jedisct1/libsodium

download.libsodium.org isn't compatible with GnuTLS

daira opened this issue · 6 comments

Unsuccessful connection using curl:

$ curl -v https://download.libsodium.org
* Host download.libsodium.org:443 was resolved.
* IPv6: (none)
* IPv4: 37.59.238.213
*   Trying 37.59.238.213:443...
* Connected to download.libsodium.org (37.59.238.213) port 443
* GnuTLS ciphers: NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0
* found 147 certificates in /etc/ssl/certs/ca-certificates.crt
* found 441 certificates in /etc/ssl/certs
* gnutls_handshake() failed: Illegal parameter
* closing connection #0
curl: (35) gnutls_handshake() failed: Illegal parameter

$ curl -V
curl 8.9.0 (x86_64-pc-linux-gnu) libcurl/8.9.0 GnuTLS/3.8.6 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.2 libssh2/1.11.0 nghttp2/1.62.1 ngtcp2/1.6.0 nghttp3/1.4.0 librtmp/2.3 OpenLDAP/2.5.18
Release-Date: 2024-07-24, security patched: 8.9.0-1
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

The same connection via GnuTLS, which curl is using as its backend by default:

gnutls-cli -V --priority="NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0" -p https download.libsodium.org
Processed 147 CA certificate(s).
Resolving 'download.libsodium.org:https'...
Connecting to '37.59.238.213:443'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [47]: Illegal parameter

Different parameters but showing that there is more than one problem (the server is returning a certificate for which GnuTLS gets a bogus OCSP response):

$ gnutls-cli -V --priority="SECURE256:-VERS-SSL3.0" -p https download.libsodium.org
Processed 147 CA certificate(s).
Resolving 'download.libsodium.org:https'...
Connecting to '37.59.238.213:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 03046ce184ba0cc77a9efd61a6f34a9aac58
	Issuer: CN=R10,O=Let's Encrypt,C=US
	Validity:
		Not Before: Sat Aug 03 00:34:02 UTC 2024
		Not After: Fri Nov 01 00:34:01 UTC 2024
	Subject: CN=libsodium.org
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: High (3072 bits)
		Modulus (bits 3072):
		Exponent (bits 24):
			01:00:01
	Extensions:
		Key Usage (critical):
			Digital signature.
			Key encipherment.
		Key Purpose (not critical):
			TLS WWW Server.
			TLS WWW Client.
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Key Identifier (not critical):
			3b42cf4817200c60a31c9c5c1c729e9e2eaf1603
		Authority Key Identifier (not critical):
			bbbcc347a5e4bca9c6c3a4720c108da235e1c8e8
		Authority Information Access (not critical):
			Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
			Access Location URI: http://r10.o.lencr.org
			Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
			Access Location URI: http://r10.i.lencr.org/
		Subject Alternative Name (not critical):
			DNSname: docs.libsodium.org
			DNSname: download.libsodium.org
			DNSname: libsodium.org
			DNSname: www.libsodium.org
		Certificate Policies (not critical):
			2.23.140.1.2.1 (CA/B Domain Validated)
		CT Precertificate SCTs (not critical):
			Signed Certificate Timestamp 1:
				Version: 1
				Log ID: 48b0e36bdaa647340fe56a02fa9d30eb1c5201cb56dd2c81d9bbbfab39d88473
				Time: Sat, Aug 03 01:32:32 UTC 2024
				Extensions: none
				Signature algorithm: ECDSA-SHA256
				Signature: 30460221008c75c1050c175705b95ed3de1e4116799840f8298ee1505093d2814ed04c8589022100efaab6ca3064153e9f489c9b6263da45126fa5e63ca52ad9be25f7586926833d
			Signed Certificate Timestamp 2:
				Version: 1
				Log ID: 3f174b4fd7224758941d651c84be0d12ed90377f1f856aebc1bf2885ecf8646e
				Time: Sat, Aug 03 01:32:32 UTC 2024
				Extensions: none
				Signature algorithm: ECDSA-SHA256
				Signature: 3045022100c813f4d3823d7f621dd236372cad39f564ccf27f147eed4f49d4c38f5635259b022047947996dc1972c20bf574ea38fcc9716cb0a7b7f67e66d30498a61d799853d8
	Signature Algorithm: RSA-SHA256
	Signature:
Other Information:
	Fingerprint:
		sha1:18a877b3af3e876d9ab6a6c1fca3af3f2437b5e3
		sha256:d582b06a16260568251e8b3717b08d388f169688697ed6a056684196074b8017
	Public Key ID:
		sha1:c0fcff3fe6fc7a8ecee9914034d3a774a4458a12
		sha256:b7a348f201106f6a0c1d07e7a61cf5bd49bb17f8436971f106a42327239e4d02
	Public Key PIN:
		pin-sha256:t6NI8gEQb2oMHQfnphz1vUm7F/hDaXHxBqQjJyOeTQI=



- Certificate[1] info:
 - X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 4ba85293f79a2fa273064ba8048d75d0
	Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
	Validity:
		Not Before: Wed Mar 13 00:00:00 UTC 2024
		Not After: Fri Mar 12 23:59:59 UTC 2027
	Subject: CN=R10,O=Let's Encrypt,C=US
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
		Exponent (bits 24):
			01:00:01
	Extensions:
		Key Usage (critical):
			Digital signature.
			Certificate signing.
			CRL signing.
		Key Purpose (not critical):
			TLS WWW Client.
			TLS WWW Server.
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
			Path Length Constraint: 0
		Subject Key Identifier (not critical):
			bbbcc347a5e4bca9c6c3a4720c108da235e1c8e8
		Authority Key Identifier (not critical):
			79b459e67bb6e5e40173800888c81a58f6e99b6e
		Authority Information Access (not critical):
			Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
			Access Location URI: http://x1.i.lencr.org/
		Certificate Policies (not critical):
			2.23.140.1.2.1 (CA/B Domain Validated)
		CRL Distribution points (not critical):
			URI: http://x1.c.lencr.org/
	Signature Algorithm: RSA-SHA256
	Signature:
Other Information:
	Fingerprint:
		sha1:00abefd055f9a9c784ffdeabd1dcdd8fed741436
		sha256:9d7c3f1aa6ad2b2ec0d5cf1e246f8d9ae6cbc9fd0755ad37bb974b1f2fb603f3
	Public Key ID:
		sha1:ab6299e9d0d0258521beed026c01c0c40f476fc9
		sha256:2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba
	Public Key PIN:
		pin-sha256:K7rZOrXHknnsEhUH8nLL4MZkejquUuIvOIr6tCa0rbo=



- Certificate[2] info:
 - X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 00d3b17226342332dcf40528512aec9c6a
	Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
	Validity:
		Not Before: Thu Oct 06 15:43:55 UTC 2016
		Not After: Wed Oct 06 15:43:55 UTC 2021
	Subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
		Exponent (bits 24):
			01:00:01
	Extensions:
		Key Usage (critical):
			Digital signature.
			Certificate signing.
			CRL signing.
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
			Path Length Constraint: 0
		Certificate Policies (not critical):
			2.23.140.1.2.1 (CA/B Domain Validated)
			1.3.6.1.4.1.44947.1.1.1
				URI: http://cps.root-x1.letsencrypt.org
		Subject Key Identifier (not critical):
			a84a6a63047dddbae6d139b7a64565eff3a8eca1
		CRL Distribution points (not critical):
			URI: http://crl.root-x1.letsencrypt.org
		Authority Information Access (not critical):
			Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
			Access Location URI: http://ocsp.root-x1.letsencrypt.org/
			Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
			Access Location URI: http://cert.root-x1.letsencrypt.org/
		Authority Key Identifier (not critical):
			79b459e67bb6e5e40173800888c81a58f6e99b6e
	Signature Algorithm: RSA-SHA256
	Signature:
Other Information:
	Fingerprint:
		sha1:1b23675354fcad90119d88075015ea17add527d8
		sha256:731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568
	Public Key ID:
		sha1:da9b52a8771169d31318a567e1dc9b1f44b5b35c
		sha256:60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
	Public Key PIN:
		pin-sha256:YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=



- Certificate[3] info:
 - X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 0a0141420000015385736a0b85eca708
	Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
	Validity:
		Not Before: Thu Mar 17 16:40:46 UTC 2016
		Not After: Wed Mar 17 16:40:46 UTC 2021
	Subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
			Path Length Constraint: 0
		Key Usage (critical):
			Digital signature.
			Certificate signing.
			CRL signing.
		Authority Information Access (not critical):
			Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
			Access Location URI: http://isrg.trustid.ocsp.identrust.com
			Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
			Access Location URI: http://apps.identrust.com/roots/dstrootcax3.p7c
		Authority Key Identifier (not critical):
			c4a7b1a47b2c71fadbe14b9075ffc41560858910
		Certificate Policies (not critical):
			2.23.140.1.2.1 (CA/B Domain Validated)
			1.3.6.1.4.1.44947.1.1.1
				URI: http://cps.root-x1.letsencrypt.org
		CRL Distribution points (not critical):
			URI: http://crl.identrust.com/DSTROOTCAX3CRL.crl
		Subject Key Identifier (not critical):
			a84a6a63047dddbae6d139b7a64565eff3a8eca1
	Signature Algorithm: RSA-SHA256
	Signature:
Other Information:
	Fingerprint:
		sha1:e6a3b45b062d509b3382282d196efe97d5956ccb
		sha256:25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
	Public Key ID:
		sha1:da9b52a8771169d31318a567e1dc9b1f44b5b35c
		sha256:60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
	Public Key PIN:
		pin-sha256:YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=



|<1>| Got OCSP response with an unrelated certificate.
- Status: The certificate is NOT trusted. The certificate chain uses insecure algorithm. The received OCSP status response is invalid. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

The minimum options that succeed:

$ gnutls-cli -V --priority="SECURE256:+SIGN-ALL" -p https download.libsodium.org
Processed 147 CA certificate(s).
Resolving 'download.libsodium.org:https'...
Connecting to '37.59.238.213:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 0372dd4965141f49bf8083ae4560f396e9a7
	Issuer: CN=E6,O=Let's Encrypt,C=US
	Validity:
		Not Before: Sat Aug 03 00:34:19 UTC 2024
		Not After: Fri Nov 01 00:34:18 UTC 2024
	Subject: CN=libsodium.org
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: High (256 bits)
		Curve:	SECP256R1
		X:
			00:a3:8a:0f:e4:b6:fd:8c:36:af:17:c7:2e:77:75:5e
			56:57:75:3a:ab:3b:15:b7:4a:bd:11:3a:b9:30:dc:89
			7b
		Y:
			7d:2b:0a:50:28:49:e5:32:b7:f9:58:2b:96:89:7a:bc
			b0:61:83:c7:9e:1b:86:83:a1:b6:94:f7:90:ad:c3:6e
	Extensions:
		Key Usage (critical):
			Digital signature.
		Key Purpose (not critical):
			TLS WWW Server.
			TLS WWW Client.
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Key Identifier (not critical):
			34019f39dc62ce765efc9a400cee9afc223b8001
		Authority Key Identifier (not critical):
			9327469803a951688e98d6c44248db23bf5894d2
		Authority Information Access (not critical):
			Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
			Access Location URI: http://e6.o.lencr.org
			Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
			Access Location URI: http://e6.i.lencr.org/
		Subject Alternative Name (not critical):
			DNSname: docs.libsodium.org
			DNSname: download.libsodium.org
			DNSname: libsodium.org
			DNSname: www.libsodium.org
		Certificate Policies (not critical):
			2.23.140.1.2.1 (CA/B Domain Validated)
		CT Precertificate SCTs (not critical):
			Signed Certificate Timestamp 1:
				Version: 1
				Log ID: 3f174b4fd7224758941d651c84be0d12ed90377f1f856aebc1bf2885ecf8646e
				Time: Sat, Aug 03 01:32:50 UTC 2024
				Extensions: none
				Signature algorithm: ECDSA-SHA256
				Signature: 3045022006f48b939cfb6ddbcb6ed1082c2ebe3aae5de242a408e1eb7c2d0529aa8a1376022100b6e6bb9fe812d14dc3495a9ce5fb366dbe3c6935768c2e3ffa8208d119068f66
			Signed Certificate Timestamp 2:
				Version: 1
				Log ID: dfe156ebaa05afb59c0f86718da8c0324eae56d96ea7f5a56a01d1c13bbe525c
				Time: Sat, Aug 03 01:32:50 UTC 2024
				Extensions: none
				Signature algorithm: ECDSA-SHA256
				Signature: 3044022051f27a2307d1710f4940ea3021dcb7c7113a1308744834da2e7378539b713ca302205227a8589ec822b055c359ae4d24f4873416e57811dbc1876844c86d72899481
	Signature Algorithm: ECDSA-SHA384
	Signature:
Other Information:
	Fingerprint:
		sha1:c2ff6a41857a84d07e24ec60871489a8d1ebbe5d
		sha256:f232b9bbfee8b5833b70bb0ae60947c1e57a8d0d67bee4e54bc337cc5e8880d2
	Public Key ID:
		sha1:7ab7b7406fd122b6de759159fb77beb996bd21c3
		sha256:5bb9d6dc3c1b7779166d796262ff1faa1a4e5ae22637a992d9b55ec6ff97cf4c
	Public Key PIN:
		pin-sha256:W7nW3Dwbd3kWbXliYv8fqhpOWuImN6mS2bVexv+Xz0w=



- Certificate[1] info:
 - X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 00b0573e9173972770dbb487cb3a452b38
	Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
	Validity:
		Not Before: Wed Mar 13 00:00:00 UTC 2024
		Not After: Fri Mar 12 23:59:59 UTC 2027
	Subject: CN=E6,O=Let's Encrypt,C=US
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: Ultra (384 bits)
		Curve:	SECP384R1
		X:
			00:d9:f1:9e:46:87:f8:21:71:60:a8:26:eb:a3:fa:b9
			ea:da:1d:b9:12:a7:d4:26:d9:51:14:b1:61:7c:75:96
			bf:22:0b:39:1f:d5:be:d1:0a:46:aa:2d:3c:4a:09:84
			2e
		Y:
			00:be:40:95:55:e9:19:40:37:66:75:ed:32:4e:77:04
			49:f8:70:7b:c3:18:e7:ce:f7:71:10:fe:ac:74:d8:00
			d4:ed:6d:1c:73:16:33:10:9c:3a:b2:ea:6c:62:f4:bd
			b8
	Extensions:
		Key Usage (critical):
			Digital signature.
			Certificate signing.
			CRL signing.
		Key Purpose (not critical):
			TLS WWW Client.
			TLS WWW Server.
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
			Path Length Constraint: 0
		Subject Key Identifier (not critical):
			9327469803a951688e98d6c44248db23bf5894d2
		Authority Key Identifier (not critical):
			79b459e67bb6e5e40173800888c81a58f6e99b6e
		Authority Information Access (not critical):
			Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
			Access Location URI: http://x1.i.lencr.org/
		Certificate Policies (not critical):
			2.23.140.1.2.1 (CA/B Domain Validated)
		CRL Distribution points (not critical):
			URI: http://x1.c.lencr.org/
	Signature Algorithm: RSA-SHA256
	Signature:
Other Information:
	Fingerprint:
		sha1:c94dc4831a901a9fec0fb49b71bd49b5aad4fad0
		sha256:76e9e288aafc0e37f4390cbf946aad997d5c1c901b3ce513d3d8fadbabe2ab85
	Public Key ID:
		sha1:236c5fb97244d6509d488c2e9b83e40ed9e48459
		sha256:d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
	Public Key PIN:
		pin-sha256:0Bbh/jEZSKymTy3kTOhsmlHKBB32EDu1KojrP3YfV9c=



- Status: The certificate is trusted. 
- Description: (TLS1.3-X.509)-(ECDHE-SECP384R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
- Session ID: 38:A7:D6:72:0B:3F:1F:A6:90:FE:00:21:93:46:5D:C9:31:8C:EF:34:76:42:DD:BD:6A:6D:3F:FF:71:FA:2E:D2
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP384R1
 - Curve size: 384 bits
- Version: TLS1.3
- Server Signature: ECDSA-SECP256R1-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Options: OCSP status request,
- Channel bindings
 - 'tls-unique': not available
 - 'tls-server-end-point': f581a660d72b8967c041f27b54a2f28ffb230a2058ff4d7389acd9da9463e7f2676e33e71a39afa0a95316d92e95f523
 - 'tls-exporter': 1488c4a834f529d414fae640e4a5d4fb5e09d1d670b2f6acc036e1bb0c92c9e3
- Handshake was completed
OCSP Response Information:
	Response Status: Successful
	Response Type: Basic OCSP Response
	Version: 1
	Responder ID: CN=E6,O=Let's Encrypt,C=US
	Produced At: Mon Aug 05 17:02:00 UTC 2024
	Responses:
		Certificate ID:
			Hash Algorithm: SHA1
			Issuer Name Hash: d47a388041e8e98d07387cecf6b6d8f20fa56431
			Issuer Key Hash: 0dc5ccfd9bee1405a14c3082a53e5e8ac35809d2
			Serial Number: 0372dd4965141f49bf8083ae4560f396e9a7
		Certificate Status: good
		This Update: Mon Aug 05 17:02:00 UTC 2024
		Next Update: Mon Aug 12 17:01:58 UTC 2024
	Extensions:
	Signature Algorithm: ECDSA-SHA384
	Signature:

- Simple Client Mode:

- Peer has closed the GnuTLS connection

GnuTLS version:

$ gnutls-cli --version
gnutls-cli 3.8.6
Copyright (C) 2000-2023 Free Software Foundation, and others
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>

Please send bug reports to:  <bugs@gnutls.org>

Note the OCSP response using SHA-1:

	Responses:
		Certificate ID:
			Hash Algorithm: SHA1
			Issuer Name Hash: d47a388041e8e98d07387cecf6b6d8f20fa56431
			Issuer Key Hash: 0dc5ccfd9bee1405a14c3082a53e5e8ac35809d2
			Serial Number: 0372dd4965141f49bf8083ae4560f396e9a7
		Certificate Status: good
		This Update: Mon Aug 05 17:02:00 UTC 2024
		Next Update: Mon Aug 12 17:01:58 UTC 2024

letsencrypt/boulder#5523 (comment) says that "the purpose of this hash is non-cryptographic", referring to RFC 5019, but I'm not sure what GnuTLS is enforcing here.

On the other hand, that may be old information. The current Mozilla Root Store Policy says:

Effective July 1, 2023, CAs SHALL NOT sign SHA-1 hashes over:

  • certificates with an EKU extension containing the id-kp-ocspSigning key purpose;
  • intermediate certificates that chain up to roots in Mozilla's program;
  • OCSP responses; or
  • CRLs.

This may well be a red herring. But I don't see any insecure algorithms in the certificate chains themselves.
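Added example (not from this issue or from libsodium): the CertID comparison that sits behind GnuTLS's "Got OCSP response with an unrelated certificate" message, computed the way RFC 6960 4.1.1 describes, using the Let's Encrypt Authority X3 intermediate that gnutls-cli printed above (Certificate[2]) as the issuer. The stapled CertID values and the RSA leaf's serial are the ones shown in the report; the response's serial is the ECDSA leaf's (0372dd...), while the RSA chain's leaf carries 03046c..., so a client that checks all four CertID components rejects the response for that chain.

```python
import base64
import hashlib

# "Let's Encrypt Authority X3" intermediate, copied from the gnutls-cli output
# in this report (Certificate[2]); it plays the issuer whose hashes a CertID carries.
X3_PEM = """-----BEGIN CERTIFICATE-----
MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
-----END CERTIFICATE-----"""

# From the report: the stapled response's CertID (it names the ECDSA leaf's
# serial) and the serial of the RSA leaf that was actually presented.
STAPLED_CERT_ID = {"hash_algorithm": "SHA1", "serial": 0x0372DD4965141F49BF8083AE4560F396E9A7,
                   "issuer_name_hash": "d47a388041e8e98d07387cecf6b6d8f20fa56431",
                   "issuer_key_hash": "0dc5ccfd9bee1405a14c3082a53e5e8ac35809d2"}
RSA_LEAF_SERIAL = 0x03046CE184BA0CC77A9EFD61A6F34A9AAC58

def pem_to_der(pem):
    lines = [l.strip() for l in pem.splitlines() if not l.strip().startswith("-----")]
    return base64.b64decode("".join(lines))

def der_tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = der_tlv(buf, pos)
        yield tag, vs, ve, pos
        pos = ve

def parse_cert(der):
    """Extract the fields an OCSP CertID is built from (RFC 6960 4.1.1)."""
    _, cert_vs, cert_ve = der_tlv(der, 0)                             # Certificate
    _, tbs_vs, tbs_ve, _ = next(der_children(der, cert_vs, cert_ve))  # tbsCertificate
    fields = list(der_children(der, tbs_vs, tbs_ve))
    i = 1 if fields[0][0] == 0xA0 else 0                              # skip [0] version if present
    serial = int.from_bytes(der[fields[i][1]:fields[i][2]], "big")
    # after the serial: signatureAlgorithm, issuer, validity, subject, subjectPublicKeyInfo
    _, _, subj_ve, subj_start = fields[i + 4]
    _, spki_vs, spki_ve, _ = fields[i + 5]
    _alg, (_, bits_vs, bits_ve, _) = list(der_children(der, spki_vs, spki_ve))
    return {"serial": serial,
            "subject_der": der[subj_start:subj_ve],    # whole Name TLV, hashed as issuerNameHash
            "public_key": der[bits_vs + 1:bits_ve]}    # BIT STRING value minus unused-bits octet

def cert_id_for(leaf_serial, issuer, hash_name="sha1"):
    """CertID a client expects for leaf_serial issued by `issuer` (SHA-1, as in the stapled response)."""
    digest = lambda data: hashlib.new(hash_name, data).hexdigest()
    return {"hash_algorithm": hash_name.upper(), "serial": leaf_serial,
            "issuer_name_hash": digest(issuer["subject_der"]),
            "issuer_key_hash": digest(issuer["public_key"])}

def cert_id_matches(stapled, expected):
    """All four components must agree before a response says anything about this leaf."""
    return all(stapled[key] == expected[key] for key in expected)

if __name__ == "__main__":
    x3 = parse_cert(pem_to_der(X3_PEM))
    expected = cert_id_for(RSA_LEAF_SERIAL, x3)
    print("expected CertID:", expected)
    print("stapled response is about this leaf:", cert_id_matches(STAPLED_CERT_ID, expected))
```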

I've never seen curl use GnuTLS. What operating system/distro is that? I guess Redhat/CentOS?

Stapling has been disabled. Can you try again?

Looks like the actual issue is that GnuTLS doesn't support secp384r1.

I installed GnuTLS and it indeed was failing to connect, until I removed ssl_ecdh_curve secp384r1.

Fixed by removing secp384r1.

Thanks!

What operating system/distro is that? I guess Redhat/CentOS?

Debian Trixie (13, currently testing).

$ which curl
/usr/bin/curl

$ curl --version
curl 8.9.0 (x86_64-pc-linux-gnu) libcurl/8.9.0 GnuTLS/3.8.6 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.2 libssh2/1.11.0 nghttp2/1.62.1 ngtcp2/1.6.0 nghttp3/1.4.0 librtmp/2.3 OpenLDAP/2.5.18

$ dpkg -S /usr/bin/curl
curl: /usr/bin/curl

$ dpkg -s curl
Package: curl
Status: install ok installed
Priority: optional
Section: web
Installed-Size: 575
Maintainer: Debian Curl Maintainers <team+curl@tracker.debian.org>
Architecture: amd64
Multi-Arch: foreign
Version: 8.9.0-1
Depends: libc6 (>= 2.34), libcurl3t64-gnutls (= 8.9.0-1), zlib1g (>= 1:1.1.4)
Description: command line tool for transferring data with URL syntax
 curl is a command line tool for transferring data with URL syntax, supporting
 DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3,
 POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.
 .
 curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form
 based upload, proxies, cookies, user+password authentication (Basic, Digest,
 NTLM, Negotiate, kerberos...), file transfer resume, proxy tunneling and a
 busload of other useful tricks.
Homepage: https://curl.se/

$ dpkg -s libcurl3t64-gnutls
Package: libcurl3t64-gnutls
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 1031
Maintainer: Debian Curl Maintainers <team+curl@tracker.debian.org>
Architecture: amd64
Multi-Arch: same
Source: curl
Version: 8.9.0-1
Replaces: libcurl3-gnutls
Provides: libcurl3-gnutls (= 8.9.0-1)
Depends: libbrotli1 (>= 0.6.0), libc6 (>= 2.36), libgnutls30t64 (>= 3.8.6), libgssapi-krb5-2 (>= 1.17), libidn2-0 (>= 2.0.0), libldap-2.5-0 (>= 2.5.4), libnettle8t64, libnghttp2-14 (>= 1.50.0), libnghttp3-9 (>= 0.15.0), libngtcp2-16 (>= 1.1.0), libngtcp2-crypto-gnutls8 (>= 1.1.0), libpsl5t64 (>= 0.16.0), librtmp1 (>= 2.3), libssh2-1t64 (>= 1.11.0), libzstd1 (>= 1.5.5), zlib1g (>= 1:1.1.4)
Recommends: ca-certificates
Breaks: libcurl3-gnutls (<< 8.9.0-1)
Description: easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl is an easy-to-use client-side URL transfer library, supporting DICT,
 FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S,
 RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.
 .
 libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP
 form based upload, proxies, cookies, user+password authentication (Basic,
 Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling
 and more!
 .
 libcurl is free, thread-safe, IPv6 compatible, feature rich, well supported,
 fast, thoroughly documented and is already used by many known, big and
 successful companies and numerous applications.
 .
 SSL support is provided by GnuTLS.
Homepage: https://curl.se/