On Wed, May 4, 2016, at 01:54 PM, Lisi Reisz wrote:
> On Wednesday 04 May 2016 18:40:01 William O'Malley wrote:
> > On Wed, May 4, 2016, at 12:25 PM, Ron Leach wrote:
> > > List, good afternoon,
> > >
> > > I'd appreciate some advice about how to fix an SSL error I'm hitting
> > > while accessing a government website required for online filing.
> > > Oddly, this error has just occurred, but we've been using the service
> > > without difficulty for a few years.
> > >
> > > The SSL failure is reported by the application as an
> > > "SSL Certificate Verification Error"; no other information.
> > >
> > > Using openssl -showcerts, a "verify error" is reported. Here's the
> > > dialogue - I've skipped the bulk of the certificate texts.
> > >
> > > ron@debians5:~$ openssl s_client -showcerts -connect
> > > secure.gateway.gov.uk:443 </dev/null
> > > CONNECTED(00000003)
> > > depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> > > use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > > Server CA - G3
> > > verify error:num=20:unable to get local issuer certificate
> > > verify return:0
> > > ---
> > > Certificate chain
> > > 0 s:/C=GB/ST=London/L=London/O=Department for Work and
> > > Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
> > > i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> > > at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > > Server CA - G3
> > > -----BEGIN CERTIFICATE-----
> > > MIIFTTCCBDWgAwIBAgIQVvXmnZpU7GpmDQbP2RA+DDANBgkqhkiG9w0BAQUFADCB
> > > tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> > > [...]
> > > T5A4onjwNgpfTwlfM0BaqhMjii2rrUrWdz++8gPO1SnJNFM5kKwzq8jjj6ezFfZQ
> > > iV/THI2bNvQl6In1tHt8rO8=
> > > -----END CERTIFICATE-----
> > > 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> > > at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > > Server CA - G3
> > > i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> > > VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
> > > Primary Certification Authority - G5
> > > -----BEGIN CERTIFICATE-----
> > > MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
> > > yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> > > [...]
> > > W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
> > > Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y=
> > > -----END CERTIFICATE-----
> > > ---
> > > Server certificate
> > > subject=/C=GB/ST=London/L=London/O=Department for Work and
> > > Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
> > > issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> > > use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > > Server CA - G3
> > > ---
> > > No client certificate CA names sent
> > > ---
> > > SSL handshake has read 3043 bytes and written 447 bytes
> > > ---
> > > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > > Server public key is 2048 bit
> > > Secure Renegotiation IS supported
> > > Compression: NONE
> > > Expansion: NONE
> > > SSL-Session:
> > > Protocol : TLSv1
> > > Cipher : AES256-SHA
> > > Session-ID: 89[...]F6
> > > Session-ID-ctx:
> > > Master-Key: 5A[...]93
> > > Key-Arg : None
> > > Start Time: 1462378147
> > > Timeout : 300 (sec)
> > > Verify return code: 20 (unable to get local issuer certificate)
> > > ---
> > > DONE
> > > ron@debians5:~$
> > >
> > >
> > > I've updated the machine (using synaptic) with the latest
> > > ca_certificates, but the error remains (this is the current output,
> > > after certificate updates).
> > >
> > > The system was working fine last month, but seems to fail today. I'm
> > > not familiar with the 'behind the scenes' workings of openssl and the
> > > certificate chains, and would appreciate any insight into what might
> > > be going wrong.
> > >
> > > regards, Ron
> >
> > Hi,
> >
> > Have you tried a different browser? I get the following error in Chrome
> > when attempting to log in:
> >
> > ==
> > Sorry, you cannot register with, or log in to the Government Gateway
> > using this certificate provider and web browser combination. These
> > certificates are not currently supported on the Macintosh operating
> > system and Netscape 6.x version browsers on all platforms.
> >
> > Other certificate providers may be added to the Government Gateway
> > later. Please check this site regularly to find out which certificates
> > can be used for online services.
> > ==
> >
> > The site works fine in IE 11. Looks like it is coded in MS ASP.NET,
> > which makes sense. No access to a Debian box right now, unfortunately.
>
> I just logged in without a problem using Chromium "Version 37.0.2062.120
> Built on Debian 7.6, running on Debian 7.10 (281580) (64-bit)"
>
> Lisi
>
Version 50.0.2661.94 of Google Chrome here.

--
Will
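
Added example (not part of the original thread): a Python sketch that reads the `s_client` output quoted above and reports which issuer the server did not send, which is the certificate that verification expects to find in the local trust store when error 20 is raised. The sample text is constructed from the quoted output with the mail line-wraps rejoined and certificate bodies omitted; the function names are hypothetical, and `cn()` assumes the slash-separated name format shown in the thread.

```python
import re

# Constructed sample: depth/verify lines and the "Certificate chain" s:/i: lines
# from the quoted output, unwrapped; PEM bodies omitted.
SAMPLE = """\
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=GB/ST=London/L=London/O=Department for Work and Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
"""

def parse_chain(text):
    """Return [(depth, subject, issuer)] for each certificate the server sent."""
    chain = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+) s:(.*)", line)
        if m:
            chain.append([int(m.group(1)), m.group(2).strip(), None])
        elif chain and re.match(r"\s*i:", line):
            chain[-1][2] = line.split("i:", 1)[1].strip()
    return [tuple(c) for c in chain]

def verify_errors(text):
    """Return [(depth, errnum, message)], pairing each error with its depth= line."""
    errs, depth = [], None
    for line in text.splitlines():
        d = re.match(r"depth=(\d+) ", line)
        e = re.match(r"verify error:num=(\d+):(.*)", line)
        if d:
            depth = int(d.group(1))
        if e:
            errs.append((depth, int(e.group(1)), e.group(2).strip()))
    return errs

def missing_anchors(chain):
    """Issuers named in the chain that the server did not send as a subject."""
    sent = {subject for _, subject, _ in chain}
    return [(d, issuer) for d, _, issuer in chain if issuer and issuer not in sent]

def cn(dn):
    """Common name from a slash-separated distinguished name."""
    return dn.rsplit("/CN=", 1)[-1]

if __name__ == "__main__":
    for depth, issuer in missing_anchors(parse_chain(SAMPLE)):
        print(f"depth {depth}: issuer not sent by server, needed locally: {cn(issuer)}")
```

The depth reported by `verify_errors` matches the depth returned by `missing_anchors`: the certificate at depth 1 is the last one the server supplies, and its issuer is the one the local store could not provide.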