Hi.

On Wed, May 04, 2016 at 11:58:56PM +0100, Ron Leach wrote:
> On 04/05/2016 23:22, Reco wrote:
> 
> >Considering that https://secure.gateway.gov.uk tells me about
> >*selecting* a valid certificate - it could mean that your *client*
> >became expired recently.
> 
> I wondered.  The application is a Python package distributed by UK TAX
> authority and intended for electronic filing.
> Are you thinking it might have its own 'certificate' which it has to
> present?

It's possible. Embedding a client certificate into an application (or
distributing it alongside) is a bad practice, but they use Windows
instead of a real server anyway.


> But ... following some other earlier posts by folk using a web browser to
> reach the url (and seeming to have success), I tried the same thing.  With a
> very up to date FF, I received:
> 
> "Government Gateway Error - Access Denied (12202)
> 
> Please ensure that you have selected a valid certificate and that you are
> using the correct address. "
> 
> I guess this is what you had, as well.

Exactly.


> I have done this several times, now,
> with Firefox (once with Iceweasel) on Debian 7, D6 LTS, Fedora 23, MS Vista,
> MS Win7, all different machines, on a few different IP addresses, and all
> produce the same response.  Do the Tax people mean that my Firefox(es) have
> a certificate (I didn't know that)?

I take it that they don't provide a client certificate for tax purposes
in the UK, and rely on a username/password combo instead?


> And that it is somehow 'invalid'?

Every X.509 certificate has those "Not Before" and "Not After" fields.
An expired certificate is one that has "Not After" set in the past.
To put it bluntly, X.509 is one of those things that certainly isn't
getting better with age.


> > Try this:
> >
> >openssl s_client -showcerts -connect secure.gateway.gov.uk:443 \
> >-CApath /etc/ssl/certs </dev/null
> >
> 
> Reco, here's the output.  It looks ok, to me, unless I'm missing something.
> Can I assume that the TLS handshake looks as though it ought to be ok - in
> that we are not or would not reject or impair the negotiation? 

Yes, definitely. This result shows that secure.gateway.gov.uk uses the
correct certificate chain, and your openssl trusts the root of it, which
is (the issuer of depth 1 certificate):

>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
> Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5


> Reco, thanks for having taken the time to think about it, grateful.

You're welcome.

Reco
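An added illustration, not part of this thread, of the two checks discussed above: reading the "Certificate chain" listing that `openssl s_client` prints to find which issuer has to be present in `-CApath`, and classifying a certificate by its "Not Before" / "Not After" fields. The chain text and the dates below are constructed placeholders, not the real gateway's certificates.

```python
"""Chain-listing parser and X.509 validity-window check (stdlib only)."""
import re
import ssl
import time

# Constructed sample of the "Certificate chain" block from
# `openssl s_client -showcerts`; subjects and issuers are placeholders.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/C=GB/O=Example Department/CN=secure.example.gov.uk
   i:/C=US/O=Example CA Inc./CN=Example Class 3 Secure Server CA
 1 s:/C=US/O=Example CA Inc./CN=Example Class 3 Secure Server CA
   i:/C=US/O=Example CA Inc./CN=Example Class 3 Public Primary CA
"""

CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.M)


def parse_chain(text):
    """Return a list of (depth, subject, issuer) from an s_client listing."""
    return [(int(d), s.strip(), i.strip())
            for d, s, i in CHAIN_ENTRY.findall(text)]


def trust_anchor_issuer(entries):
    """Issuer of the deepest certificate the server sent.

    That issuer is the root which must be in the -CApath store for the
    chain to verify; nothing sent by the server can vouch for it.
    """
    return max(entries)[2]


def validity_status(not_before, not_after, now=None):
    """Classify a certificate by its Not Before / Not After fields.

    Dates use the format openssl prints, e.g. 'May  4 00:00:00 2016 GMT'.
    """
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if now < start:
        return "not yet valid"
    if now > end:
        return "expired"
    return "valid"


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CHAIN)
    for depth, subject, issuer in chain:
        print(f"depth {depth}: {subject}\n    issued by {issuer}")
    print("root needed in -CApath:", trust_anchor_issuer(chain))
    print(validity_status("May  4 00:00:00 2015 GMT", "May  4 00:00:00 2016 GMT"))
```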
