:62:54:b3:64:1b:6c:
         e7:ae:7a:ab:79:12:e3:8b:43:72:b2:1e:d0:ec:83:eb:aa:0c:
         a1:20:83:9f:24:ef:99:f3:a9:a2:1c:03:7f:71:c9:00:27:b7:
         6a:0d:fd:15:4c:e9:76:19:86:63:de:8a:fe:51:e3:76:9e:5f:
         87:53:f6:ab:c5:82:26:75:8c:fe:db:3b:1a:b0:ac:04:17:63:
         12:3e:ce:d5:e2:73:cc:67:47:2c:9c:d8:5f:b9:2d:43:05:12:
         8e:00:77:fe:e3:b2:7f:90:4a:b0:db:39:55:00:63:d0:b2:b8:
         4d:d5:e3:18:0c:7d:a0:8e:81:19:75:76:22:bf:0b:17:08:5c:
         dc:55:bc:70:c9:c1:b4:d9:a5:82:3c:9c:84:05:27:21:3f:96:
         98:5b:00:18
-----BEGIN X509 CRL-----
MIIGYjCCBUoCAQEwDQYJKoZIhvcNAQELBQAwXTELMAkGA1UEBhMCSlAxJTAjBgNV
BAoTHFNFQ09NIFRydXN0IFN5c3RlbXMgQ08uLExURC4xJzAlBgNVBAsTHlNlY3Vy
aXR5IENvbW11bmljYXRpb24gUm9vdENBMhcNMjEwNDI3MDIwODA2WhcNMjIwNDI3
MDIwODA2WjCCBIUwIwIEIrmw1hcNMjAwNjA5MDc0NjQ0WjAMMAoGA1UdFQQDCgEF
MCgCCSK5sO12jXDtzhcNMjAxMTMwMDYxMzA0WjAMMAoGA1UdFQQDCgEFMCgCCSK5
sRT2x3k+oBcNMTcwNjIxMDYxMzMyWjAMMAoGA1UdFQQDCgEEMCgCCSK5sRidKLa6
MRcNMTcwOTA3MDc1ODM5WjAMMAoGA1UdFQQDCgEEMCgCCSK5sTHsDf8J/hcNMjEw
NDI3MDEzODI0WjAMMAoGA1UdFQQDCgEFMCgCCSK5sTry2eTzhhcNMjEwMzA5MDI1
NDEzWjAMMAoGA1UdFQQDCgEFMCgCCSK5sTztQEaEBRcNMjEwMzA5MDMwNzU3WjAM
MAoGA1UdFQQDCgEFMCgCCSK5sUg3E7mTthcNMTgwODIyMDYxMTA5WjAMMAoGA1Ud
FQQDCgEFMCgCCSK5sUk9hYco+RcNMTgwODIyMDYyMTIzWjAMMAoGA1UdFQQDCgEF
MCgCCSK5sUo6YR/Q2BcNMTgwODIyMDYzNzExWjAMMAoGA1UdFQQDCgEFMCgCCSK5
sUsbGgD2kxcNMTgwODIyMDY0NjM2WjAMMAoGA1UdFQQDCgEFMCgCCSK5sUzRgxoG
LRcNMTgwODIyMDY1NjA2WjAMMAoGA1UdFQQDCgEFMCgCCSK5sU5IbmntoBcNMjAw
NzA4MDkyNzEwWjAMMAoGA1UdFQQDCgEFMCgCCSK5sVqbj/VVcxcNMTkwNzIzMDgx
MzE0WjAMMAoGA1UdFQQDCgEEMCgCCSK5sWc5UnDz1hcNMjAxMDMwMDQ1MzQ2WjAM
MAoGA1UdFQQDCgEFMCgCCSK5sWiOdJTWYhcNMjAwMzIzMDc0NjEwWjAMMAoGA1Ud
FQQDCgEFMCgCCSK5sWnjzRvMIhcNMjAwMzIzMDc1NTIwWjAMMAoGA1UdFQQDCgEF
MCgCCSK5sWrnXItYZRcNMjEwNDI3MDE0ODMyWjAMMAoGA1UdFQQDCgEFMCgCCSK5
sWuDl32nURcNMjAwNjA5MDgwMjM3WjAMMAoGA1UdFQQDCgEFMCgCCSK5sW6xUK1+
NhcNMjEwNDI3MDE1ODAzWjAMMAoGA1UdFQQDCgEFMCgCCSK5sW+WeE04JBcNMjAx
MDMwMDUwNDUwWjAMMAoGA1UdFQQDCgEFMCgCCSK5sXL6kxpbdBcNMjEwMzA5MDIx
ODQ5WjAMMAoGA1UdFQQDCgEFMCgCCSK5sXTl2n1u6xcNMjEwMzA5MDIzOTAyWjAM
MAoGA1UdFQQDCgEFMC8CECK5sVxKEmF0ilBNFyFHqcwXDTIxMDMxNTAyMDA1MVow
DDAKBgNVHRUEAwoBBTAvAhAiubFd790ViATrXyeMglAgFw0yMTAzMTUwMjI0MzRa
MAwwCgYDVR0VBAMKAQUwLwIQIrmxdeNaJz67b17uAq2d2BcNMjEwMzE1MDIxNDQy
WjAMMAoGA1UdFQQDCgEFMC8CECK5sXaBfjY3xVX1xC1MNr8XDTIxMDMxNTAyMzQ1
N1owDDAKBgNVHRUEAwoBBaAwMC4wHwYDVR0jBBgwFoAUCoWpd2UFmHxAgfgPlyw4
8QrsPM8wCwYDVR0UBAQCAgCDMA0GCSqGSIb3DQEBCwUAA4IBAQDB1D7GDP2Z+8HJ
92eVuySq2WHO+vJT1E8b6Zn4AFtsP2maId2pIZDHUL0qSw8OsoIFxBtmG7ERTIya
GvvgtJDfYw8LHlEN0fvxXgPj8xyXtZHOTmYp5O4BFplX5pq8RKCl84BTA7xiVLNk
G2znrnqreRLji0Nysh7Q7IPrqgyhIIOfJO+Z86miHAN/cckAJ7dqDf0VTOl2GYZj
3or+UeN2nl+HU/arxYImdYz+2zsasKwEF2MSPs7V4nPMZ0csnNhfuS1DBRKOAHf+
47J/kEqw2zlVAGPQsrhN1eMYDH2gjoEZdXYivwsXCFzcVbxwycG02aWCPJyEBSch
P5aYWwAY
-----END X509 CRL-----
as shown,
so for Serial Number 22:b9:b1:31:ec:0d:ff:09:fe the entry
    Serial Number: 22B9B131EC0DFF09FE
        Revocation Date: Apr 27 01:38:24 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: Cessation Of Operation
is present, so the revocation can be confirmed from the CRL.
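The same lookup done programmatically, as an added example that is not part of the original post: a minimal DER walker in Python (standard library only, no `cryptography` dependency) that parses the CRL dumped above, which is embedded verbatim, and reports the entry for the G5 intermediate's serial number. It deliberately does not verify the CRL signature against the SECOM root; in any real check that verification, plus a test that the current time lies between Last Update and Next Update, comes before trusting a "not on CRL" answer.

```python
# Added example, not code from the original post: look up one serial number in a
# DER-encoded X.509 CRL with a minimal hand-written DER walker (standard library only).
# SCROOT2_CRL_PEM is the SECOM RootCA2 CRL dumped above (CRL Number 131); its signature is NOT verified here.
import base64
from datetime import datetime, timezone

SCROOT2_CRL_PEM = """-----BEGIN X509 CRL-----
MIIGYjCCBUoCAQEwDQYJKoZIhvcNAQELBQAwXTELMAkGA1UEBhMCSlAxJTAjBgNV
BAoTHFNFQ09NIFRydXN0IFN5c3RlbXMgQ08uLExURC4xJzAlBgNVBAsTHlNlY3Vy
aXR5IENvbW11bmljYXRpb24gUm9vdENBMhcNMjEwNDI3MDIwODA2WhcNMjIwNDI3
MDIwODA2WjCCBIUwIwIEIrmw1hcNMjAwNjA5MDc0NjQ0WjAMMAoGA1UdFQQDCgEF
MCgCCSK5sO12jXDtzhcNMjAxMTMwMDYxMzA0WjAMMAoGA1UdFQQDCgEFMCgCCSK5
sRT2x3k+oBcNMTcwNjIxMDYxMzMyWjAMMAoGA1UdFQQDCgEEMCgCCSK5sRidKLa6
MRcNMTcwOTA3MDc1ODM5WjAMMAoGA1UdFQQDCgEEMCgCCSK5sTHsDf8J/hcNMjEw
NDI3MDEzODI0WjAMMAoGA1UdFQQDCgEFMCgCCSK5sTry2eTzhhcNMjEwMzA5MDI1
NDEzWjAMMAoGA1UdFQQDCgEFMCgCCSK5sTztQEaEBRcNMjEwMzA5MDMwNzU3WjAM
MAoGA1UdFQQDCgEFMCgCCSK5sUg3E7mTthcNMTgwODIyMDYxMTA5WjAMMAoGA1Ud
FQQDCgEFMCgCCSK5sUk9hYco+RcNMTgwODIyMDYyMTIzWjAMMAoGA1UdFQQDCgEF
MCgCCSK5sUo6YR/Q2BcNMTgwODIyMDYzNzExWjAMMAoGA1UdFQQDCgEFMCgCCSK5
sUsbGgD2kxcNMTgwODIyMDY0NjM2WjAMMAoGA1UdFQQDCgEFMCgCCSK5sUzRgxoG
LRcNMTgwODIyMDY1NjA2WjAMMAoGA1UdFQQDCgEFMCgCCSK5sU5IbmntoBcNMjAw
NzA4MDkyNzEwWjAMMAoGA1UdFQQDCgEFMCgCCSK5sVqbj/VVcxcNMTkwNzIzMDgx
MzE0WjAMMAoGA1UdFQQDCgEEMCgCCSK5sWc5UnDz1hcNMjAxMDMwMDQ1MzQ2WjAM
MAoGA1UdFQQDCgEFMCgCCSK5sWiOdJTWYhcNMjAwMzIzMDc0NjEwWjAMMAoGA1Ud
FQQDCgEFMCgCCSK5sWnjzRvMIhcNMjAwMzIzMDc1NTIwWjAMMAoGA1UdFQQDCgEF
MCgCCSK5sWrnXItYZRcNMjEwNDI3MDE0ODMyWjAMMAoGA1UdFQQDCgEFMCgCCSK5
sWuDl32nURcNMjAwNjA5MDgwMjM3WjAMMAoGA1UdFQQDCgEFMCgCCSK5sW6xUK1+
NhcNMjEwNDI3MDE1ODAzWjAMMAoGA1UdFQQDCgEFMCgCCSK5sW+WeE04JBcNMjAx
MDMwMDUwNDUwWjAMMAoGA1UdFQQDCgEFMCgCCSK5sXL6kxpbdBcNMjEwMzA5MDIx
ODQ5WjAMMAoGA1UdFQQDCgEFMCgCCSK5sXTl2n1u6xcNMjEwMzA5MDIzOTAyWjAM
MAoGA1UdFQQDCgEFMC8CECK5sVxKEmF0ilBNFyFHqcwXDTIxMDMxNTAyMDA1MVow
DDAKBgNVHRUEAwoBBTAvAhAiubFd790ViATrXyeMglAgFw0yMTAzMTUwMjI0MzRa
MAwwCgYDVR0VBAMKAQUwLwIQIrmxdeNaJz67b17uAq2d2BcNMjEwMzE1MDIxNDQy
WjAMMAoGA1UdFQQDCgEFMC8CECK5sXaBfjY3xVX1xC1MNr8XDTIxMDMxNTAyMzQ1
N1owDDAKBgNVHRUEAwoBBaAwMC4wHwYDVR0jBBgwFoAUCoWpd2UFmHxAgfgPlyw4
8QrsPM8wCwYDVR0UBAQCAgCDMA0GCSqGSIb3DQEBCwUAA4IBAQDB1D7GDP2Z+8HJ
92eVuySq2WHO+vJT1E8b6Zn4AFtsP2maId2pIZDHUL0qSw8OsoIFxBtmG7ERTIya
GvvgtJDfYw8LHlEN0fvxXgPj8xyXtZHOTmYp5O4BFplX5pq8RKCl84BTA7xiVLNk
G2znrnqreRLji0Nysh7Q7IPrqgyhIIOfJO+Z86miHAN/cckAJ7dqDf0VTOl2GYZj
3or+UeN2nl+HU/arxYImdYz+2zsasKwEF2MSPs7V4nPMZ0csnNhfuS1DBRKOAHf+
47J/kEqw2zlVAGPQsrhN1eMYDH2gjoEZdXYivwsXCFzcVbxwycG02aWCPJyEBSch
P5aYWwAY
-----END X509 CRL-----"""

CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
               4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
               8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}  # RFC 5280 5.3.1
OID_CRL_REASON = bytes.fromhex("551d15")  # id-ce-cRLReasons, 2.5.29.21

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def read_tlv(buf, pos):  # one DER TLV at pos -> (tag, contents, position after the value)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(contents):  # child (tag, contents) pairs of a constructed value
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = read_tlv(contents, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):  # UTCTime (0x17) or GeneralizedTime (0x18), Zulu form as DER requires
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def reason_code(entry_exts):  # CRLReason from crlEntryExtensions; Extension = OID, [critical], OCTET STRING
    for _, ext in children(entry_exts):
        parts = children(ext)
        if parts[0][1] == OID_CRL_REASON:
            tag, val, _ = read_tlv(parts[-1][1], 0)  # the OCTET STRING wraps an ENUMERATED
            return int.from_bytes(val, "big") if tag == 0x0A else None
    return None

def parse_crl(der):  # walk CertificateList / TBSCertList, RFC 5280 section 5.1
    _, cert_list, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert_list, 0)
    f = children(tbs)
    i = 1 if f[0][0] == 0x02 else 0  # optional version, then signature alg, issuer, thisUpdate
    this_update, i = parse_time(*f[i + 2]), i + 3
    next_update = None
    if i < len(f) and f[i][0] in (0x17, 0x18):  # nextUpdate is OPTIONAL
        next_update, i = parse_time(*f[i]), i + 1
    revoked = {}
    if i < len(f) and f[i][0] == 0x30:  # revokedCertificates; crlExtensions would be [0], tag 0xA0
        for _, entry in children(f[i][1]):
            p = children(entry)  # serialNumber INTEGER, revocationDate, [crlEntryExtensions]
            serial = int.from_bytes(p[0][1], "big", signed=True)
            revoked[serial] = (parse_time(*p[1]), reason_code(p[2][1]) if len(p) > 2 else None)
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}

def lookup(crl, serial):  # "not on CRL" is not proof of validity: freshness and signature matter too
    entry = crl["revoked"].get(serial)
    return ("revoked", entry[0], CRL_REASONS.get(entry[1], "unknown")) if entry else ("not on CRL", None, None)

if __name__ == "__main__":
    print(lookup(parse_crl(pem_to_der(SCROOT2_CRL_PEM)), 0x22B9B131EC0DFF09FE))
```

Running it prints the revoked status, the revocation date and the reason name for the G5 intermediate; any other serial on this CRL can be passed to `lookup` the same way. On the OpenSSL side, note that `-crl_check` only checks the end-entity certificate against a CRL; `-crl_check_all` is the option that checks every certificate in the chain, which is what catches a revoked intermediate.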
For what it's worth, in Firefox's about:config,
☑ Query OCSP responder servers to confirm the current validity of certificates
is definitely checked, so could it really be that the CRL hasn't been reflected in OCSP yet?
How do I check OCSP manually?
I've been on Windows 10 for a long time, so I thought I might have some odd setting somewhere, and I also tried it from the Ubuntu 20.04.2 LTS Desktop ISO in VirtualBox, but it still sails right through.
If there is one thing that bothers me, it's that
this server is a bit old and stuck at TLS 1.0, so it can't do TLS 1.2,
and I'm viewing it in Firefox with TLS 1.0/1.1 enabled.
Could there be a bug where the CRL check is skipped when TLS 1.0/1.1 is enabled?
I wondered, but I confirmed the same symptom against a server that supports TLS 1.2. So that's not it.
Possibilities:
- the CRL check for the intermediate certificate is being skipped
- the CRL hasn't reached OCSP
- the OCSP query isn't happening at all (it's failing)
Needing a proxy in this environment is another worry, but what on earth is the cause!?
SECOM's Security Communication RootCA2 certificate can be fetched as follows.
$ wget https://repository.secomtrust.net/SC-Root2/SCRoot2ca.cer
$ openssl x509 -in SCRoot2ca.cer -inform DER > SCRoot2ca.cer.pem
$ openssl ocsp -issuer SCRoot2ca.cer.pem -url http://scrootca2.ocsp.secomtrust.net -serial 0x22b9b131ec0dff09fe -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: F20EF3E3718F19D130D9CC7A2DC303161CB29CD0
          Issuer Key Hash: 0A85A9776505987C4081F80F972C38F10AEC3CCF
          Serial Number: 22B9B131EC0DFF09FE
    Request Extensions:
        OCSP Nonce:
            0410978EFE3B5E4C1D208960234C9BF57624
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: CC6AF09C573F367A3A9CF97DBC4215F4A59C4546
    Produced At: May  7 08:17:24 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: F20EF3E3718F19D130D9CC7A2DC303161CB29CD0
      Issuer Key Hash: 0A85A9776505987C4081F80F972C38F10AEC3CCF
      Serial Number: 22B9B131EC0DFF09FE
    Cert Status: revoked
    Revocation Time: Apr 27 01:38:24 2021 GMT
    Revocation Reason: cessationOfOperation (0x5)
    This Update: Apr 27 02:08:06 2021 GMT
    Next Update: Jul 26 05:49:38 2021 GMT

    Response Extensions:
        OCSP Nonce:
            0410978EFE3B5E4C1D208960234C9BF57624
    Signature Algorithm: sha1WithRSAEncryption
         90:55:5e:f0:bf:10:ad:d8:ba:62:aa:92:67:c9:78:0d:3e:d5:
         0d:09:1e:3c:3b:9a:1c:ed:ed:56:01:4c:e8:07:a0:6b:89:c4:
         66:0e:4c:5d:41:ea:85:9c:1c:62:7c:fa:f3:0c:16:2e:b8:d3:
         55:70:45:2b:80:9c:b5:4b:8a:0d:b8:30:73:91:d8:f1:42:56:
         ac:87:53:35:9a:eb:c5:aa:6c:22:36:21:44:47:38:c3:eb:58:
         30:35:a2:cd:bc:bd:e4:41:d1:44:3e:2e:81:01:51:a3:c5:38:
         5e:42:a3:a3:97:04:eb:4e:4c:b3:1a:42:0a:a6:93:38:7d:05:
         ee:3c:d1:ae:f2:09:92:60:37:86:e2:48:39:3f:7e:a7:0c:6b:
         b5:7b:4b:20:4f:e7:96:aa:82:63:7b:94:c5:05:bb:03:b4:e9:
         b9:9c:92:2f:a7:47:c0:12:fa:16:ea:37:6c:3e:a7:cb:4f:df:
         5b:4e:cf:69:9b:53:3b:32:ea:06:04:88:14:9a:52:a1:1f:95:
         0c:d3:79:24:2f:12:e2:ff:bf:e3:b4:e3:26:03:1a:14:70:5e:
         d1:b1:ff:10:8a:1c:d2:bd:58:e3:89:86:ea:12:98:b6:bd:2d:
         33:1e:30:34:ea:2f:92:9e:43:8f:2a:42:5d:e1:ed:6f:3d:6d:
         13:4d:9f:97
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            22:b9:b1:87:33:6b:46:e0:97
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2
        Validity
            Not Before: Mar 24 05:49:38 2021 GMT
            Not After : Jul 26 05:49:38 2021 GMT
        Subject: C=JP, O=SECOM Trust Systems CO.,LTD., CN=Security Communication RootCA2 OCSP Responder
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a1:a7:7e:d7:af:a6:e5:7d:af:5c:be:9a:26:77:
                    f3:d4:98:18:0f:ef:72:79:f0:54:be:52:98:00:ab:
                    53:c8:b3:5f:f0:ff:f5:46:4e:4f:c8:fe:ab:c5:12:
                    47:1c:c7:d3:70:45:3f:fb:56:29:41:d1:cb:db:21:
                    78:5d:24:38:d2:32:65:30:65:2b:99:06:fa:b6:16:
                    07:a9:70:6f:a3:3a:8b:9a:c9:cc:13:9c:9f:01:14:
                    de:e9:1d:ff:2f:ef:c0:2a:2d:f7:df:51:ec:90:9e:
                    95:4b:53:d6:21:e0:54:d5:c9:df:b7:57:bb:a5:90:
                    50:88:02:dc:6a:55:62:f7:19:8d:2e:54:c7:0a:c6:
                    de:dc:7d:f7:d5:7b:f1:4f:85:6c:30:94:d5:e9:62:
                    fb:e2:a3:18:92:eb:c8:89:0e:e6:b3:41:40:95:56:
                    ba:48:14:8a:42:7f:aa:a9:4b:fc:5d:d7:30:bc:2c:
                    f8:f7:e4:07:9c:83:4c:2c:c1:17:33:b7:24:c5:ef:
                    3f:a1:b3:ec:bd:fa:ba:8e:be:3b:d9:68:04:1e:87:
                    42:16:55:19:bb:eb:06:69:2d:98:49:25:86:25:22:
                    63:b4:81:86:30:58:fd:8d:89:bd:0c:71:d3:23:00:
                    56:6d:07:be:ac:69:36:28:11:ae:b3:25:e3:ce:12:
                    da:c3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                OCSP Signing
            X509v3 Certificate Policies:
                Policy: 1.2.392.200091.100.901.4
                  CPS: https://repository.secomtrust.net/SC-Root2/
            OCSP No Check:

            X509v3 Authority Key Identifier:
                keyid:0A:85:A9:77:65:05:98:7C:40:81:F8:0F:97:2C:38:F1:0A:EC:3C:CF
            X509v3 Subject Key Identifier:
                CC:6A:F0:9C:57:3F:36:7A:3A:9C:F9:7D:BC:42:15:F4:A5:9C:45:46
    Signature Algorithm: sha256WithRSAEncryption
         55:4c:4e:c7:8b:64:38:4d:89:8a:63:1e:f8:57:b5:00:fa:ce:
         ed:73:df:90:f7:39:b2:ce:a4:d5:c9:e6:60:05:e6:85:ba:ce:
         94:89:ae:d5:01:67:72:4b:de:27:37:c1:3d:7a:99:6f:aa:48:
         17:7d:32:46:21:8c:a4:65:97:ae:a4:0b:50:11:d0:45:3e:a6:
         8c:dd:43:a7:4d:81:12:56:15:5c:16:16:93:b0:6e:48:91:d3:
         eb:38:3a:89:1a:70:9b:c3:23:f0:fa:c4:b4:06:71:3f:22:4b:
         0d:2b:ac:36:7a:1d:97:b1:b7:93:16:34:21:97:39:46:14:3f:
         54:a6:98:b0:d0:c5:07:25:c2:29:13:8c:0a:25:c3:9e:bd:63:
         5d:d5:60:cf:1e:8a:b4:62:64:73:5f:22:06:cb:cf:7f:8f:a1:
         a5:9c:1d:ce:f0:f4:9a:5e:b5:b9:30:91:a9:a4:6a:d1:8e:ef:
         b0:af:f0:57:8f:1d:8f:ac:3c:ea:dc:de:f9:e4:92:bd:0c:e2:
         0b:9c:60:98:96:0a:d4:ce:98:bf:7d:90:9c:44:1e:ac:eb:db:
         9f:cf:f7:fb:e0:1c:55:ba:b9:e0:dd:95:a5:47:d1:94:59:8e:
         ed:ee:00:59:29:da:f3:bb:6c:23:fb:b2:a7:e2:3c:6c:44:08:
         6b:2b:ab:90
-----BEGIN CERTIFICATE-----
MIIEGjCCAwKgAwIBAgIJIrmxhzNrRuCXMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw
JQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTIwHhcNMjEwMzI0
MDU0OTM4WhcNMjEwNzI2MDU0OTM4WjBsMQswCQYDVQQGEwJKUDElMCMGA1UEChMc
U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjE2MDQGA1UEAxMtU2VjdXJpdHkg
Q29tbXVuaWNhdGlvbiBSb290Q0EyIE9DU1AgUmVzcG9uZGVyMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoad+16+m5X2vXL6aJnfz1JgYD+9yefBUvlKY
AKtTyLNf8P/1Rk5PyP6rxRJHHMfTcEU/+1YpQdHL2yF4XSQ40jJlMGUrmQb6thYH
qXBvozqLmsnME5yfARTe6R3/L+/AKi3331HskJ6VS1PWIeBU1cnft1e7pZBQiALc
alVi9xmNLlTHCsbe3H331XvxT4VsMJTV6WL74qMYkuvIiQ7ms0FAlVa6SBSKQn+q
qUv8XdcwvCz49+QHnINMLMEXM7ckxe8/obPsvfq6jr472WgEHodCFlUZu+sGaS2Y
SSWGJSJjtIGGMFj9jYm9DHHTIwBWbQe+rGk2KBGusyXjzhLawwIDAQABo4HNMIHK
MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDCTBSBgNVHSAESzBJ
MEcGCiqDCIybG2SHBQQwOTA3BggrBgEFBQcCARYraHR0cHM6Ly9yZXBvc2l0b3J5
LnNlY29tdHJ1c3QubmV0L1NDLVJvb3QyLzAPBgkrBgEFBQcwAQUEAgUAMB8GA1Ud
IwQYMBaAFAqFqXdlBZh8QIH4D5csOPEK7DzPMB0GA1UdDgQWBBTMavCcVz82ejqc
+X28QhX0pZxFRjANBgkqhkiG9w0BAQsFAAOCAQEAVUxOx4tkOE2JimMe+Fe1APrO
7XPfkPc5ss6k1cnmYAXmhbrOlImu1QFnckveJzfBPXqZb6pIF30yRiGMpGWXrqQL
UBHQRT6mjN1Dp02BElYVXBYWk7BuSJHT6zg6iRpwm8Mj8PrEtAZxPyJLDSusNnod
l7G3kxY0IZc5RhQ/VKaYsNDFByXCKROMCiXDnr1jXdVgzx6KtGJkc18iBsvPf4+h
pZwdzvD0ml61uTCRqaRq0Y7vsK/wV48dj6w86tze+eSSvQziC5xgmJYK1M6Yv32Q
nEQerOvbn8/3++AcVbq54N2VpUfRlFmO7e4AWSna87tsI/uyp+I8bEQIayurkA==
-----END CERTIFICATE-----
Response verify OK
0x22b9b131ec0dff09fe: revoked
	This Update: Apr 27 02:08:06 2021 GMT
	Next Update: Jul 26 05:49:38 2021 GMT
	Reason: cessationOfOperation
	Revocation Time: Apr 27 01:38:24 2021 GMT
The intermediate certificate is properly reported as revoked by OCSP.
Is Firefox just forgetting to check revocation for intermediate certificates???
Hmm, but against office.com,
$ openssl s_client -connect www.office.com:https -status
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = portal.office.com
verify return:1
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: DD51D0A23173A973AE8FB4017E5D8C57CB9FF0F7
    Produced At: May  2 01:36:37 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 48B6A9E21293B3C020B12ACE4E73649A3C67DC9B
      Issuer Key Hash: DD51D0A23173A973AE8FB4017E5D8C57CB9FF0F7
      Serial Number: 0D486A2CD4B144AB2CD103C09BD97DD4
    Cert Status: good
    This Update: May  2 01:21:01 2021 GMT
    Next Update: May  9 00:36:01 2021 GMT

    Signature Algorithm: sha256WithRSAEncryption
         a2:40:1e:24:82:d3:c0:01:f9:12:a9:0e:66:79:ab:a6:6e:8b:
         f1:3e:0f:fa:e5:61:f2:8d:23:0c:c4:ab:e7:58:d5:30:ea:8f:
         a3:23:62:99:27:64:21:d0:67:6b:3a:44:e7:fe:71:7c:54:ef:
         c1:00:c1:ae:31:34:36:ee:5a:77:15:21:aa:2f:26:ee:a9:db:
         65:f1:ec:a0:de:f5:c8:8c:1f:ca:69:82:d7:23:6d:0a:19:7a:
         ec:76:f6:7c:cf:df:9f:5d:04:a9:8e:d5:8b:ac:f5:53:61:7f:
         c9:f3:5c:a7:71:08:4c:3c:c6:7e:17:04:2a:b8:74:ee:51:90:
         7b:25:f8:bb:0d:d8:cb:5a:99:7e:e9:ea:dc:16:50:d7:ae:5a:
         e8:68:3b:bf:bd:96:ed:bd:51:36:2f:a0:e2:32:53:2b:74:4b:
         9d:a4:bb:1d:09:37:d7:cc:9f:55:a1:71:9b:dc:aa:88:23:a3:
         92:e2:66:af:99:82:eb:6f:4a:b7:c6:ea:d4:72:29:b0:09:31:
         ec:94:29:01:80:57:2f:01:4c:9f:2f:46:7c:fa:45:05:df:e8:
         e6:a4:66:df:98:b4:9c:e6:81:51:99:3c:1b:0f:66:bc:61:29:
         c8:64:f6:ee:19:1d:42:af:9a:18:c7:9d:46:5b:9c:ad:da:7e:
         0b:f5:ac:d3
======================================
---
Certificate chain
 0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = portal.office.com
   i:C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
 1 s:C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIIEzCCBvugAwIBAgIQDUhqLNSxRKss0QPAm9l91DANBgkqhkiG9w0BAQsFADBL
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSUwIwYDVQQDExxE
aWdpQ2VydCBDbG91ZCBTZXJ2aWNlcyBDQS0xMB4XDTIxMDMyNDAwMDAwMFoXDTIy
MDMyMzIzNTk1OVowcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
bjEaMBgGA1UEAxMRcG9ydGFsLm9mZmljZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC2zIwF2pj0PNL2yfMSXTkA66mS5U+ru29uL92gzbyLezJK
LrHD1vfBuwOWZwnZ/f4p70+Zsx8HpoLPS5UNgQXPlGFe0Xbz7ZeSjSCFPYi5mSsB
JaEs9YJHROxBKuc/WoMqrD9DeG1+jBq5PV+QKDkA83dgR3Vqbt4IWFsG+tYcKhYf
xFqD9ybkFh6wGFgeM6yQ34lodFSCkvgxx7b7kPmqDb16AjMtorBRPzTJxokfgEdP
YKbBsZYjzyEe+4dlnJo81RISrYzV8zcYLmHzWrYRnWgVSejP4wcMh2Hh+WgtdDWC
X9YtJivtZ153XfQMiwCqkcjOQ+WCLUBQYE0EtjC1AgMBAAGjggTMMIIEyDAfBgNV
HSMEGDAWgBTdUdCiMXOpc66PtAF+XYxXy5/w9zAdBgNVHQ4EFgQUzIliUyzdXGOJ
h96w0OiGfRCLeM0wggHxBgNVHREEggHoMIIB5IIRcG9ydGFsLm9mZmljZS5jb22C
GnBvcnRhbC5taWNyb3NvZnRvbmxpbmUuY29tgh1wb3J0YWxwcnYubWljcm9zb2Z0
b25saW5lLmNvbYIXbmN1cG9ydGFscHJ2Lm9mZmljZS5jb22CCm9mZmljZS5jb22C
FHBvcnRhbC5taWNyb3NvZnQuY29tgg9ob21lLm9mZmljZS5jb22CFXBvcnRhbC1z
ZGYub2ZmaWNlLmNvbYIPcHJvZC5tc29jZG4uY29tgg53d3cub2ZmaWNlLmNvbYIT
Ki5wb3J0YWwub2ZmaWNlLmNvbYIQKi53d3cub2ZmaWNlLmNvbYITYWRtaW4ubWlj
cm9zb2Z0LmNvbYIWYWRtaW4ubWljcm9zb2Z0MzY1LmNvbYIUd3d3Lm1pY3Jvc29m
dDM2NS5jb22CEm50cC53d3cub2ZmaWNlLmNvbYIQZmx1aWQub2ZmaWNlLmNvbYIQ
bWljcm9zb2Z0MzY1LmNvbYIPd29yZC5vZmZpY2UuY29tghBleGNlbC5vZmZpY2Uu
Y29tghVwb3dlcnBvaW50Lm9mZmljZS5jb22CEHZpc2lvLm9mZmljZS5jb22CD2Fw
cHMub2ZmaWNlLmNvbYIRc3RyZWFtLm9mZmljZS5jb20wDgYDVR0PAQH/BAQDAgWg
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBjQYDVR0fBIGFMIGCMD+g
PaA7hjlodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRDbG91ZFNlcnZp
Y2VzQ0EtMS1nMS5jcmwwP6A9oDuGOWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9E
aWdpQ2VydENsb3VkU2VydmljZXNDQS0xLWcxLmNybDA+BgNVHSAENzA1MDMGBmeB
DAECAjApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMw
fAYIKwYBBQUHAQEEcDBuMCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcHguZGlnaWNl
cnQuY29tMEUGCCsGAQUFBzAChjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20v
RGlnaUNlcnRDbG91ZFNlcnZpY2VzQ0EtMS5jcnQwDAYDVR0TAQH/BAIwADCCAQQG
CisGAQQB1nkCBAIEgfUEgfIA8AB1AEalVet1+pEgMLWiiWn0830RLEF0vv1JuIWr
8vxw/m1HAAABeGWEv4oAAAQDAEYwRAIgKefbuWTfsJtUVS9YBj2yb/9iOWZrGrjY
VBAIIsI7TuECIAK6f961j7dEbveljI/A6QmcPgoFlRi11Ws+qmwoncGTAHcAIkVF
B1lVJFaWP6Ev8fdthuAjJmOtwEt/XcaDXG7iDwIAAAF4ZYS/mQAABAMASDBGAiEA
2pHCVkkvWdaolS05t2P98uXcr7arYr61fgQvOkShMB4CIQD5Y/fOgxT5z1WCtxjR
i1WUwD02Sif8imenA0KgOaFrwDANBgkqhkiG9w0BAQsFAAOCAQEACddAInGH7mlB
vhYJ/92NHEpws4zkv0C6DV/9WSiqVee1FFzwIAUt5BOQPjkr88G761fu1I784ib0
Evs79QDeZAsJWVdii8cNxAm0C+1lzaEa90GszyGf690YHegi4gUVTk8fQc0cvzfy
XtRgGpdM5aoEjcXkEFd9uZx6tf3Q4YfuOlsAiFYDLeSJRFFB2w9cDUUL7yDbGjvF
nHZZwg0ACko5dz62ew/+gjJ3n9ZdYR7QX9E/teVRDAFu5YavaUE/fj89uqGWSc35
kvLAx7Lx61ud0RnnfaMWrhjrMVNum3P4hGVBmfO5gdsB10HQ5wvuHWnPS/uv8+ky
xHFwmQ374Q==
-----END CERTIFICATE-----
subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = portal.office.com

issuer=C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4614 bytes and written 473 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2A2525C748FFD2562ECF8D905F2A5A72E1F8158DE8CF1043A2A872C69749D8E6
    Session-ID-ctx:
    Master-Key: 322BAE003621CFCF503C3F789F7C82F9A66E90663E7084382F954B179D7BCA8785707D97FAFA384FEE40A60555796B4C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 36000 (seconds)
    TLS session ticket:
    0000 - 00 00 00 00 d6 01 45 17-22 ed 28 40 bd a5 3e 93   ......E.".(@..>.
    0010 - 4c 90 8b b8 db 75 54 06-27 3b 18 78 9b 94 c2 37   L....uT.';.x...7
    0020 - 8c 10 72 35 1a 0d c3 32-5d 44 d7 e9 7d 3f df 17   ..r5...2]D..}?..
    0030 - be 58 84 2b 5a 69 29 ee-89 6c ab e1 23 7b ae 96   .X.+Zi)..l..#{..
    0040 - 3d 14 7b ce 0b 52 fb b9-0b 50 84 1a 0f a3 2e d1   =.{..R...P......
    0050 - 11 e4 d2 3a e7 01 43 03-aa 23 f8 90 d3 95 b8 ab   ...:..C..#......
    0060 - 3e b2 f7 4e c5 2c 72 fb-1b 63 2a 70 c5 87 9e e0   >..N.,r..c*p....
    0070 - ef af cb ef ab 8e 9f f4-18 a0 8f 33 25 6d d4 d7   ...........3%m..
    0080 - 2e 33 4a f9 59 7f ba 4c-10 5c 19 c2 ae 22 64 20   .3J.Y..L.\..."d
    0090 - 6d 75 ed 76 9f 62 3c e1-3c 6f 89 05 e4 2c 8b c3   mu.v.b<.<o...,..
    00a0 - b9 d0 a9 c7 73 5f 45 75-82 b9 04 1e 1c 66 c6 81   ....s_Eu.....f..
    00b0 - d9 ab fa 6e ac 58 ee 3a-c5 ed da 2f d9 28 18 c3   ...n.X.:.../.(..
    00c0 - 27 c1 80 fb 6f bc 78 1b-29 0b 31 ca 7a c9 e2 8c   '...o.x.).1.z...
    00d0 - fc 0f f7 db 0b 67 87 65-fc d8 e2 da 60 d1 19 81   .....g.e....`...
    00e0 - 50 08 d9 0a cc 3d 95 ae-12 43 77 6a 44 cb a4 29   P....=...CwjD..)
    00f0 - ce 57 b4 c2 df 1d 3e f7-fe c0 6c 2b c0 33 20 a5   .W....>...l+.3 .
    0100 - 89 3a de 3d                                       .:.=

    Start Time: 1620376540
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
an OCSP response comes back like this, but
with the server in question,
$ LD_LIBRARY_PATH=~/local/oldopenssl/usr/lib/x86_64-linux-gnu/ openssl s_client -connect www.**************************.jp:https -status
CONNECTED(00000005)
depth=2 C = JP, O = "SECOM Trust Systems CO.,LTD.", OU = Security Communication RootCA2
verify return:1
depth=1 C = JP, O = National Institute of Informatics, CN = NII Open Domain CA - G5
verify return:1
depth=0 C = JP, ST = *********, O = ********************, OU = ********************************************, CN = www.**************************.jp
verify return:1
OCSP response: no response sent
---
Certificate chain
...
no OCSP response comes back, so there is also the possibility that there is actually a problem in the OCSP implementation and it can't fetch properly from http://scrootca2.ocsp.secomtrust.net?
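An added example, not code from the original post, showing what `openssl ocsp` put on the wire above: the OCSPRequest for the G5 intermediate built from scratch with a small DER encoder in Python (standard library only), plus the URL form for an HTTP GET from RFC 6960 Appendix A. The CertID fields (SHA-1 issuer name hash, issuer key hash, serial) are copied from the openssl output above rather than recomputed, because the SECOM root certificate is not embedded here. Two things are worth keeping apart when reading the s_client runs: `openssl s_client -status` only prints an OCSP response that the server staples into the TLS handshake, so "no response sent" means the server does not staple and says nothing about whether the responder at http://scrootca2.ocsp.secomtrust.net is reachable, whereas the `openssl ocsp` run above queried that responder directly and was told "revoked" (in a response signed with sha1WithRSAEncryption, as the dump shows). On the Firefox side, mozilla::pkix does not fetch OCSP for intermediate (CA) certificates during ordinary, non-EV validation; revoked intermediates reach Firefox through Mozilla's OneCRL list instead, so the OCSP preference being ticked does not by itself cover this case.

```python
# Added example, not code from the original post: build the OCSPRequest that
# `openssl ocsp` sent above with a minimal DER encoder (standard library only) and
# derive the RFC 6960 Appendix A GET URL for it. The CertID values are the ones
# printed in the openssl output; the SHA-1 hashes are taken as given, not recomputed.
import base64
import urllib.parse

RESPONDER_URL = "http://scrootca2.ocsp.secomtrust.net"  # AIA OCSP URI of the G5 intermediate
ISSUER_NAME_HASH = bytes.fromhex("F20EF3E3718F19D130D9CC7A2DC303161CB29CD0")
ISSUER_KEY_HASH = bytes.fromhex("0A85A9776505987C4081F80F972C38F10AEC3CCF")
SERIAL = 0x22B9B131EC0DFF09FE  # NII Open Domain CA - G5
OID_SHA1 = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26
OID_OCSP_NONCE = bytes.fromhex("2b0601050507300102")  # id-pkix-ocsp-nonce, 1.3.6.1.5.5.7.48.1.2

def der(tag, contents):
    """Wrap contents in a DER TLV with a definite length (short or long form)."""
    n = len(contents)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + contents

def der_integer(value):
    """DER INTEGER: minimal two's-complement, so a leading 0x00 appears when the top bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def cert_id(name_hash, key_hash, serial):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }"""
    sha1_alg = der(0x30, der(0x06, OID_SHA1) + der(0x05, b""))  # AlgorithmIdentifier with NULL params
    return der(0x30, sha1_alg + der(0x04, name_hash) + der(0x04, key_hash) + der_integer(serial))

def ocsp_request(name_hash, key_hash, serial, nonce=None):
    """OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest }               (unsigned request)
    TBSRequest  ::= SEQUENCE { requestList SEQUENCE OF Request, requestExtensions [2] EXPLICIT OPTIONAL }
    Request     ::= SEQUENCE { reqCert CertID }"""
    tbs_body = der(0x30, der(0x30, cert_id(name_hash, key_hash, serial)))
    if nonce is not None:
        # extnValue is an OCTET STRING wrapping the nonce OCTET STRING, matching the 0410... in the dump
        ext = der(0x30, der(0x06, OID_OCSP_NONCE) + der(0x04, der(0x04, nonce)))
        tbs_body += der(0xA2, der(0x30, ext))
    return der(0x30, der(0x30, tbs_body))

def ocsp_get_url(responder, request_der):
    """RFC 6960 A.1: GET {responder}/{url-encoded base64(DER request)}, the cache-friendly form."""
    return responder.rstrip("/") + "/" + urllib.parse.quote(base64.b64encode(request_der).decode(), safe="")

if __name__ == "__main__":
    req = ocsp_request(ISSUER_NAME_HASH, ISSUER_KEY_HASH, SERIAL)
    print(len(req), "bytes:", req.hex())
    print(ocsp_get_url(RESPONDER_URL, req))
    # Sending it (network, not done here): POST req with Content-Type application/ocsp-request
    # to RESPONDER_URL, or GET the URL above, then verify the OCSPResponse signature chain.
```

The request without a nonce is 76 bytes; with the 16-byte nonce from the dump it is 113 bytes. Passing the GET URL to curl, or the raw DER to `curl --data-binary` with the application/ocsp-request content type, reproduces the query that `openssl ocsp -url` sends, independent of any TLS stapling by the web server.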
Also, the fact that -crl_download -crl_check can't fetch the CRL properly bothers me.
$ LD_LIBRARY_PATH=~/local/oldopenssl/usr/lib/x86_64-linux-gnu/ openssl s_client -connect www.**************************.jp:https -status -crl_download -crl_check
CONNECTED(00000005)
Error loading CRL from http://repo1.secomtrust.net/sppca/nii/odca3/fullcrlg5.crl
depth=0 C = JP, ST = *********, O = ********************, OU = ********************************************, CN = www.**************************.jp
verify error:num=3:unable to get certificate CRL
verify return:1
depth=2 C = JP, O = "SECOM Trust Systems CO.,LTD.", OU = Security Communication RootCA2
verify return:1
depth=1 C = JP, O = National Institute of Informatics, CN = NII Open Domain CA - G5
verify return:1
depth=0 C = JP, ST = *********, O = ********************, OU = ********************************************, CN = www.**************************.jp
verify return:1
OCSP response: no response sent
---
Certificate chain
...
Why?
This is OpenSSL, in an environment that needs no proxy, and it still behaves this way, so the proxy seems unrelated?
- Google: "Error loading CRL from" openssl s_client "-crl_download"
- GitHub / openssl / openssl / issue / verify -crl_download -crl_check fails without useful error message #8581
- Google: OCSP
- IETF / Documents / RFC 2560 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
- IPA / Information Security / RFC 2560 X.509 Internet PKI Online Certificate Status Protocol (OCSP) (in Japanese)
- Google: OCSP curl
- UNMITIGATED RISK / 2012-03-20: How to do OCSP requests using OpenSSL and CURL
- Qiita / thetsuthetsu / 2018-11-23: Investigating OCSP Stapling
- Google: openssl ocsp
- zkat's diary / 2018-10-29: Running OCSP certificate verification with the openssl command