Scratchpad of hack ideas, etc.

Situation

Because the intermediate certificate of a certain National Institute of Informatics was revoked at 2021-04-27 01:38:24 GMT,
Chrome and the Chromium-based Microsoft Edge report
NET::ERR_CERT_REVOKED
and error out on some pages, yet for some reason Firefox does not treat it as revoked.

Specifically,
$ openssl x509 -in nii-odca3sha2ct.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            22:b9:b1:31:ec:0d:ff:09:fe
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, O = "SECOM Trust Systems CO.,LTD.", OU = Security Communication RootCA2
        Validity
            Not Before: Mar 22 06:33:29 2018 GMT
            Not After : Mar 22 06:33:29 2028 GMT
        Subject: C = JP, O = National Institute of Informatics, CN = NII Open Domain CA - G5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cb:c7:89:da:c5:47:b0:91:b2:eb:52:e6:2a:10:
                    09:00:5e:e6:6b:41:7e:6d:68:ed:de:47:bb:5d:75:
                    b2:8f:90:ac:e3:33:66:ab:57:30:54:e9:a5:80:06:
                    a9:35:ac:b7:81:d6:ea:73:48:2a:0a:05:71:b9:e0:
                    43:69:a8:b4:9e:38:3f:9e:e8:4d:7b:b8:91:41:c9:
                    3b:da:ad:8b:f9:7d:55:55:3e:20:8c:0f:81:bf:f1:
                    26:4e:91:8e:9e:4e:70:97:e0:e4:e3:e6:0d:ce:9f:
                    de:a9:b3:97:df:34:de:62:8e:d4:e3:b7:95:d0:c1:
                    1a:aa:b8:df:47:1b:d5:ee:84:7c:00:f8:c7:0f:91:
                    a6:be:df:ab:98:37:3f:05:b5:bf:a7:32:94:ce:a2:
                    bc:e6:31:63:02:a1:8a:83:d4:16:28:33:a2:65:4d:
                    4a:70:99:33:36:5c:b2:f2:23:b2:6f:aa:d1:49:22:
                    09:d2:5f:f5:47:0a:f3:fb:95:b5:6f:f7:45:62:ce:
                    e1:29:aa:03:17:be:20:c9:e3:30:ee:78:06:9c:75:
                    bf:22:e6:de:3c:c3:0b:7b:38:9d:db:40:69:d4:3b:
                    f8:62:2f:6a:7f:51:b1:a9:51:22:18:cc:7b:ce:75:
                    06:25:df:d5:44:40:e8:12:40:55:6e:9b:0d:53:92:
                    f7:27
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                67:3A:3A:C1:6B:B7:1C:A6:41:46:39:30:84:C8:69:00:59:11:58:C1
            X509v3 Authority Key Identifier:
                keyid:0A:85:A9:77:65:05:98:7C:40:81:F8:0F:97:2C:38:F1:0A:EC:3C:CF

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://repository.secomtrust.net/SC-Root2/SCRoot2CRL.crl

            X509v3 Certificate Policies:
                Policy: 1.2.392.200091.100.901.4
                  CPS: https://repository.secomtrust.net/SC-Root2/

            Authority Information Access:
                OCSP - URI:http://scrootca2.ocsp.secomtrust.net

    Signature Algorithm: sha256WithRSAEncryption
         55:13:2c:ff:59:b8:06:91:32:c1:05:91:a4:dc:ec:8a:2e:fa:
         21:dc:08:d5:be:21:e1:ae:51:6f:f9:f7:51:c9:1d:65:88:7e:
         8d:6c:c0:0c:81:94:5b:2d:03:e2:0d:8f:63:75:33:f5:25:d1:
         e1:ff:93:df:58:65:0c:47:d6:11:de:d0:64:60:91:7b:7f:7f:
         45:1c:b1:79:16:8b:b4:1a:65:75:63:48:0c:37:22:df:dc:a4:
         51:13:5c:39:24:43:aa:8b:bc:f9:36:8e:bc:5c:ea:aa:1a:91:
         ed:26:7a:33:71:38:2a:69:13:49:f3:65:2e:dc:74:6a:05:17:
         c5:0a:2b:c8:68:76:4e:d2:df:df:20:da:42:91:c2:1c:4d:ea:
         2c:48:57:40:c5:52:8a:3f:b0:9a:86:81:d7:49:1a:5c:80:7f:
         9b:52:87:5a:fc:58:35:b7:a1:c3:0d:9c:dd:00:15:c8:5e:d7:
         5a:f9:3a:ae:6e:30:d9:6c:c2:e9:36:86:68:80:fc:62:27:a2:
         0b:0f:a5:20:0c:76:70:0f:d1:6f:50:1d:94:91:9c:95:bf:4d:
         23:02:7b:5c:1a:be:5c:68:81:ad:68:bb:8b:00:29:d0:2a:0d:
         a8:b4:10:5a:8b:5e:ea:b2:e9:cb:d0:66:c3:2e:b1:d3:4d:e4:
         70:8e:a3:67
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
as shown above, and the revocation list for this certificate is at , where
$ openssl crl -in SCRoot2CRL.crl -inform DER -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, O = "SECOM Trust Systems CO.,LTD.", OU = Security Communication RootCA2
        Last Update: Apr 27 02:08:06 2021 GMT
        Next Update: Apr 27 02:08:06 2022 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:0A:85:A9:77:65:05:98:7C:40:81:F8:0F:97:2C:38:F1:0A:EC:3C:CF

            X509v3 CRL Number:
                131
Revoked Certificates:
    Serial Number: 22B9B0D6
        Revocation Date: Jun  9 07:46:44 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B0ED768D70EDCE
        Revocation Date: Nov 30 06:13:04 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B114F6C7793EA0
        Revocation Date: Jun 21 06:13:32 2017 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Serial Number: 22B9B1189D28B6BA31
        Revocation Date: Sep  7 07:58:39 2017 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Serial Number: 22B9B131EC0DFF09FE
        Revocation Date: Apr 27 01:38:24 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B13AF2D9E4F386
        Revocation Date: Mar  9 02:54:13 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B13CED40468405
        Revocation Date: Mar  9 03:07:57 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B1483713B993B6
        Revocation Date: Aug 22 06:11:09 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B1493D858728F9
        Revocation Date: Aug 22 06:21:23 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B14A3A611FD0D8
        Revocation Date: Aug 22 06:37:11 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B14B1B1A00F693
        Revocation Date: Aug 22 06:46:36 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B14CD1831A062D
        Revocation Date: Aug 22 06:56:06 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B14E486E69EDA0
        Revocation Date: Jul  8 09:27:10 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B15A9B8FF55573
        Revocation Date: Jul 23 08:13:14 2019 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Serial Number: 22B9B167395270F3D6
        Revocation Date: Oct 30 04:53:46 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B1688E7494D662
        Revocation Date: Mar 23 07:46:10 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B169E3CD1BCC22
        Revocation Date: Mar 23 07:55:20 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B16AE75C8B5865
        Revocation Date: Apr 27 01:48:32 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B16B83977DA751
        Revocation Date: Jun  9 08:02:37 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B16EB150AD7E36
        Revocation Date: Apr 27 01:58:03 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B16F96784D3824
        Revocation Date: Oct 30 05:04:50 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B172FA931A5B74
        Revocation Date: Mar  9 02:18:49 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B174E5DA7D6EEB
        Revocation Date: Mar  9 02:39:02 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B15C4A1261748A504D172147A9CC
        Revocation Date: Mar 15 02:00:51 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B15DEFDD158804EB5F278C825020
        Revocation Date: Mar 15 02:24:34 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B175E35A273EBB6F5EEE02AD9DD8
        Revocation Date: Mar 15 02:14:42 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 22B9B176817E3637C555F5C42D4C36BF
        Revocation Date: Mar 15 02:34:57 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Signature Algorithm: sha256WithRSAEncryption
         c1:d4:3e:c6:0c:fd:99:fb:c1:c9:f7:67:95:bb:24:aa:d9:61:
         ce:fa:f2:53:d4:4f:1b:e9:99:f8:00:5b:6c:3f:69:9a:21:dd:
         a9:21:90:c7:50:bd:2a:4b:0f:0e:b2:82:05:c4:1b:66:1b:b1:
         11:4c:8c:9a:1a:fb:e0:b4:90:df:63:0f:0b:1e:51:0d:d1:fb:
         f1:5e:03:e3:f3:1c:97:b5:91:ce:4e:66:29:e4:ee:01:16:99:
         57:e6:9a:bc:44:a0:a5:f3:80:53:03:bc:62:54:b3:64:1b:6c:
         e7:ae:7a:ab:79:12:e3:8b:43:72:b2:1e:d0:ec:83:eb:aa:0c:
         a1:20:83:9f:24:ef:99:f3:a9:a2:1c:03:7f:71:c9:00:27:b7:
         6a:0d:fd:15:4c:e9:76:19:86:63:de:8a:fe:51:e3:76:9e:5f:
         87:53:f6:ab:c5:82:26:75:8c:fe:db:3b:1a:b0:ac:04:17:63:
         12:3e:ce:d5:e2:73:cc:67:47:2c:9c:d8:5f:b9:2d:43:05:12:
         8e:00:77:fe:e3:b2:7f:90:4a:b0:db:39:55:00:63:d0:b2:b8:
         4d:d5:e3:18:0c:7d:a0:8e:81:19:75:76:22:bf:0b:17:08:5c:
         dc:55:bc:70:c9:c1:b4:d9:a5:82:3c:9c:84:05:27:21:3f:96:
         98:5b:00:18
-----BEGIN X509 CRL-----
-----END X509 CRL-----
as shown, for
        Serial Number:
            22:b9:b1:31:ec:0d:ff:09:fe
the CRL carries the entry
    Serial Number: 22B9B131EC0DFF09FE
        Revocation Date: Apr 27 01:38:24 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
so the revocation can be confirmed, which is the situation.

To be sure, in Firefox's about:config the option
☑ Query OCSP responder servers to confirm the current validity of certificates
is properly checked, but could it be that the CRL hasn't been reflected in OCSP yet?
How do I check OCSP manually?

Since I've been using this Windows 10 install for a long time, I thought I might have some odd setting somewhere,
so I also tried from an Ubuntu 20.04.2 LTS Desktop ISO on VirtualBox, but it sails straight through there too.

One thing that bothers me:
this server is a bit old and is stuck at TLS 1.0, so it can't do TLS 1.2,
and I'm viewing it in Firefox with TLS 1.0/1.1 enabled.

Could there be a bug where the CRL check is skipped when TLS 1.0/1.1 is enabled?
That crossed my mind, but I confirmed the same symptom on a server that supports TLS 1.2. So that's not it.

Possibilities:
  • the CRL check for the intermediate certificate is being skipped
  • the CRL hasn't reached OCSP
  • the OCSP query isn't happening at all (it is failing)
Something along those lines?
The fact that this is a PROXY-required environment is also worrying, but what on earth is the cause!?

Checking OCSP with OpenSSL

SECOM's Security Communication RootCA2 certificate is available from the following.
$ wget https://repository.secomtrust.net/SC-Root2/SCRoot2ca.cer
$ openssl x509 -in SCRoot2ca.cer -inform DER > SCRoot2ca.cer.pem
$ openssl ocsp -issuer SCRoot2ca.cer.pem -url http://scrootca2.ocsp.secomtrust.net -serial 0x22b9b131ec0dff09fe -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: F20EF3E3718F19D130D9CC7A2DC303161CB29CD0
          Issuer Key Hash: 0A85A9776505987C4081F80F972C38F10AEC3CCF
          Serial Number: 22B9B131EC0DFF09FE
    Request Extensions:
        OCSP Nonce:
            0410978EFE3B5E4C1D208960234C9BF57624
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: CC6AF09C573F367A3A9CF97DBC4215F4A59C4546
    Produced At: May  7 08:17:24 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: F20EF3E3718F19D130D9CC7A2DC303161CB29CD0
      Issuer Key Hash: 0A85A9776505987C4081F80F972C38F10AEC3CCF
      Serial Number: 22B9B131EC0DFF09FE
    Cert Status: revoked
    Revocation Time: Apr 27 01:38:24 2021 GMT
    Revocation Reason: cessationOfOperation (0x5)
    This Update: Apr 27 02:08:06 2021 GMT
    Next Update: Jul 26 05:49:38 2021 GMT

    Response Extensions:
        OCSP Nonce:
            0410978EFE3B5E4C1D208960234C9BF57624
    Signature Algorithm: sha1WithRSAEncryption
         90:55:5e:f0:bf:10:ad:d8:ba:62:aa:92:67:c9:78:0d:3e:d5:
         0d:09:1e:3c:3b:9a:1c:ed:ed:56:01:4c:e8:07:a0:6b:89:c4:
         66:0e:4c:5d:41:ea:85:9c:1c:62:7c:fa:f3:0c:16:2e:b8:d3:
         55:70:45:2b:80:9c:b5:4b:8a:0d:b8:30:73:91:d8:f1:42:56:
         ac:87:53:35:9a:eb:c5:aa:6c:22:36:21:44:47:38:c3:eb:58:
         30:35:a2:cd:bc:bd:e4:41:d1:44:3e:2e:81:01:51:a3:c5:38:
         5e:42:a3:a3:97:04:eb:4e:4c:b3:1a:42:0a:a6:93:38:7d:05:
         ee:3c:d1:ae:f2:09:92:60:37:86:e2:48:39:3f:7e:a7:0c:6b:
         b5:7b:4b:20:4f:e7:96:aa:82:63:7b:94:c5:05:bb:03:b4:e9:
         b9:9c:92:2f:a7:47:c0:12:fa:16:ea:37:6c:3e:a7:cb:4f:df:
         5b:4e:cf:69:9b:53:3b:32:ea:06:04:88:14:9a:52:a1:1f:95:
         0c:d3:79:24:2f:12:e2:ff:bf:e3:b4:e3:26:03:1a:14:70:5e:
         d1:b1:ff:10:8a:1c:d2:bd:58:e3:89:86:ea:12:98:b6:bd:2d:
         33:1e:30:34:ea:2f:92:9e:43:8f:2a:42:5d:e1:ed:6f:3d:6d:
         13:4d:9f:97
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            22:b9:b1:87:33:6b:46:e0:97
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2
        Validity
            Not Before: Mar 24 05:49:38 2021 GMT
            Not After : Jul 26 05:49:38 2021 GMT
        Subject: C=JP, O=SECOM Trust Systems CO.,LTD., CN=Security Communication RootCA2 OCSP Responder
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a1:a7:7e:d7:af:a6:e5:7d:af:5c:be:9a:26:77:
                    f3:d4:98:18:0f:ef:72:79:f0:54:be:52:98:00:ab:
                    53:c8:b3:5f:f0:ff:f5:46:4e:4f:c8:fe:ab:c5:12:
                    47:1c:c7:d3:70:45:3f:fb:56:29:41:d1:cb:db:21:
                    78:5d:24:38:d2:32:65:30:65:2b:99:06:fa:b6:16:
                    07:a9:70:6f:a3:3a:8b:9a:c9:cc:13:9c:9f:01:14:
                    de:e9:1d:ff:2f:ef:c0:2a:2d:f7:df:51:ec:90:9e:
                    95:4b:53:d6:21:e0:54:d5:c9:df:b7:57:bb:a5:90:
                    50:88:02:dc:6a:55:62:f7:19:8d:2e:54:c7:0a:c6:
                    de:dc:7d:f7:d5:7b:f1:4f:85:6c:30:94:d5:e9:62:
                    fb:e2:a3:18:92:eb:c8:89:0e:e6:b3:41:40:95:56:
                    ba:48:14:8a:42:7f:aa:a9:4b:fc:5d:d7:30:bc:2c:
                    f8:f7:e4:07:9c:83:4c:2c:c1:17:33:b7:24:c5:ef:
                    3f:a1:b3:ec:bd:fa:ba:8e:be:3b:d9:68:04:1e:87:
                    42:16:55:19:bb:eb:06:69:2d:98:49:25:86:25:22:
                    63:b4:81:86:30:58:fd:8d:89:bd:0c:71:d3:23:00:
                    56:6d:07:be:ac:69:36:28:11:ae:b3:25:e3:ce:12:
                    da:c3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                OCSP Signing
            X509v3 Certificate Policies:
                Policy: 1.2.392.200091.100.901.4
                  CPS: https://repository.secomtrust.net/SC-Root2/

            OCSP No Check:

            X509v3 Authority Key Identifier:
                keyid:0A:85:A9:77:65:05:98:7C:40:81:F8:0F:97:2C:38:F1:0A:EC:3C:CF

            X509v3 Subject Key Identifier:
                CC:6A:F0:9C:57:3F:36:7A:3A:9C:F9:7D:BC:42:15:F4:A5:9C:45:46
    Signature Algorithm: sha256WithRSAEncryption
         55:4c:4e:c7:8b:64:38:4d:89:8a:63:1e:f8:57:b5:00:fa:ce:
         ed:73:df:90:f7:39:b2:ce:a4:d5:c9:e6:60:05:e6:85:ba:ce:
         94:89:ae:d5:01:67:72:4b:de:27:37:c1:3d:7a:99:6f:aa:48:
         17:7d:32:46:21:8c:a4:65:97:ae:a4:0b:50:11:d0:45:3e:a6:
         8c:dd:43:a7:4d:81:12:56:15:5c:16:16:93:b0:6e:48:91:d3:
         eb:38:3a:89:1a:70:9b:c3:23:f0:fa:c4:b4:06:71:3f:22:4b:
         0d:2b:ac:36:7a:1d:97:b1:b7:93:16:34:21:97:39:46:14:3f:
         54:a6:98:b0:d0:c5:07:25:c2:29:13:8c:0a:25:c3:9e:bd:63:
         5d:d5:60:cf:1e:8a:b4:62:64:73:5f:22:06:cb:cf:7f:8f:a1:
         a5:9c:1d:ce:f0:f4:9a:5e:b5:b9:30:91:a9:a4:6a:d1:8e:ef:
         b0:af:f0:57:8f:1d:8f:ac:3c:ea:dc:de:f9:e4:92:bd:0c:e2:
         0b:9c:60:98:96:0a:d4:ce:98:bf:7d:90:9c:44:1e:ac:eb:db:
         9f:cf:f7:fb:e0:1c:55:ba:b9:e0:dd:95:a5:47:d1:94:59:8e:
         ed:ee:00:59:29:da:f3:bb:6c:23:fb:b2:a7:e2:3c:6c:44:08:
         6b:2b:ab:90
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Response verify OK
0x22b9b131ec0dff09fe: revoked
        This Update: Apr 27 02:08:06 2021 GMT
        Next Update: Jul 26 05:49:38 2021 GMT
        Reason: cessationOfOperation
        Revocation Time: Apr 27 01:38:24 2021 GMT
The intermediate certificate is properly revoked in OCSP.
Is Firefox forgetting to check revocation of the intermediate certificate???

Ah, but against office.com
$ openssl s_client -connect www.office.com:https -status
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = portal.office.com
verify return:1
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: DD51D0A23173A973AE8FB4017E5D8C57CB9FF0F7
    Produced At: May  2 01:36:37 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 48B6A9E21293B3C020B12ACE4E73649A3C67DC9B
      Issuer Key Hash: DD51D0A23173A973AE8FB4017E5D8C57CB9FF0F7
      Serial Number: 0D486A2CD4B144AB2CD103C09BD97DD4
    Cert Status: good
    This Update: May  2 01:21:01 2021 GMT
    Next Update: May  9 00:36:01 2021 GMT

    Signature Algorithm: sha256WithRSAEncryption
         a2:40:1e:24:82:d3:c0:01:f9:12:a9:0e:66:79:ab:a6:6e:8b:
         f1:3e:0f:fa:e5:61:f2:8d:23:0c:c4:ab:e7:58:d5:30:ea:8f:
         a3:23:62:99:27:64:21:d0:67:6b:3a:44:e7:fe:71:7c:54:ef:
         c1:00:c1:ae:31:34:36:ee:5a:77:15:21:aa:2f:26:ee:a9:db:
         65:f1:ec:a0:de:f5:c8:8c:1f:ca:69:82:d7:23:6d:0a:19:7a:
         ec:76:f6:7c:cf:df:9f:5d:04:a9:8e:d5:8b:ac:f5:53:61:7f:
         c9:f3:5c:a7:71:08:4c:3c:c6:7e:17:04:2a:b8:74:ee:51:90:
         7b:25:f8:bb:0d:d8:cb:5a:99:7e:e9:ea:dc:16:50:d7:ae:5a:
         e8:68:3b:bf:bd:96:ed:bd:51:36:2f:a0:e2:32:53:2b:74:4b:
         9d:a4:bb:1d:09:37:d7:cc:9f:55:a1:71:9b:dc:aa:88:23:a3:
         92:e2:66:af:99:82:eb:6f:4a:b7:c6:ea:d4:72:29:b0:09:31:
         ec:94:29:01:80:57:2f:01:4c:9f:2f:46:7c:fa:45:05:df:e8:
         e6:a4:66:df:98:b4:9c:e6:81:51:99:3c:1b:0f:66:bc:61:29:
         c8:64:f6:ee:19:1d:42:af:9a:18:c7:9d:46:5b:9c:ad:da:7e:
         0b:f5:ac:d3
======================================
---
Certificate chain
 0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = portal.office.com
   i:C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
 1 s:C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = portal.office.com

issuer=C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4614 bytes and written 473 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2A2525C748FFD2562ECF8D905F2A5A72E1F8158DE8CF1043A2A872C69749D8E6
    Session-ID-ctx:
    Master-Key: 322BAE003621CFCF503C3F789F7C82F9A66E90663E7084382F954B179D7BCA8785707D97FAFA384FEE40A60555796B4C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 36000 (seconds)
    TLS session ticket:
    0000 - 00 00 00 00 d6 01 45 17-22 ed 28 40 bd a5 3e 93   ......E.".(@..>.
    0010 - 4c 90 8b b8 db 75 54 06-27 3b 18 78 9b 94 c2 37   L....uT.';.x...7
    0020 - 8c 10 72 35 1a 0d c3 32-5d 44 d7 e9 7d 3f df 17   ..r5...2]D..}?..
    0030 - be 58 84 2b 5a 69 29 ee-89 6c ab e1 23 7b ae 96   .X.+Zi)..l..#{..
    0040 - 3d 14 7b ce 0b 52 fb b9-0b 50 84 1a 0f a3 2e d1   =.{..R...P......
    0050 - 11 e4 d2 3a e7 01 43 03-aa 23 f8 90 d3 95 b8 ab   ...:..C..#......
    0060 - 3e b2 f7 4e c5 2c 72 fb-1b 63 2a 70 c5 87 9e e0   >..N.,r..c*p....
    0070 - ef af cb ef ab 8e 9f f4-18 a0 8f 33 25 6d d4 d7   ...........3%m..
    0080 - 2e 33 4a f9 59 7f ba 4c-10 5c 19 c2 ae 22 64 20   .3J.Y..L.\..."d
    0090 - 6d 75 ed 76 9f 62 3c e1-3c 6f 89 05 e4 2c 8b c3   mu.v.b<.<o...,..
    00a0 - b9 d0 a9 c7 73 5f 45 75-82 b9 04 1e 1c 66 c6 81   ....s_Eu.....f..
    00b0 - d9 ab fa 6e ac 58 ee 3a-c5 ed da 2f d9 28 18 c3   ...n.X.:.../.(..
    00c0 - 27 c1 80 fb 6f bc 78 1b-29 0b 31 ca 7a c9 e2 8c   '...o.x.).1.z...
    00d0 - fc 0f f7 db 0b 67 87 65-fc d8 e2 da 60 d1 19 81   .....g.e....`...
    00e0 - 50 08 d9 0a cc 3d 95 ae-12 43 77 6a 44 cb a4 29   P....=...CwjD..)
    00f0 - ce 57 b4 c2 df 1d 3e f7-fe c0 6c 2b c0 33 20 a5   .W....>...l+.3 .
    0100 - 89 3a de 3d                                       .:.=

    Start Time: 1620376540
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
an OCSP response comes back like that, whereas against the server in question
$ LD_LIBRARY_PATH=~/local/oldopenssl/usr/lib/x86_64-linux-gnu/ openssl s_client -connect www.**************************.jp:https -status
CONNECTED(00000005)
depth=2 C = JP, O = "SECOM Trust Systems CO.,LTD.", OU = Security Communication RootCA2
verify return:1
depth=1 C = JP, O = National Institute of Informatics, CN = NII Open Domain CA - G5
verify return:1
depth=0 C = JP, ST = *********, O = ********************, OU = ********************************************, CN = www.**************************.jp
verify return:1
OCSP response: no response sent
---
Certificate chain
...
no OCSP response comes back, like this, so could it actually be a problem in the OCSP implementation, where it can't fetch properly from http://scrootca2.ocsp.secomtrust.net?

Also, it bothers me that -crl_download -crl_check can't fetch the CRL either.
$ LD_LIBRARY_PATH=~/local/oldopenssl/usr/lib/x86_64-linux-gnu/ openssl s_client -connect www.**************************.jp:https -status -crl_download -crl_check
CONNECTED(00000005)
Error loading CRL from http://repo1.secomtrust.net/sppca/nii/odca3/fullcrlg5.crl
depth=0 C = JP, ST = *********, O = ********************, OU = ********************************************, CN = www.**************************.jp
verify error:num=3:unable to get certificate CRL
verify return:1
depth=2 C = JP, O = "SECOM Trust Systems CO.,LTD.", OU = Security Communication RootCA2
verify return:1
depth=1 C = JP, O = National Institute of Informatics, CN = NII Open Domain CA - G5
verify return:1
depth=0 C = JP, ST = *********, O = ********************, OU = ********************************************, CN = www.**************************.jp
verify return:1
OCSP response: no response sent
---
Certificate chain
...
Why?

This is with OpenSSL, in an environment that doesn't need a PROXY, so it looks like the PROXY isn't involved?
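Since `openssl s_client -status` only reports an OCSP response that the server itself staples into the handshake, the shell example below (added here, not from the original page) checks the chain locally instead: it builds a constructed throw-away PKI whose intermediate is revoked in the root's CRL and compares `openssl verify` with no CRL check, with the leaf-only `-crl_check`, and with `-crl_check_all`. It assumes an `openssl` 1.1.1 or newer binary on PATH; everything except the intermediate's serial, which is taken from the page, is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: build a throw-away PKI whose
# intermediate CA is revoked in the root's CRL, then compare what `openssl
# verify` reports with no CRL check, a leaf-only CRL check (-crl_check) and a
# full-chain CRL check (-crl_check_all). Assumes an `openssl` 1.1.1+ binary on
# PATH; every name and value below except the serial is constructed.
set -e

# Serial of the page's revoked NII intermediate, reused so the CRL entry reads
# the same way as in the page's `openssl crl -text` output.
INTER_SERIAL=0x22b9b131ec0dff09fe
WORK=$(mktemp -d)

build_pki() {
  [ -f "$WORK/all.crl" ] && return 0          # already built
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr \
      -subj "/O=Example/CN=Example $n" 2>/dev/null
  done
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.pem 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -days 30 \
    -set_serial "$INTER_SERIAL" -extfile ca.ext -out inter.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -days 30 \
    -set_serial 1 -out leaf.pem 2>/dev/null
  # Minimal `openssl ca` config, one section per issuer, used only for CRLs.
  for n in root inter; do
    : > $n.idx
    printf '[%s]\ndatabase=%s.idx\ncertificate=%s.pem\nprivate_key=%s.key\n' \
      "$n" "$n" "$n" "$n" >> ca.cnf
    printf 'crlnumber=crlnum\ndefault_md=sha256\ndefault_crl_days=7\n' >> ca.cnf
  done
  echo 1000 > crlnum
  # The root revokes the intermediate with the same reason code as on the page;
  # the intermediate's own CRL stays empty, so the leaf itself is never revoked.
  openssl ca -config ca.cnf -name root -revoke inter.pem \
    -crl_reason cessationOfOperation >/dev/null 2>&1
  openssl ca -config ca.cnf -name root -gencrl -out root.crl 2>/dev/null
  openssl ca -config ca.cnf -name inter -gencrl -out inter.crl 2>/dev/null
  cat root.crl inter.crl > all.crl
  cd - >/dev/null
}

# Same lookup the page does by hand: is the intermediate's serial in the root CRL?
crl_lists_inter() {
  openssl crl -in "$WORK/root.crl" -noout -text | grep -qi "Serial Number: ${INTER_SERIAL#0x}"
}

# Verify the leaf through the intermediate with extra flags "$@"; prints "OK" or
# the verifier's revocation-related error text.
verify_leaf() {
  if out=$(openssl verify "$@" -CAfile "$WORK/root.pem" \
             -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" 2>&1); then
    echo OK
  else
    echo "$out" | grep -oE 'certificate revoked|unable to get certificate CRL' | head -n1
  fi
}

build_pki
echo "root CRL lists intermediate : $(crl_lists_inter && echo yes || echo no)"
echo "no CRL check                : $(verify_leaf)"
echo "-crl_check (leaf only)      : $(verify_leaf -crl_check -CRLfile "$WORK/all.crl")"
echo "-crl_check_all (whole chain): $(verify_leaf -crl_check_all -CRLfile "$WORK/all.crl")"
```

The leaf-only `-crl_check` passes even though the intermediate is listed in the root's CRL; only `-crl_check_all` walks the whole chain and reports the revocation, which is the kind of gap the first hypothesis above describes.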
