verifying certificates on different ports produces different results

Question

verifying certificates on different ports produces different results

Closed this issue 6 years ago · 7 comments

Perhaps I am misunderstanding how this is supposed to work but when I use the tls-debug tools like this:

stack exec tls-retrievecertificate -- borker.drbonez.dev 443 --verify

I get a result that verifies properly:

connecting to borker.drbonez.dev on port 443 ...
serial:   351004223923812174096793521756906648378777
issuer:   DistinguishedName {getDistinguishedElements = [([2,5,4,6],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "US"}),([2,5,4,10],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "Let's Encrypt"}),([2,5,4,3],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "Let's Encrypt Authority X3"})]}
subject:  DistinguishedName {getDistinguishedElements = [([2,5,4,3],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "borker.drbonez.dev"})]}
validity: DateTime {dtDate = Date {dateYear = 2019, dateMonth = June, dateDay = 11}, dtTime = TimeOfDay {todHour = 15h, todMin = 51m, todSec = 18s, todNSec = 0ns}} to DateTime {dtDate = Date {dateYear = 2019, dateMonth = September, dateDay = 9}, dtTime = TimeOfDay {todHour = 15h, todMin = 51m, todSec = 18s, todNSec = 0ns}}
### certificate chain trust

However when I connect on a different port:

stack exec tls-retrievecertificate -- borker.drbonez.dev 4422 --verify

I get a complaint about unknown ca's

connecting to borker.drbonez.dev on port 4422 ...
serial:   351004223923812174096793521756906648378777
issuer:   DistinguishedName {getDistinguishedElements = [([2,5,4,6],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "US"}),([2,5,4,10],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "Let's Encrypt"}),([2,5,4,3],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "Let's Encrypt Authority X3"})]}
subject:  DistinguishedName {getDistinguishedElements = [([2,5,4,3],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "borker.drbonez.dev"})]}
validity: DateTime {dtDate = Date {dateYear = 2019, dateMonth = June, dateDay = 11}, dtTime = TimeOfDay {todHour = 15h, todMin = 51m, todSec = 18s, todNSec = 0ns}} to DateTime {dtDate = Date {dateYear = 2019, dateMonth = September, dateDay = 9}, dtTime = TimeOfDay {todHour = 15h, todMin = 51m, todSec = 18s, todNSec = 0ns}}
### certificate chain trust
fail validation:
[UnknownCA]

What baffles me is that everything about those responses seems identical except that in one case it doesn't know the CA and in the other it does. Aren't the CA's the same? Is this a bug?

Answer 1 · 2019-06-19T05:55:14.000Z

Can you add --chain ? Maybe intermediate CAs are missing on the second port.

Answer 2 · 2019-06-19T17:16:48.000Z

This time they show up differently. Still not clear why

443:

###### Certificate 1 ######
serial:   351004223923812174096793521756906648378777
issuer:   DistinguishedName {getDistinguishedElements = [([2,5,4,6],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "US"}),([2,5,4,10],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "Let's Encrypt"}),([2,5,4,3],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "Let's Encrypt Authority X3"})]}
subject:  DistinguishedName {getDistinguishedElements = [([2,5,4,3],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "borker.drbonez.dev"})]}
validity: DateTime {dtDate = Date {dateYear = 2019, dateMonth = June, dateDay = 11}, dtTime = TimeOfDay {todHour = 15h, todMin = 51m, todSec = 18s, todNSec = 0ns}} to DateTime {dtDate = Date {dateYear = 2019, dateMonth = September, dateDay = 9}, dtTime = TimeOfDay {todHour = 15h, todMin = 51m, todSec = 18s, todNSec = 0ns}}
###### Certificate 2 ######
serial:   13298795840390663119752826058995181320
issuer:   DistinguishedName {getDistinguishedElements = [([2,5,4,10],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "Digital Signature Trust Co."}),([2,5,4,3],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "DST Root CA X3"})]}
subject:  DistinguishedName {getDistinguishedElements = [([2,5,4,6],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "US"}),([2,5,4,10],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "Let's Encrypt"}),([2,5,4,3],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "Let's Encrypt Authority X3"})]}
validity: DateTime {dtDate = Date {dateYear = 2016, dateMonth = March, dateDay = 17}, dtTime = TimeOfDay {todHour = 16h, todMin = 40m, todSec = 46s, todNSec = 0ns}} to DateTime {dtDate = Date {dateYear = 2021, dateMonth = March, dateDay = 17}, dtTime = TimeOfDay {todHour = 16h, todMin = 40m, todSec = 46s, todNSec = 0ns}}
### certificate chain trust

4422

###### Certificate 1 ######
serial:   351004223923812174096793521756906648378777
issuer:   DistinguishedName {getDistinguishedElements = [([2,5,4,6],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "US"}),([2,5,4,10],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "Let's Encrypt"}),([2,5,4,3],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "Let's Encrypt Authority X3"})]}
subject:  DistinguishedName {getDistinguishedElements = [([2,5,4,3],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "borker.drbonez.dev"})]}
validity: DateTime {dtDate = Date {dateYear = 2019, dateMonth = June, dateDay = 11}, dtTime = TimeOfDay {todHour = 15h, todMin = 51m, todSec = 18s, todNSec = 0ns}} to DateTime {dtDate = Date {dateYear = 2019, dateMonth = September, dateDay = 9}, dtTime = TimeOfDay {todHour = 15h, todMin = 51m, todSec = 18s, todNSec = 0ns}}
### certificate chain trust
fail validation:
[UnknownCA]

Answer 3 · 2019-06-19T17:18:23.000Z

Can you explain or point me to literature on what you mean by "Intermediate CAs are missing on the second port"? Are certificates bound in some way to a port? Because that would explain this.

Answer 4 · 2019-06-21T05:12:14.000Z

I tried with OpenSSL:

% echo | openssl s_client -connect borker.drbonez.dev:443 -showcerts 2>/dev/null | openssl x509 -noout -text

443 and 4422 return exactly the same certificate.

Answer 5 · 2019-06-22T06:45:30.000Z

Are certificates bound in some way to a port?

Presumably yes, but it all depends what server software this is and how it is configured. If there are 2 ports listening, I don't see why content served should be absolutely identical, including the certificate chain that is retrieved by the TLS client.

What you mean by "Intermediate CAs are missing on the second port"?

Validation of the certificate chain requires the client to have all certificates up until a trusted known entry like DST Root CA X3. Certificates for borker.drbonez.dev and the issuing authority Let's Encrypt Authority X3 must be returned by the server (and in that order).

Answer 6 · 2019-06-22T06:50:25.000Z

Adding openssl x509 -noout -text will display only the first certificate.

Answer 7 · 2019-06-22T20:19:12.000Z

I figured this out. The issue is that the https configuration of the service listening on port 4422 was not configured to show the entire cert chain but just the one at the leaf. This is a user-configuration error, and my misunderstanding of how this works. There is no bug.