On 13/4/19 3:57 pm, Alexander V. Makartsev wrote:
> On 13.04.2019 19:40, Tyler A wrote:
>> Hi,
>>
>> I had trouble visiting these two websites in Firefox, Epiphany and
>> verifying with OpenSSL.
>>
>> - Births Deaths and Marriages (Government of South Australia)
>> https://bdm.cbs.sa.gov.au/bdmsaonline/dbweb.asp?dbcgm=1&prprc=oac
>>
>> - Hostplus Superannuation Fund
>> https://hostplus.com.au/
>>
>> ...
> I can access both sites without any problems with my browser (Firefox).

Keep in mind, you must do this in a new profile. If you've ever visited a
website which has used the certificate it will be cached, and the site will
work. Firefox does not download the cert from the AIA link like IE/Chrome
does. So if you have Chromium, that will work. This masks the issue. This
particularly affected me because I used an amnesic environment, i.e.
debian-live-9.8.0-amd64-gnome.iso

> AFAIK, intermediate certs are not required to be installed, if they are
> valid and pass the check with Issuer Root CA cert.
> Only private certificates, that identify your client, are required to be
> installed, if remote server was configured to use them. Which is not the
> case for public web servers.
> Here [1] is the output from openssl for one connection attempt for both
> sites.

You seem to have some strange results there:

> $ openssl s_client -connect hostplus.com.au:443 2>&1
>
> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
> verify return:1
> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
> verify return:1
> depth=0 C = US, ST = Delaware, L = Dover, O = Incapsula Inc, CN = incapsula.com
> verify return:1
> CONNECTED(00000003)
> ---
> Certificate chain
>  0 s:/C=US/ST=Delaware/L=Dover/O=Incapsula Inc/CN=incapsula.com
>    i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
>  1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
>    i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

Whereas, I got:

> $ openssl s_client -connect hostplus.com.au:443 2>&1
> CONNECTED(00000003)
> depth=0 CN = *.hostplus.com.au
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = *.hostplus.com.au
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:CN = *.hostplus.com.au
>    i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018

As for your other example:

> $ openssl s_client -connect bdm.cbs.sa.gov.au:443 2>&1
>
> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
> verify return:1
> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
> verify return:1
> depth=0 C = US, ST = Delaware, L = Dover, O = Incapsula Inc, CN = incapsula.com
> verify return:1
> CONNECTED(00000003)
> ---
> Certificate chain
>  0 s:/C=US/ST=Delaware/L=Dover/O=Incapsula Inc/CN=incapsula.com
>    i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
>  1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
>    i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

I got:

> $ openssl s_client -connect bdm.cbs.sa.gov.au:443 2>&1
> CONNECTED(00000003)
> depth=0 C = AU, L = Adelaide, O = Attorney General's Department, OU = Consumer and Business Services, CN = bdm.cbs.sa.gov.au
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = AU, L = Adelaide, O = Attorney General's Department, OU = Consumer and Business Services, CN = bdm.cbs.sa.gov.au
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:C = AU, L = Adelaide, O = Attorney General's Department, OU = Consumer and Business Services, CN = bdm.cbs.sa.gov.au
>    i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA 2018

I got the same certificates from a European VPN as I did from within
Australia (not what you got), which appears to be a CDN.

> Just to rule out possibility of any network misconfiguration, try to
> access both sites via Tor network or Opera browser's VPN feature, and
> without proxy server, if you use one.
>

And no, they didn't work on Tor on Tails either.

-- 
Tyler (tya99)
rsa4096/0x9C9954F88E388859
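The condition Tyler's transcripts show (verify errors 20 and 21, a leaf sent with no intermediate, which a cached intermediate or an AIA-fetching browser hides) can be checked mechanically from the `openssl s_client` output. The following is an added example, not code from either poster; it uses the quoted transcripts as constructed input and a stand-in trust store that is assumed to contain only the GlobalSign root.

```python
import re
# Constructed input: the two `openssl s_client` transcripts quoted in the thread.
HOSTPLUS = """CONNECTED(00000003)
depth=0 CN = *.hostplus.com.au
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.hostplus.com.au
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = *.hostplus.com.au
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
"""
INCAPSULA = """depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Delaware/L=Dover/O=Incapsula Inc/CN=incapsula.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
"""
# Stand-in for the client's trust store (assumption: only this root is present).
TRUSTED_ROOTS = {"C=BE,O=GlobalSign nv-sa,OU=Root CA,CN=GlobalSign Root CA"}

def normalize_dn(dn):
    """Canonicalise both DN spellings openssl prints: '/C=BE/O=x' and 'C = BE, O = x'."""
    dn = dn.strip()
    parts = dn.lstrip("/").split("/") if dn.startswith("/") else dn.split(",")
    return ",".join("=".join(p.strip() for p in part.split("=", 1))
                    for part in parts if part.strip())

def parse_chain(output):
    """Return [(subject, issuer), ...] for the certificates the server sent."""
    pairs = re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", output, re.M)
    return [(normalize_dn(s), normalize_dn(i)) for s, i in pairs]

def verify_errors(output):
    """Distinct 'verify error:num=N' codes; 20 and 21 mean the issuer was unavailable."""
    return sorted({int(n) for n in re.findall(r"verify error:num=(\d+):", output)})

def missing_intermediates(output, trusted=TRUSTED_ROOTS):
    """Issuers the server should have sent but did not (empty list = chain complete).
    An issuer is satisfied if self-signed, in the trust store, or present in the chain."""
    chain = parse_chain(output)
    sent = {subject for subject, _ in chain}
    return [issuer for subject, issuer in chain
            if issuer != subject and issuer not in trusted and issuer not in sent]
```

Running `missing_intermediates` against a fresh capture tells the site operator exactly which intermediate to add to the server's chain, independent of whatever a browser profile has cached.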