On Thursday 27 August 2015 22:14:43 Joel Rees wrote:
> I lost track of this thread somehow. Sorry.
>
> On Thu, Aug 20, 2015 at 11:39 PM, Frédéric Marchal
> <frederic.marc...@wowtechnology.com> wrote:
> > On Thursday 20 August 2015 07:53:33 Joel Rees wrote:
> >> Any chance it's the old problem with Google's chain to a root CA?
> >
> > Could you elaborate on this problem?
>
> http://arstechnica.com/information-technology/2015/04/google-let-root-certificate-for-gmail-expire-causing-e-mail-hiccups/
>
> may or may not be what I was remembering about the CA.
Thanks. The link says Google let its certificate expire once. That's not the
problem I saw. My message was about the root certificate not being valid for
that purpose. With a little luck, it was much more benign than a hacker having
his way with the LAN.

> > Kmail just popped a warning this morning about an invalid google
> > certificate. Kmail claims that "the root certificate is not valid for
> > that purpose" (whatever that means)…
> >
> > I would like to know how to make sure whether it is safe to accept the
> > certificate or not.
> >
> > My employer's gateway may be providing a fake certificate to monitor the
> > SSL communication but I don't know how to tell if the certificate was
> > rewritten by the legitimate gateway or by a rogue third party or if
> > google messed up.
>
> Do you know how to manually verify a certificate?

Let's see if I did my homework correctly :-)

I get the certificate:

openssl s_client -connect imap.gmail.com:993

Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

I download the GeoTrust CA certificate from their web site:

wget https://www.geotrust.com/resources/root_certificates/<snip>.pem

Then I run this to verify the chain down to the third level:

openssl s_client -connect imap.gmail.com:993 -verify 3 -CApath .

depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = imap.gmail.com
verify return:1
<...snip...>
Verify return code: 0 (ok)

Is this procedure valid?
May I use it next time kmail complains about the root certificate if I'm
running it from inside the LAN that might have been compromised? I wonder
about the wget step.

Thanks,

Frederic
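The chain check discussed in the message above, carried out offline so that each part of the verdict can be seen on its own. This is an added example, not code from the thread or from any of its participants: it uses the openssl command-line tool (assumed to be OpenSSL 1.1 or later, for the -no-CAfile/-no-CApath options) to mint a throwaway root, intermediate and server certificate, then runs `openssl verify` the way `s_client -verify` does against a live server, once against the genuine root, once against an unrelated root standing in for a gateway that re-signs traffic, and once for the wrong purpose, which openssl reports as "unsupported certificate purpose". All names (Demo root CA, Demo rogue CA, Demo Intermediate CA, imap.example.test) are invented for the example.

```shell
#!/bin/sh
# Added example, not from the thread: mint a throwaway root -> intermediate -> server chain
# with the openssl CLI and verify it offline, the way `openssl s_client -verify N -CApath .`
# does against a live server. Every name below (Demo root CA, Demo rogue CA,
# Demo Intermediate CA, imap.example.test) is invented for the example.

# make_chain DIR: writes root.pem/inter.pem/leaf.pem (the genuine chain) plus rogue.pem,
# an unrelated self-signed root standing in for a gateway that re-signs TLS traffic.
make_chain() {
  dir=$1
  mkdir -p "$dir"
  # A private config keeps the run independent of the system openssl.cnf.
  cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:imap.example.test
EOF
  # Two independent self-signed roots: the genuine one and the rogue one.
  for name in root rogue; do
    openssl req -x509 -new -config "$dir/ext.cnf" -extensions ca_ext \
      -newkey rsa:2048 -nodes -subj "/CN=Demo $name CA" -days 30 \
      -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
  done
  # Intermediate CA signed by the genuine root (CA:TRUE, keyCertSign).
  openssl req -new -config "$dir/ext.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ext.cnf" -extensions ca_ext -days 30 \
    -out "$dir/inter.pem" 2>/dev/null
  # Server certificate signed by the intermediate (CA:FALSE, serverAuth only).
  openssl req -new -config "$dir/ext.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=imap.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -CAcreateserial -extfile "$dir/ext.cnf" -extensions leaf_ext -days 30 \
    -out "$dir/leaf.pem" 2>/dev/null
}

# verify_chain DIR ANCHOR PURPOSE: build the path leaf -> inter -> ANCHOR and check it for
# PURPOSE (sslserver, sslclient, ...). Only ANCHOR is trusted; the build-time default CA
# file and directory are not consulted, so the verdict depends on nothing but the files
# named here. Returns openssl's exit status (0 = chain OK).
verify_chain() {
  dir=$1; anchor=$2; purpose=$3
  openssl verify -no-CAfile -no-CApath -purpose "$purpose" -CAfile "$anchor" \
    -untrusted "$dir/inter.pem" "$dir/leaf.pem"
}

# fingerprint CERT: SHA-256 fingerprint of a certificate, the value to compare with a copy
# obtained out of band instead of trusting whatever a download over the same LAN delivered.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Stand-alone run: three verdicts for the same server certificate.
demo=$(mktemp -d)
make_chain "$demo"
echo "1) genuine root, purpose sslserver:"
verify_chain "$demo" "$demo/root.pem" sslserver || true   # exit 0: ".../leaf.pem: OK"
echo "2) rogue root, purpose sslserver:"
verify_chain "$demo" "$demo/rogue.pem" sslserver || true  # non-zero: unable to get local issuer certificate
echo "3) genuine root, purpose sslclient:"
verify_chain "$demo" "$demo/root.pem" sslclient || true   # non-zero: unsupported certificate purpose
echo "genuine root: $(fingerprint "$demo/root.pem")"
echo "rogue root:   $(fingerprint "$demo/rogue.pem")"
```

Two points about the commands in the message. `-CAfile` names the anchor file directly, whereas `-CApath DIR`, as used in the post, expects a directory of hash-named links (created with `openssl rehash DIR` or `c_rehash DIR`); and both `s_client` and `verify` also consult the build-time default CA file and directory unless told not to, which is why the example passes `-no-CAfile -no-CApath`, so that a pass cannot come from a root that happened to be in the system store. The wget step is the weak point of the procedure: a root fetched over the same network that might be interposed is only worth trusting after its SHA-256 fingerprint has been compared with a copy obtained elsewhere, for instance the copy already in the operating system's trust store or the vendor's published fingerprint read from a different network.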