* Joseph <syscon...@gmail.com> [2010-10-23 12:50 -0600]:
> I'm using command:
> openssl s_client -connect pop.gmail.com:995 -showcerts
> and it printed out:
> --------copy---------------
> CONNECTED(00000003)
> depth=1 C = US, O = Google Inc, CN = Google Internet Authority
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
> i:/C=US/O=Google Inc/CN=Google Internet Authority
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> [...]
> So I assume the first one is the gmail.pem certificate
> and the second was the equifax.pem certificate
No. Both of those were sent by the Google server. The first is for the
server, and was issued by Google's own signing authority. The second
is the Google signing authority certificate, which is issued by Equifax.
Note the s: and i: lines for each cert.
(It's complicated but allowed by the standards.)
If the server were allowed to send a copy of a certificate authority's
cert as well as the server one, a bad guy could just forge the whole
chain and you'd accept it and never be the wiser. You're supposed to
get independent verification of the validity of the certificate
chain. That usually means that you get the cert from your OS vendor
at install time.
Please don't leave the mailing list off replies.
Breen
--
Breen Mullins
b...@sdf.org
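As an added illustration of the point made in this reply (this is example code, not anything from the thread or from OpenSSL itself), the script below parses the "Certificate chain" section that `openssl s_client -showcerts` prints, checks that each certificate's i: line matches the s: line of the next certificate the server sent, pulls out any `verify error:num=NN` lines, and reports which issuer the local trust store must already contain for the chain to be trusted. The sample output is constructed from the lines quoted above with the PEM bodies elided, and the trust-store contents (`trusted_subjects`) are a hypothetical set of subject names standing in for what an OS vendor ships.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output, reduced to the
# lines quoted in the thread; the base64 certificate bodies are elided.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
MIIC...elided...
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIC...elided...
-----END CERTIFICATE-----
---
"""

SUBJECT_RE = re.compile(r"^\s*(\d+) s:(.*)$")       # " 0 s:/C=US/..."
ISSUER_RE = re.compile(r"^\s*i:(.*)$")              # "   i:/C=US/..."
VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.*)$")


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent the certs."""
    chain = []
    pending_subject = None
    for line in output.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            pending_subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and pending_subject is not None:
            chain.append((pending_subject, m.group(1).strip()))
            pending_subject = None
    return chain


def verify_errors(output):
    """Collect (number, message) pairs from the 'verify error' lines."""
    found = []
    for line in output.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2).strip()))
    return found


def check_links(chain):
    """Each cert's issuer must be the subject of the next cert the server sent.
    Returns a list of human-readable problems; empty means the chain links up."""
    problems = []
    for idx in range(len(chain) - 1):
        _, issuer = chain[idx]
        next_subject, _ = chain[idx + 1]
        if issuer != next_subject:
            problems.append(
                f"cert {idx} issuer {issuer!r} does not match "
                f"cert {idx + 1} subject {next_subject!r}"
            )
    return problems


def required_trust_anchor(chain, trusted_subjects):
    """Name the certificate the local trust store must already hold, or None if
    the chain already ends in something the store trusts.

    The server's copy of a CA cert never counts by itself: a self-signed root
    sent by the server is accepted only if that same subject is in the store,
    which is why the check looks at the store rather than at what was sent."""
    if not chain:
        return None
    last_subject, last_issuer = chain[-1]
    if last_subject == last_issuer:            # server sent a self-signed root
        return None if last_subject in trusted_subjects else last_subject
    return None if last_issuer in trusted_subjects else last_issuer


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_OUTPUT)
    for idx, (s, i) in enumerate(chain):
        print(f"{idx}: s={s}\n   i={i}")
    print("link problems:", check_links(chain) or "none")
    print("verify errors:", verify_errors(SAMPLE_OUTPUT))
    # Hypothetical empty trust store: reproduces the 'unable to get local
    # issuer certificate' situation, since nothing vouches for the last issuer.
    print("needs in trust store:", required_trust_anchor(chain, set()))
```

With an empty store the script names the Equifax subject as the missing anchor, which is the same condition error 20 reports; adding that subject to `trusted_subjects` clears it, while adding the Google intermediate alone does not, because the intermediate is still only vouched for by the server that sent it.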