SECOM's Security Communication RootCA2 certificate can be fetched from here:
$ wget https://repository.secomtrust.net/SC-Root2/SCRoot2ca.cer
$ openssl x509 -in SCRoot2ca.cer -inform DER > SCRoot2ca.cer.pem
$ openssl ocsp -issuer SCRoot2ca.cer.pem -url http://scrootca2.ocsp.secomtrust.net -serial 0x22b9b131ec0dff09fe -text
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: F20EF3E3718F19D130D9CC7A2DC303161CB29CD0
Issuer Key Hash: 0A85A9776505987C4081F80F972C38F10AEC3CCF
Serial Number: 22B9B131EC0DFF09FE
Request Extensions:
OCSP Nonce:
0410978EFE3B5E4C1D208960234C9BF57624
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: CC6AF09C573F367A3A9CF97DBC4215F4A59C4546
Produced At: May 7 08:17:24 2021 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: F20EF3E3718F19D130D9CC7A2DC303161CB29CD0
Issuer Key Hash: 0A85A9776505987C4081F80F972C38F10AEC3CCF
Serial Number: 22B9B131EC0DFF09FE
Cert Status: revoked
Revocation Time: Apr 27 01:38:24 2021 GMT
Revocation Reason: cessationOfOperation (0x5)
This Update: Apr 27 02:08:06 2021 GMT
Next Update: Jul 26 05:49:38 2021 GMT
Response Extensions:
OCSP Nonce:
0410978EFE3B5E4C1D208960234C9BF57624
Signature Algorithm: sha1WithRSAEncryption
90:55:5e:f0:bf:10:ad:d8:ba:62:aa:92:67:c9:78:0d:3e:d5:
0d:09:1e:3c:3b:9a:1c:ed:ed:56:01:4c:e8:07:a0:6b:89:c4:
66:0e:4c:5d:41:ea:85:9c:1c:62:7c:fa:f3:0c:16:2e:b8:d3:
55:70:45:2b:80:9c:b5:4b:8a:0d:b8:30:73:91:d8:f1:42:56:
ac:87:53:35:9a:eb:c5:aa:6c:22:36:21:44:47:38:c3:eb:58:
30:35:a2:cd:bc:bd:e4:41:d1:44:3e:2e:81:01:51:a3:c5:38:
5e:42:a3:a3:97:04:eb:4e:4c:b3:1a:42:0a:a6:93:38:7d:05:
ee:3c:d1:ae:f2:09:92:60:37:86:e2:48:39:3f:7e:a7:0c:6b:
b5:7b:4b:20:4f:e7:96:aa:82:63:7b:94:c5:05:bb:03:b4:e9:
b9:9c:92:2f:a7:47:c0:12:fa:16:ea:37:6c:3e:a7:cb:4f:df:
5b:4e:cf:69:9b:53:3b:32:ea:06:04:88:14:9a:52:a1:1f:95:
0c:d3:79:24:2f:12:e2:ff:bf:e3:b4:e3:26:03:1a:14:70:5e:
d1:b1:ff:10:8a:1c:d2:bd:58:e3:89:86:ea:12:98:b6:bd:2d:
33:1e:30:34:ea:2f:92:9e:43:8f:2a:42:5d:e1:ed:6f:3d:6d:
13:4d:9f:97
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
22:b9:b1:87:33:6b:46:e0:97
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2
Validity
Not Before: Mar 24 05:49:38 2021 GMT
Not After : Jul 26 05:49:38 2021 GMT
Subject: C=JP, O=SECOM Trust Systems CO.,LTD., CN=Security Communication RootCA2 OCSP Responder
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:a1:a7:7e:d7:af:a6:e5:7d:af:5c:be:9a:26:77:
f3:d4:98:18:0f:ef:72:79:f0:54:be:52:98:00:ab:
53:c8:b3:5f:f0:ff:f5:46:4e:4f:c8:fe:ab:c5:12:
47:1c:c7:d3:70:45:3f:fb:56:29:41:d1:cb:db:21:
78:5d:24:38:d2:32:65:30:65:2b:99:06:fa:b6:16:
07:a9:70:6f:a3:3a:8b:9a:c9:cc:13:9c:9f:01:14:
de:e9:1d:ff:2f:ef:c0:2a:2d:f7:df:51:ec:90:9e:
95:4b:53:d6:21:e0:54:d5:c9:df:b7:57:bb:a5:90:
50:88:02:dc:6a:55:62:f7:19:8d:2e:54:c7:0a:c6:
de:dc:7d:f7:d5:7b:f1:4f:85:6c:30:94:d5:e9:62:
fb:e2:a3:18:92:eb:c8:89:0e:e6:b3:41:40:95:56:
ba:48:14:8a:42:7f:aa:a9:4b:fc:5d:d7:30:bc:2c:
f8:f7:e4:07:9c:83:4c:2c:c1:17:33:b7:24:c5:ef:
3f:a1:b3:ec:bd:fa:ba:8e:be:3b:d9:68:04:1e:87:
42:16:55:19:bb:eb:06:69:2d:98:49:25:86:25:22:
63:b4:81:86:30:58:fd:8d:89:bd:0c:71:d3:23:00:
56:6d:07:be:ac:69:36:28:11:ae:b3:25:e3:ce:12:
da:c3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
OCSP Signing
X509v3 Certificate Policies:
Policy: 1.2.392.200091.100.901.4
CPS: https://repository.secomtrust.net/SC-Root2/
OCSP No Check:
X509v3 Authority Key Identifier:
keyid:0A:85:A9:77:65:05:98:7C:40:81:F8:0F:97:2C:38:F1:0A:EC:3C:CF
X509v3 Subject Key Identifier:
CC:6A:F0:9C:57:3F:36:7A:3A:9C:F9:7D:BC:42:15:F4:A5:9C:45:46
Signature Algorithm: sha256WithRSAEncryption
55:4c:4e:c7:8b:64:38:4d:89:8a:63:1e:f8:57:b5:00:fa:ce:
ed:73:df:90:f7:39:b2:ce:a4:d5:c9:e6:60:05:e6:85:ba:ce:
94:89:ae:d5:01:67:72:4b:de:27:37:c1:3d:7a:99:6f:aa:48:
17:7d:32:46:21:8c:a4:65:97:ae:a4:0b:50:11:d0:45:3e:a6:
8c:dd:43:a7:4d:81:12:56:15:5c:16:16:93:b0:6e:48:91:d3:
eb:38:3a:89:1a:70:9b:c3:23:f0:fa:c4:b4:06:71:3f:22:4b:
0d:2b:ac:36:7a:1d:97:b1:b7:93:16:34:21:97:39:46:14:3f:
54:a6:98:b0:d0:c5:07:25:c2:29:13:8c:0a:25:c3:9e:bd:63:
5d:d5:60:cf:1e:8a:b4:62:64:73:5f:22:06:cb:cf:7f:8f:a1:
a5:9c:1d:ce:f0:f4:9a:5e:b5:b9:30:91:a9:a4:6a:d1:8e:ef:
b0:af:f0:57:8f:1d:8f:ac:3c:ea:dc:de:f9:e4:92:bd:0c:e2:
0b:9c:60:98:96:0a:d4:ce:98:bf:7d:90:9c:44:1e:ac:eb:db:
9f:cf:f7:fb:e0:1c:55:ba:b9:e0:dd:95:a5:47:d1:94:59:8e:
ed:ee:00:59:29:da:f3:bb:6c:23:fb:b2:a7:e2:3c:6c:44:08:
6b:2b:ab:90
-----BEGIN CERTIFICATE-----
MIIEGjCCAwKgAwIBAgIJIrmxhzNrRuCXMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw
JQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTIwHhcNMjEwMzI0
MDU0OTM4WhcNMjEwNzI2MDU0OTM4WjBsMQswCQYDVQQGEwJKUDElMCMGA1UEChMc
U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjE2MDQGA1UEAxMtU2VjdXJpdHkg
Q29tbXVuaWNhdGlvbiBSb290Q0EyIE9DU1AgUmVzcG9uZGVyMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoad+16+m5X2vXL6aJnfz1JgYD+9yefBUvlKY
AKtTyLNf8P/1Rk5PyP6rxRJHHMfTcEU/+1YpQdHL2yF4XSQ40jJlMGUrmQb6thYH
qXBvozqLmsnME5yfARTe6R3/L+/AKi3331HskJ6VS1PWIeBU1cnft1e7pZBQiALc
alVi9xmNLlTHCsbe3H331XvxT4VsMJTV6WL74qMYkuvIiQ7ms0FAlVa6SBSKQn+q
qUv8XdcwvCz49+QHnINMLMEXM7ckxe8/obPsvfq6jr472WgEHodCFlUZu+sGaS2Y
SSWGJSJjtIGGMFj9jYm9DHHTIwBWbQe+rGk2KBGusyXjzhLawwIDAQABo4HNMIHK
MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDCTBSBgNVHSAESzBJ
MEcGCiqDCIybG2SHBQQwOTA3BggrBgEFBQcCARYraHR0cHM6Ly9yZXBvc2l0b3J5
LnNlY29tdHJ1c3QubmV0L1NDLVJvb3QyLzAPBgkrBgEFBQcwAQUEAgUAMB8GA1Ud
IwQYMBaAFAqFqXdlBZh8QIH4D5csOPEK7DzPMB0GA1UdDgQWBBTMavCcVz82ejqc
+X28QhX0pZxFRjANBgkqhkiG9w0BAQsFAAOCAQEAVUxOx4tkOE2JimMe+Fe1APrO
7XPfkPc5ss6k1cnmYAXmhbrOlImu1QFnckveJzfBPXqZb6pIF30yRiGMpGWXrqQL
UBHQRT6mjN1Dp02BElYVXBYWk7BuSJHT6zg6iRpwm8Mj8PrEtAZxPyJLDSusNnod
l7G3kxY0IZc5RhQ/VKaYsNDFByXCKROMCiXDnr1jXdVgzx6KtGJkc18iBsvPf4+h
pZwdzvD0ml61uTCRqaRq0Y7vsK/wV48dj6w86tze+eSSvQziC5xgmJYK1M6Yv32Q
nEQerOvbn8/3++AcVbq54N2VpUfRlFmO7e4AWSna87tsI/uyp+I8bEQIayurkA==
-----END CERTIFICATE-----
Response verify OK
0x22b9b131ec0dff09fe: revoked
This Update: Apr 27 02:08:06 2021 GMT
Next Update: Jul 26 05:49:38 2021 GMT
Reason: cessationOfOperation
Revocation Time: Apr 27 01:38:24 2021 GMT
The intermediate certificate really is revoked according to OCSP.
Is Firefox forgetting to check revocation of intermediate certificates???
Ah, but against office.com,
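To make explicit what the `openssl ocsp` invocation above actually sends, here is an added example (not part of the original post, and not SECOM's or OpenSSL's code) that reconstructs the request from data already on this page with only the Python standard library: it parses the OCSP responder certificate that `-text` printed, SHA-1s its DER issuer Name to reproduce the Issuer Name Hash, reads its SKI and AKI (the Responder Id and the Issuer Key Hash seen in the response), and DER-encodes a nonce-less OCSPRequest for the intermediate's serial. The serial and the two hash constants are copied from the output above; the one assumption, that the AKI keyIdentifier equals the Issuer Key Hash, holds here because the root's SKI was derived with the RFC 5280 SHA-1 method, and is flagged in the code.

```python
# Added example (not from the original post): rebuild the CertID that `openssl ocsp`
# sent above from data already on this page, using only the standard library.
import base64
import hashlib
# OCSP responder certificate, copied from the `openssl ocsp -text` output above.
RESPONDER_PEM = """-----BEGIN CERTIFICATE-----
MIIEGjCCAwKgAwIBAgIJIrmxhzNrRuCXMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw
JQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTIwHhcNMjEwMzI0
MDU0OTM4WhcNMjEwNzI2MDU0OTM4WjBsMQswCQYDVQQGEwJKUDElMCMGA1UEChMc
U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjE2MDQGA1UEAxMtU2VjdXJpdHkg
Q29tbXVuaWNhdGlvbiBSb290Q0EyIE9DU1AgUmVzcG9uZGVyMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoad+16+m5X2vXL6aJnfz1JgYD+9yefBUvlKY
AKtTyLNf8P/1Rk5PyP6rxRJHHMfTcEU/+1YpQdHL2yF4XSQ40jJlMGUrmQb6thYH
qXBvozqLmsnME5yfARTe6R3/L+/AKi3331HskJ6VS1PWIeBU1cnft1e7pZBQiALc
alVi9xmNLlTHCsbe3H331XvxT4VsMJTV6WL74qMYkuvIiQ7ms0FAlVa6SBSKQn+q
qUv8XdcwvCz49+QHnINMLMEXM7ckxe8/obPsvfq6jr472WgEHodCFlUZu+sGaS2Y
SSWGJSJjtIGGMFj9jYm9DHHTIwBWbQe+rGk2KBGusyXjzhLawwIDAQABo4HNMIHK
MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDCTBSBgNVHSAESzBJ
MEcGCiqDCIybG2SHBQQwOTA3BggrBgEFBQcCARYraHR0cHM6Ly9yZXBvc2l0b3J5
LnNlY29tdHJ1c3QubmV0L1NDLVJvb3QyLzAPBgkrBgEFBQcwAQUEAgUAMB8GA1Ud
IwQYMBaAFAqFqXdlBZh8QIH4D5csOPEK7DzPMB0GA1UdDgQWBBTMavCcVz82ejqc
+X28QhX0pZxFRjANBgkqhkiG9w0BAQsFAAOCAQEAVUxOx4tkOE2JimMe+Fe1APrO
7XPfkPc5ss6k1cnmYAXmhbrOlImu1QFnckveJzfBPXqZb6pIF30yRiGMpGWXrqQL
UBHQRT6mjN1Dp02BElYVXBYWk7BuSJHT6zg6iRpwm8Mj8PrEtAZxPyJLDSusNnod
l7G3kxY0IZc5RhQ/VKaYsNDFByXCKROMCiXDnr1jXdVgzx6KtGJkc18iBsvPf4+h
pZwdzvD0ml61uTCRqaRq0Y7vsK/wV48dj6w86tze+eSSvQziC5xgmJYK1M6Yv32Q
nEQerOvbn8/3++AcVbq54N2VpUfRlFmO7e4AWSna87tsI/uyp+I8bEQIayurkA==
-----END CERTIFICATE-----"""
# Values printed above for the revoked intermediate (the -serial argument and the hashes).
INTERMEDIATE_SERIAL = 0x22B9B131EC0DFF09FE
ISSUER_NAME_HASH = "F20EF3E3718F19D130D9CC7A2DC303161CB29CD0"
ISSUER_KEY_HASH = "0A85A9776505987C4081F80F972C38F10AEC3CCF"
OID_SHA1, OID_SKI, OID_AKI = b"\x2b\x0e\x03\x02\x1a", b"\x55\x1d\x0e", b"\x55\x1d\x23"

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))

def tlv(buf, off):
    tag, length, pos = buf[off], buf[off + 1], off + 2  # one DER TLV header at off
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length                       # (tag, value_start, value_end)

def children(buf, start, end):
    off = start                                         # walk the TLVs inside [start, end)
    while off < end:
        tag, vs, ve = tlv(buf, off)
        yield tag, vs, ve, off
        off = ve

def parse_cert(der):
    _, cs, _ = tlv(der, 0)                              # Certificate
    _, ts, te = tlv(der, cs)                            # tbsCertificate
    fields = list(children(der, ts, te))
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # drop explicit [0] version
    _, ss, se, _ = fields[0]                            # serialNumber
    _, _, ie, istart = fields[2]                        # issuer Name, whole TLV (sigalg is [1])
    exts = {}
    for tag, vs, ve, _ in fields:
        if tag == 0xA3:                                 # [3] extensions
            _, es, ee = tlv(der, vs)
            for _, xs, xe, _ in children(der, es, ee):
                parts = list(children(der, xs, xe))     # OID [, critical BOOLEAN], OCTET STRING
                exts[der[parts[0][1]:parts[0][2]]] = der[parts[-1][1]:parts[-1][2]]
    return {"serial": int.from_bytes(der[ss:se], "big", signed=True),
            "issuer_der": der[istart:ie], "extensions": exts}

def issuer_name_hash(der):
    """SHA-1 over the DER issuer Name: openssl's 'Issuer Name Hash'."""
    return hashlib.sha1(parse_cert(der)["issuer_der"]).hexdigest().upper()

def key_identifiers(der):
    # (SKI, AKI keyIdentifier) = (Responder Id, Issuer Key Hash). The second equality is an
    # assumption that holds here because SECOM's SKI is the RFC 5280 SHA-1 of the root's key.
    exts = parse_cert(der)["extensions"]
    _, s, e = tlv(exts[OID_SKI], 0)                     # OCTET STRING
    _, ks, _ = tlv(exts[OID_AKI], 0)                    # SEQUENCE
    _, k0, k1 = tlv(exts[OID_AKI], ks)                  # [0] keyIdentifier
    return exts[OID_SKI][s:e].hex().upper(), exts[OID_AKI][k0:k1].hex().upper()

def der(tag, content):
    n = len(content)                                    # minimal DER TLV encoder
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_integer(value):
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))  # sign bit stays 0

def cert_id(name_hash, key_hash, serial):
    """RFC 6960 CertID with sha1, which is openssl ocsp's default digest."""
    alg = der(0x30, der(0x06, OID_SHA1) + der(0x05, b""))
    return der(0x30, alg + der(0x04, name_hash) + der(0x04, key_hash) + der_integer(serial))

def ocsp_request(name_hash, key_hash, serial):
    # OCSPRequest > TBSRequest > requestList > Request > reqCert; no nonce extension
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id(name_hash, key_hash, serial)))))

if __name__ == "__main__":
    d = pem_to_der(RESPONDER_PEM)
    name_hash, (_, key_hash) = issuer_name_hash(d), key_identifiers(d)
    print(name_hash, key_hash, ocsp_request(bytes.fromhex(name_hash), bytes.fromhex(key_hash), INTERMEDIATE_SERIAL).hex())
```

Running it prints the two hashes (compare them with the Certificate ID above) followed by the request as hex; `xxd -r -p > req.der` then `openssl ocsp -reqin req.der -text` shows the same Certificate ID as above minus the nonce, and adding `-url http://scrootca2.ocsp.secomtrust.net` sends it. One caveat worth keeping in mind for the `s_client` experiments: `openssl s_client -status` only prints a response that the server staples for its own leaf certificate, so "OCSP response: no response sent" means the server did not staple, not that the responder was unreachable, and the intermediate's status still has to be asked for directly, as the `openssl ocsp -issuer ... -serial ...` command above does.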
$ openssl s_client -connect www.office.com:https -status
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = portal.office.com
verify return:1
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: DD51D0A23173A973AE8FB4017E5D8C57CB9FF0F7
Produced At: May 2 01:36:37 2021 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 48B6A9E21293B3C020B12ACE4E73649A3C67DC9B
Issuer Key Hash: DD51D0A23173A973AE8FB4017E5D8C57CB9FF0F7
Serial Number: 0D486A2CD4B144AB2CD103C09BD97DD4
Cert Status: good
This Update: May 2 01:21:01 2021 GMT
Next Update: May 9 00:36:01 2021 GMT
Signature Algorithm: sha256WithRSAEncryption
a2:40:1e:24:82:d3:c0:01:f9:12:a9:0e:66:79:ab:a6:6e:8b:
f1:3e:0f:fa:e5:61:f2:8d:23:0c:c4:ab:e7:58:d5:30:ea:8f:
a3:23:62:99:27:64:21:d0:67:6b:3a:44:e7:fe:71:7c:54:ef:
c1:00:c1:ae:31:34:36:ee:5a:77:15:21:aa:2f:26:ee:a9:db:
65:f1:ec:a0:de:f5:c8:8c:1f:ca:69:82:d7:23:6d:0a:19:7a:
ec:76:f6:7c:cf:df:9f:5d:04:a9:8e:d5:8b:ac:f5:53:61:7f:
c9:f3:5c:a7:71:08:4c:3c:c6:7e:17:04:2a:b8:74:ee:51:90:
7b:25:f8:bb:0d:d8:cb:5a:99:7e:e9:ea:dc:16:50:d7:ae:5a:
e8:68:3b:bf:bd:96:ed:bd:51:36:2f:a0:e2:32:53:2b:74:4b:
9d:a4:bb:1d:09:37:d7:cc:9f:55:a1:71:9b:dc:aa:88:23:a3:
92:e2:66:af:99:82:eb:6f:4a:b7:c6:ea:d4:72:29:b0:09:31:
ec:94:29:01:80:57:2f:01:4c:9f:2f:46:7c:fa:45:05:df:e8:
e6:a4:66:df:98:b4:9c:e6:81:51:99:3c:1b:0f:66:bc:61:29:
c8:64:f6:ee:19:1d:42:af:9a:18:c7:9d:46:5b:9c:ad:da:7e:
0b:f5:ac:d3
======================================
---
Certificate chain
0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = portal.office.com
i:C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
1 s:C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIIEzCCBvugAwIBAgIQDUhqLNSxRKss0QPAm9l91DANBgkqhkiG9w0BAQsFADBL
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSUwIwYDVQQDExxE
aWdpQ2VydCBDbG91ZCBTZXJ2aWNlcyBDQS0xMB4XDTIxMDMyNDAwMDAwMFoXDTIy
MDMyMzIzNTk1OVowcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
bjEaMBgGA1UEAxMRcG9ydGFsLm9mZmljZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC2zIwF2pj0PNL2yfMSXTkA66mS5U+ru29uL92gzbyLezJK
LrHD1vfBuwOWZwnZ/f4p70+Zsx8HpoLPS5UNgQXPlGFe0Xbz7ZeSjSCFPYi5mSsB
JaEs9YJHROxBKuc/WoMqrD9DeG1+jBq5PV+QKDkA83dgR3Vqbt4IWFsG+tYcKhYf
xFqD9ybkFh6wGFgeM6yQ34lodFSCkvgxx7b7kPmqDb16AjMtorBRPzTJxokfgEdP
YKbBsZYjzyEe+4dlnJo81RISrYzV8zcYLmHzWrYRnWgVSejP4wcMh2Hh+WgtdDWC
X9YtJivtZ153XfQMiwCqkcjOQ+WCLUBQYE0EtjC1AgMBAAGjggTMMIIEyDAfBgNV
HSMEGDAWgBTdUdCiMXOpc66PtAF+XYxXy5/w9zAdBgNVHQ4EFgQUzIliUyzdXGOJ
h96w0OiGfRCLeM0wggHxBgNVHREEggHoMIIB5IIRcG9ydGFsLm9mZmljZS5jb22C
GnBvcnRhbC5taWNyb3NvZnRvbmxpbmUuY29tgh1wb3J0YWxwcnYubWljcm9zb2Z0
b25saW5lLmNvbYIXbmN1cG9ydGFscHJ2Lm9mZmljZS5jb22CCm9mZmljZS5jb22C
FHBvcnRhbC5taWNyb3NvZnQuY29tgg9ob21lLm9mZmljZS5jb22CFXBvcnRhbC1z
ZGYub2ZmaWNlLmNvbYIPcHJvZC5tc29jZG4uY29tgg53d3cub2ZmaWNlLmNvbYIT
Ki5wb3J0YWwub2ZmaWNlLmNvbYIQKi53d3cub2ZmaWNlLmNvbYITYWRtaW4ubWlj
cm9zb2Z0LmNvbYIWYWRtaW4ubWljcm9zb2Z0MzY1LmNvbYIUd3d3Lm1pY3Jvc29m
dDM2NS5jb22CEm50cC53d3cub2ZmaWNlLmNvbYIQZmx1aWQub2ZmaWNlLmNvbYIQ
bWljcm9zb2Z0MzY1LmNvbYIPd29yZC5vZmZpY2UuY29tghBleGNlbC5vZmZpY2Uu
Y29tghVwb3dlcnBvaW50Lm9mZmljZS5jb22CEHZpc2lvLm9mZmljZS5jb22CD2Fw
cHMub2ZmaWNlLmNvbYIRc3RyZWFtLm9mZmljZS5jb20wDgYDVR0PAQH/BAQDAgWg
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBjQYDVR0fBIGFMIGCMD+g
PaA7hjlodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRDbG91ZFNlcnZp
Y2VzQ0EtMS1nMS5jcmwwP6A9oDuGOWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9E
aWdpQ2VydENsb3VkU2VydmljZXNDQS0xLWcxLmNybDA+BgNVHSAENzA1MDMGBmeB
DAECAjApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMw
fAYIKwYBBQUHAQEEcDBuMCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcHguZGlnaWNl
cnQuY29tMEUGCCsGAQUFBzAChjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20v
RGlnaUNlcnRDbG91ZFNlcnZpY2VzQ0EtMS5jcnQwDAYDVR0TAQH/BAIwADCCAQQG
CisGAQQB1nkCBAIEgfUEgfIA8AB1AEalVet1+pEgMLWiiWn0830RLEF0vv1JuIWr
8vxw/m1HAAABeGWEv4oAAAQDAEYwRAIgKefbuWTfsJtUVS9YBj2yb/9iOWZrGrjY
VBAIIsI7TuECIAK6f961j7dEbveljI/A6QmcPgoFlRi11Ws+qmwoncGTAHcAIkVF
B1lVJFaWP6Ev8fdthuAjJmOtwEt/XcaDXG7iDwIAAAF4ZYS/mQAABAMASDBGAiEA
2pHCVkkvWdaolS05t2P98uXcr7arYr61fgQvOkShMB4CIQD5Y/fOgxT5z1WCtxjR
i1WUwD02Sif8imenA0KgOaFrwDANBgkqhkiG9w0BAQsFAAOCAQEACddAInGH7mlB
vhYJ/92NHEpws4zkv0C6DV/9WSiqVee1FFzwIAUt5BOQPjkr88G761fu1I784ib0
Evs79QDeZAsJWVdii8cNxAm0C+1lzaEa90GszyGf690YHegi4gUVTk8fQc0cvzfy
XtRgGpdM5aoEjcXkEFd9uZx6tf3Q4YfuOlsAiFYDLeSJRFFB2w9cDUUL7yDbGjvF
nHZZwg0ACko5dz62ew/+gjJ3n9ZdYR7QX9E/teVRDAFu5YavaUE/fj89uqGWSc35
kvLAx7Lx61ud0RnnfaMWrhjrMVNum3P4hGVBmfO5gdsB10HQ5wvuHWnPS/uv8+ky
xHFwmQ374Q==
-----END CERTIFICATE-----
subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = portal.office.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4614 bytes and written 473 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 2A2525C748FFD2562ECF8D905F2A5A72E1F8158DE8CF1043A2A872C69749D8E6
Session-ID-ctx:
Master-Key: 322BAE003621CFCF503C3F789F7C82F9A66E90663E7084382F954B179D7BCA8785707D97FAFA384FEE40A60555796B4C
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 36000 (seconds)
TLS session ticket:
0000 - 00 00 00 00 d6 01 45 17-22 ed 28 40 bd a5 3e 93 ......E.".(@..>.
0010 - 4c 90 8b b8 db 75 54 06-27 3b 18 78 9b 94 c2 37 L....uT.';.x...7
0020 - 8c 10 72 35 1a 0d c3 32-5d 44 d7 e9 7d 3f df 17 ..r5...2]D..}?..
0030 - be 58 84 2b 5a 69 29 ee-89 6c ab e1 23 7b ae 96 .X.+Zi)..l..#{..
0040 - 3d 14 7b ce 0b 52 fb b9-0b 50 84 1a 0f a3 2e d1 =.{..R...P......
0050 - 11 e4 d2 3a e7 01 43 03-aa 23 f8 90 d3 95 b8 ab ...:..C..#......
0060 - 3e b2 f7 4e c5 2c 72 fb-1b 63 2a 70 c5 87 9e e0 >..N.,r..c*p....
0070 - ef af cb ef ab 8e 9f f4-18 a0 8f 33 25 6d d4 d7 ...........3%m..
0080 - 2e 33 4a f9 59 7f ba 4c-10 5c 19 c2 ae 22 64 20 .3J.Y..L.\..."d
0090 - 6d 75 ed 76 9f 62 3c e1-3c 6f 89 05 e4 2c 8b c3 mu.v.b<.<o...,..
00a0 - b9 d0 a9 c7 73 5f 45 75-82 b9 04 1e 1c 66 c6 81 ....s_Eu.....f..
00b0 - d9 ab fa 6e ac 58 ee 3a-c5 ed da 2f d9 28 18 c3 ...n.X.:.../.(..
00c0 - 27 c1 80 fb 6f bc 78 1b-29 0b 31 ca 7a c9 e2 8c '...o.x.).1.z...
00d0 - fc 0f f7 db 0b 67 87 65-fc d8 e2 da 60 d1 19 81 .....g.e....`...
00e0 - 50 08 d9 0a cc 3d 95 ae-12 43 77 6a 44 cb a4 29 P....=...CwjD..)
00f0 - ce 57 b4 c2 df 1d 3e f7-fe c0 6c 2b c0 33 20 a5 .W....>...l+.3 .
0100 - 89 3a de 3d .:.=
Start Time: 1620376540
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
an OCSP response does come back, like this, but with the server in question
$ LD_LIBRARY_PATH=~/local/oldopenssl/usr/lib/x86_64-linux-gnu/ openssl s_client -connect www.**************************.jp:https -status
CONNECTED(00000005)
depth=2 C = JP, O = "SECOM Trust Systems CO.,LTD.", OU = Security Communication RootCA2
verify return:1
depth=1 C = JP, O = National Institute of Informatics, CN = NII Open Domain CA - G5
verify return:1
depth=0 C = JP, ST = *********, O = ********************, OU = ********************************************, CN = www.**************************.jp
verify return:1
OCSP response: no response sent
---
Certificate chain
...
no OCSP response comes back at all, as shown, so maybe there is actually a problem in the OCSP implementation and it is failing to fetch from
http://scrootca2.ocsp.secomtrust.net?
Also, it bothers me that -crl_download -crl_check cannot fetch the CRL properly either.
$ LD_LIBRARY_PATH=~/local/oldopenssl/usr/lib/x86_64-linux-gnu/ openssl s_client -connect www.**************************.jp:https -status -crl_download -crl_check
CONNECTED(00000005)
Error loading CRL from http://repo1.secomtrust.net/sppca/nii/odca3/fullcrlg5.crl
depth=0 C = JP, ST = *********, O = ********************, OU = ********************************************, CN = www.**************************.jp
verify error:num=3:unable to get certificate CRL
verify return:1
depth=2 C = JP, O = "SECOM Trust Systems CO.,LTD.", OU = Security Communication RootCA2
verify return:1
depth=1 C = JP, O = National Institute of Informatics, CN = NII Open Domain CA - G5
verify return:1
depth=0 C = JP, ST = *********, O = ********************, OU = ********************************************, CN = www.**************************.jp
verify return:1
OCSP response: no response sent
---
Certificate chain
...
Why?
This is with OpenSSL, but it happens in an environment where no PROXY is needed, so it looks like the PROXY is not the issue?