November 2019

S M T W T F S
      12
34 5 678 9
10111213141516
17181920212223
24252627282930

Navigation

Page Summary

Style Credit

Expand Cut Tags

No cut tags

Вам, юные криптографы

dil: (Default)
[personal profile] dil
Tuesday, February 26th, 2008 04:06 pm
Попробуйте определить, чем подписан этот сертификат. В смысле, каким конкретно доверенным корневым сертификатом.

-----BEGIN CERTIFICATE-----
MIIFQjCCBCqgAwIBAgIRAO7B3AK2COUftYePLPg/lu8wDQYJKoZIhvcNAQEFBQAw
gdwxCzAJBgNVBAYTAkdCMRcwFQYDVQQKEw5Db21vZG8gTGltaXRlZDEdMBsGA1UE
CxMUQ29tb2RvIFRydXN0IE5ldHdvcmsxRjBEBgNVBAsTPVRlcm1zIGFuZCBDb25k
aXRpb25zIG9mIHVzZTogaHR0cDovL3d3dy5jb21vZG8ubmV0L3JlcG9zaXRvcnkx
HzAdBgNVBAsTFihjKTIwMDIgQ29tb2RvIExpbWl0ZWQxLDAqBgNVBAMTI0NvbW9k
byBDbGFzcyAzIFNlY3VyaXR5IFNlcnZpY2VzIENBMB4XDTA2MDgzMTAwMDAwMFoX
DTA4MDgzMDIzNTk1OVowgcwxCzAJBgNVBAYTAlJVMQ8wDQYDVQQREwYxMTEwMzMx
GzAZBgNVBAgTElJ1c3NpYW4gRmVkZXJhdGlvbjEPMA0GA1UEBxMGTW9zY293MQ8w
DQYDVQQJEwZNT1NDT1cxHjAcBgNVBAkTFVNhbW9rYXRuYXlhIDEgYmxkZyAyMTET
MBEGA1UEChMKT09PIFlhbmRleDEMMAoGA1UECxMDTk9DMREwDwYDVQQLEwhFbGl0
ZVNTTDEXMBUGA1UEAxMOc210cC55YW5kZXgucnUwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAMIjtOLBSxqW5y7x0XcGkNbfNNuHtOiGKYOCBsDx5RaqQ4EuyyIf
LSp/m0GU0eZlb/O+mc77OUKJA1ls0yT0Ndms1XNhf1FHtuGi9sH1lHuOGumc9EwU
kOomIntjV+oFkO50glUsrJseXzFfmoNikZwnCy+QeDPvhy4pVvPFHE6FAgMBAAGj
ggGPMIIBizAfBgNVHSMEGDAWgBQ24Oh8bZ1Fke6Z5UJ2TXCzUDCsXjAdBgNVHQ4E
FgQUs0TRS5Wxg8GYoTyENrsXntFSkhwwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBEGCWCGSAGG+EIB
AQQEAwIGwDBGBgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEDBDArMCkGCCsGAQUFBwIB
Fh1odHRwczovL3NlY3VyZS5jb21vZG8ubmV0L0NQUzCBsAYDVR0fBIGoMIGlMDig
NqA0hjJodHRwOi8vY3JsLmNvbW9kby5uZXQvQ2xhc3MzU2VjdXJpdHlTZXJ2aWNl
c18zLmNybDA6oDigNoY0aHR0cDovL2NybC5jb21vZG9jYS5jb20vQ2xhc3MzU2Vj
dXJpdHlTZXJ2aWNlc18zLmNybDAtoCugKYEnQ2xhc3MzU2VjdXJpdHlTZXJ2aWNl
c18zQGNybC5jb21vZG8ubmV0MA0GCSqGSIb3DQEBBQUAA4IBAQAe0qOi/VaXrTEP
Pwe3iuy/8gK5u5G1ViNJEfa+nrBDSyN9RHmqbPUPkBrryExENrwSabd2Ib13PpX4
Yo/nNz2lt63YM64Qk3HYxQyDf0fKHabIlQXl84gjs7hDlx6Z5dy016LkApov6nee
wAF5QA140NVpPZgAO+01iAIe3SmH59MywWLLuoL8cQ0wSE/abUSJHGFLSKo9c3Oj
NGEaWXaVAaamvlYdRplccldFPeo2vIVLEgV8x4CxkMAiJnpjT549WInUp3q0T/Tf
zpkUs5x5wuNywXQQkMjLGLbGjFS8pwgHbS9LHnnXIrqkBTDKZETJvQ5kMAOGk9Hb
TkpE3YIL
-----END CERTIFICATE-----

Желающие получить его самостоятельно, могут запустить несложную команду
openssl s_client -connect smtp.yandex.ru:25 -starttls smtp

TWIMC: тикет 200802199007965. От 19 февраля.
Tags:
Flat | Top-Level Comments Only

[identity profile] maria-gorbatova.livejournal.com
Tuesday, February 26th, 2008 04:24 pm (UTC)
Comodo Limited какое-то... (?)

[identity profile] dil.livejournal.com
Tuesday, February 26th, 2008 04:34 pm (UTC)
Не, ну вообще http://www.comodo.com/ - известная компания.
Вопрос в том, каким конкретно корневым сертификатом подписан этот.

[identity profile] dmarck.livejournal.com
Tuesday, February 26th, 2008 04:39 pm (UTC)
Он подписан не корневым, а

Issuer: C=GB, O=Comodo Limited, OU=Comodo Trust Network, OU=Terms and Conditions of use: http://www.comodo.net/repository, OU=(c)2002 Comodo Limited, CN=Comodo Class 3 Security Services CA

Или я не про то?
Edited 2008-02-26 04:39 pm (UTC)

[identity profile] dil.livejournal.com
Tuesday, February 26th, 2008 04:41 pm (UTC)
Да, примерно про то. А как проверить его подлинность?

[identity profile] dmarck.livejournal.com
Tuesday, February 26th, 2008 04:47 pm (UTC)
А это тебе openssl сам пишет:

marck@woozle:~> openssl s_client -connect smtp.yandex.ru:25 -starttls smtp
CONNECTED(00000003)
depth=0 /C=RU/2.5.4.17=111033/ST=Russian Federation/L=Moscow/2.5.4.9=MOSCOW/2.5.4.9=Samokatnaya 1 bldg 21/O=OOO Yandex/OU=NOC/OU=EliteSSL/CN=smtp.yandex.ru
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=RU/2.5.4.17=111033/ST=Russian Federation/L=Moscow/2.5.4.9=MOSCOW/2.5.4.9=Samokatnaya 1 bldg 21/O=OOO Yandex/OU=NOC/OU=EliteSSL/CN=smtp.yandex.ru
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=RU/2.5.4.17=111033/ST=Russian Federation/L=Moscow/2.5.4.9=MOSCOW/2.5.4.9=Samokatnaya 1 bldg 21/O=OOO Yandex/OU=NOC/OU=EliteSSL/CN=smtp.yandex.ru
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=RU/2.5.4.17=111033/ST=Russian Federation/L=Moscow/2.5.4.9=MOSCOW/2.5.4.9=Samokatnaya 1 bldg 21/O=OOO Yandex/OU=NOC/OU=EliteSSL/CN=smtp.yandex.ru
   i:/C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and Conditions of use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo Class 3 Security Services CA


Я к тому, что цепочки проверять надо разрешать отдельно.
Edited 2008-02-26 04:48 pm (UTC)

[identity profile] dil.livejournal.com
Tuesday, February 26th, 2008 04:55 pm (UTC)
А откуда, собственно, цепочку брать?

[identity profile] dmarck.livejournal.com
Tuesday, February 26th, 2008 04:57 pm (UTC)
А вот это я как-то не очень понимаю.

С другой сторону, если ты скажешь

openssl s_client -connect ctl.rinet.ru:443

то получишь примерно то же самое.

[identity profile] dil.livejournal.com
Tuesday, February 26th, 2008 05:08 pm (UTC)
А вот если его сохранить в файл, то
$ openssl verify ctl.rinet.ru.pem
ctl.rinet.ru.pem: OK

Для сравнения:
$ openssl verify smtp.yandex.ru.pem
smtp.yandex.ru.pem: /C=RU/postalCode=111033/ST=Russian Federation/L=Moscow/streetAddress=MOSCOW/streetAddress=Samokatnaya 1 bldg 21/O=OOO Yandex/OU=NOC/OU=EliteSSL/CN=smtp.yandex.ru
error 20 at 0 depth lookup:unable to get local issuer certificate

[identity profile] dmarck.livejournal.com
Tuesday, February 26th, 2008 04:36 pm (UTC)
А в чем проблемы?

Опять же,

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
                  CPS: https://secure.comodo.net/CPS

            X509v3 CRL Distribution Points: 
                URI:http://crl.comodo.net/Class3SecurityServices_3.crl
                URI:http://crl.comodoca.com/Class3SecurityServices_3.crl
                email:Class3SecurityServices_3@crl.comodo.net

[identity profile] dil.livejournal.com
Tuesday, February 26th, 2008 04:43 pm (UTC)
Ага. А Authority Information Access ты там видишь?

[identity profile] http://users.livejournal.com/_caspy/
Tuesday, February 26th, 2008 05:47 pm (UTC)
$ cat qq.pem
-----BEGIN CERTIFICATE-----
MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYD
VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv
bHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJv
b3QwHhcNOTgwODEzMDAyOTAwWhcNMTgwODEzMjM1OTAwWjB1MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
b2JhbCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVD6C28FCc6HrH
iM3dFw4usJTQGz0O9pTAipTHBsiQl8i4ZBp6fmw8U+E3KHNgf7KXUwefU/ltWJTS
r41tiGeA5u2ylc9yMcqlHHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X4
04Wqk2kmhXBIgD8SFcd5tB8FLztimQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAG3r
GwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMWM4ETCJ57NE7fQMh017l9
3PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OFNMQkpw0P
lZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFKjCCBJOgAwIBAgIEAgACmjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
b2JhbCBSb290MB4XDTAyMDgyNzE5MDIwMFoXDTEyMDgyNzIzNTkwMFowgdwxCzAJ
BgNVBAYTAkdCMRcwFQYDVQQKEw5Db21vZG8gTGltaXRlZDEdMBsGA1UECxMUQ29t
b2RvIFRydXN0IE5ldHdvcmsxRjBEBgNVBAsTPVRlcm1zIGFuZCBDb25kaXRpb25z
IG9mIHVzZTogaHR0cDovL3d3dy5jb21vZG8ubmV0L3JlcG9zaXRvcnkxHzAdBgNV
BAsTFihjKTIwMDIgQ29tb2RvIExpbWl0ZWQxLDAqBgNVBAMTI0NvbW9kbyBDbGFz
cyAzIFNlY3VyaXR5IFNlcnZpY2VzIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA8gy2z4eE6gpxFFIt6FdcSVI6z8PwQm1i8v6m6T48eGQDDiB+a2tp
h4lUOAX02scFQAUYd378a4sOHKKCzKyFmznpy0tIGEhrKOTC0VuuA6l+mC9ME3Hf
sCkMTqqmNyY4udBEUoKQPnBI1nqbCQe8lOT0VSzytyq+HJEcaouDTTVsEOFz2iHZ
YtjxGbDx5yCNtZdHI0tqgTUbr0jgNqiQTE1M7PWIzsax0C//eZAB2FFk5y+xCI1d
z636soCWq6yLtUy0dMJHE+3oIzH0KrlhG73OpFs3Mb3lnJz7sg/XxTu/zFqrD8iG
QIkippAg07NsvhLz4yAsu8GuQ1raFnboHwIDAQABo4IB2TCCAdUwRQYDVR0fBD4w
PDA6oDigNoY0aHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL2NnaS1iaW4vQ1JM
LzIwMTgvY2RwLmNybDAdBgNVHQ4EFgQUNuDofG2dRZHumeVCdk1ws1AwrF4wgZIG
A1UdIASBijCBhzBJBgoqhkiG+GMBAgEFMDswOQYIKwYBBQUHAgEWLWh0dHA6Ly93
d3cucHVibGljLXRydXN0LmNvbS9DUFMvT21uaVJvb3QuaHRtbDA6BgwrBgEEAbIx
AQIBAwEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly9zZWN1cmUuY29tb2RvLm5ldC9D
UDCBiQYDVR0jBIGBMH+heaR3MHUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUg
Q29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNvbHV0aW9ucywg
SW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJvb3SCAgGlMCsG
A1UdEAQkMCKADzIwMDIwODI3MTkwMjI0WoEPMjAwOTA4MjcyMzU5MDBaMA4GA1Ud
DwEB/wQEAwIB5jAPBgNVHRMECDAGAQH/AgEAMA0GCSqGSIb3DQEBBQUAA4GBADoe
JG/a2zZs/jpzOd3NahxpoQAfb9Su1R/UiCmlIcJX9lV7MOfSZNYOxKpwPHZ04iqu
x0ZnMpLJS/Gn1+BWvPZyEJ1/sHXWnVe1cYWqxDqnS7jsD+bS+P+1zdRFJazqBqeK
tc0yIuQhkhvvzjSuMEQa7pt/8JQRhoqHGQEoOs+z
-----END CERTIFICATE-----

$ openssl verify -CAfile qq.pem smtp.yandex.ru.pem
smtp.yandex.ru.pem: OK


А уж (самоподписанному) 'GTE CyberTrust Global Root' придется поверить, сам понимаешь почему. :)

[identity profile] dil.livejournal.com
Tuesday, February 26th, 2008 09:52 pm (UTC)
Какой-такой GTE? Там issuer=/C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and Conditions of use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo Class 3 Security Services CA

[identity profile] dil.livejournal.com
Tuesday, February 26th, 2008 10:02 pm (UTC)
Ага, понял. Но у комодо есть три своих корневых сертификата, чего ж они подписали не ими??

[identity profile] http://users.livejournal.com/_caspy/
Wednesday, February 27th, 2008 08:16 am (UTC)
Этого я тебе с уверенностью не скажу, но у меня сложилось впечатление, что этим транзитным Class3 они подписывают всякие дешевые InstantSSL и т.п. пакеты. Ну или как минимум делали это до некоторых недавних пор.
Flat | Top-Level Comments Only