This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] TLS error when the certificate is expired?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Sun Apr 15 15:33:53 CEST 2018
I'm reasonably certain that it has been possible to use 'sslcert' measurements even when the certificate is expired. Today, I try to use 'sslcert' with trigger-happy.eu and it fails:

"alert": { "description": 40, "level": 2 },

And no certificate in the JSON output (this is measurement #12166428)

40 is the very general "handshake failure" of TLS. <https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-6>

Was there a change in Atlas recently? The TLS server does reply:

% gnutls-cli trigger-happy.eu
Processed 167 CA certificate(s).
Resolving 'trigger-happy.eu:443'...
Connecting to '51.254.210.94:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=trigger-happy.eu', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x0359a66c5eb5da799afe079f87416f8d9641, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-01-13 10:46:26 UTC', expires `2018-04-13 10:46:26 UTC', key-ID `sha256:8216c7a7f221f3efcf7e7c3eb1760275d6ebf38d153b74992ee7864147b54435'
 Public Key ID:
 sha1:668c4506a393d9bb633590b68c05d878734d7ffe
 sha256:8216c7a7f221f3efcf7e7c3eb1760275d6ebf38d153b74992ee7864147b54435
 Public key's random art:
 +--[ RSA 2048]----+
 | +. o++ |
 | o +*.=.. |
 | .=o* . . . |
 | * B o |
 | . = S . |
 | = . . |
 | + E |
 | . . |
 | |
 +-----------------+
- Certificate[1] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', key-ID `sha256:60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18'
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
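An added example, not part of the original message or of RIPE Atlas code: a small triage helper that names the alert in an 'sslcert' result and checks whether the measurement time falls inside the validity window printed by gnutls-cli. The result fields "alert", "cert" and "timestamp" follow the Atlas result format; the function names are hypothetical and the timestamp is constructed from the message's sending time, since the page does not give the measurement time.

```python
import re
from datetime import datetime, timezone

# Subset of the IANA TLS alert registry linked in the message.
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    112: "unrecognized_name",
}
VALIDITY_RE = re.compile(r"activated `(\S+ \S+) UTC', expires `(\S+ \S+) UTC'")

# Validity fields of Certificate[0], copied from the gnutls-cli output above.
SAMPLE_GNUTLS = ("activated `2018-01-13 10:46:26 UTC', "
                 "expires `2018-04-13 10:46:26 UTC'")
# Constructed result: alert values and measurement id are from the message,
# the timestamp is an assumption (the message's sending time in UTC).
SAMPLE_RESULT = {
    "msm_id": 12166428,
    "timestamp": int(datetime(2018, 4, 15, 13, 33, 53, tzinfo=timezone.utc).timestamp()),
    "alert": {"description": 40, "level": 2},
}

def leaf_validity(gnutls_output):
    """Return (not_before, not_after) of the first certificate listed."""
    match = VALIDITY_RE.search(gnutls_output)
    if match is None:
        raise ValueError("no activated/expires fields found")
    return tuple(datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
                 for s in match.groups())

def triage(result, gnutls_output):
    """Summarise one sslcert result against the certificate's validity window."""
    when = datetime.fromtimestamp(result["timestamp"], tz=timezone.utc)
    not_before, not_after = leaf_validity(gnutls_output)
    report = {"got_certificate": bool(result.get("cert")),
              "within_validity": not_before <= when <= not_after,
              "alert": None}
    alert = result.get("alert")
    if alert is not None:
        level = ALERT_LEVELS.get(alert["level"], "unknown")
        name = ALERT_DESCRIPTIONS.get(alert["description"], "unlisted")
        report["alert"] = f"{level}/{name}"
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_RESULT, SAMPLE_GNUTLS))
```

The registry has a separate code, 45 (certificate_expired), so a result carrying 40 with no certificate records only that the handshake was aborted, not the reason.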