自版本38起出现的Firefox中的“安全连接失败”如何解决?


9

由于我将Firefox升级到了38版本,因此在网站https://usercenter.checkpoint.com/上发送特定表格时遇到了问题,大多数网站都可以正常工作,但是在打开支持通知单时会发送表格(以下日志中的URL) )导致Firefox未能通过TLS协商。Firefox的错误页面几乎无法解释:

安全连接失败

页面加载时重置了与服务器的连接。

  • 您尝试查看的页面无法显示,因为无法验证所接收数据的真实性。
  • 请与网站所有者联系,以告知他们该问题。

报告此错误

报告usercenter.checkpoint.com的地址和证书信息将有助于我们识别和阻止恶意网站。感谢您帮助创建更安全的网站!

将来自动报告错误 了解更多信息…

Web开发人员控制台中,我仅看到以下内容:

19:58:44.470 This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.1 AjaxCall
19:58:44.589 POST https://usercenter.checkpoint.com/usercenter/portal/js_pane/supportId,CreateServiceRequestId [178ms]

第一行只是警告,将来将不支持SHA-1。我是否必须打开某些电源才能查看TLS失败的原因?来自控制台的TLS和证书信息如下:

TLS和证书信息

我在那里没有发现任何问题。出于绝望,我尝试使用TLS参数about:config没有成功:

security.tls.insecure_fallback_hosts
security.tls.unrestricted_rc4_fallback
security.tls.version.fallback-limit
security.tls.version.max
security.tls.version.min

Qualy SSL测试没有显示出完全错误的内容:https ://www.ssllabs.com/ssltest/analyze.html?d=usercenter.checkpoint.com

红帽知识库中有一篇很有希望的文章:Firefox 38和SSL / TLS服务器不支持TLS版本,但该解决方案仅适用于付费客户。

我还检查了Firefox 38的站点兼容性

问题

  • 如何排除TLS失败的原因是什么?
  • 在Firefox中,还有其他用户可配置的白名单,我可以在其中尝试添加失败网站的地址吗?
  • 控制台显示POST请求usercenter.checkpoint.com与先前成功的通信到达同一主机时,仅在发送某种形式后才出现失败的原因可能是什么?

我看到的唯一问题是“页面加载时重置了与服务器的连接。” 当然,与SSL完全无关。
Daniel B

另请参阅Firefox / Mozilla博客上的使用1024位RSA密钥逐步淘汰证书。链中使用的CA根为1024位。
jww 2015年

@pabouk与
RogUE 2015年

断开互联网连接,然后尝试加载任何网页;你看到了什么?
RogUE 2015年

如果Mozilla 在信任库中拥有新的 VeriSign 3类公共主要证书颁发机构-G5,则这是Mozilla错误。重新颁发了证书,并将其从下级CA升级为具有不同序列号的自签名根CA。{Distinguished Name, Serial Number}使证书唯一,因此可以明确选择它;参见RFC 4158。但是请注意以下有关选择它的注意事项,因为这不是一件容易的事。同样,Checkpoint 不应将旧的G5证书作为链的一部分发送。
jww 2015年

Answers:


4

自版本38起出现的Firefox中的“安全连接失败”如何解决?

使用openssl s_client。这是瑞士军刀之类的东西。并用于openssl x509转储证书。

您通常会对{Issuer, Subject}链中的配对感兴趣,如下所示:

Certificate chain
 0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

请注意,服务器上的颁发者如何成为下一个更高证书的主题。Gutmann在他的《工程安全》一书中提供了以下图表来描述它:

在此处输入图片说明

在顶部,CA根是自签名的,并且问题和主题相同。如果存在3级,它将是:

 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

但是您通常不会在链中看到它,因为您必须信任它。信任锚的部分要求是您已经拥有它,以确保不被篡改。


使用主题和颁发者名称正在利用所谓的专有名称。形成链的另一种方法是使用KEYIDs。您有时会通过主题密钥标识符(SKI)和授权密钥标识符(AKI)看到它。密钥标识符只是摘要的公共密钥的指纹。

您可以在RFC 4514等标准中找到有关专有名称的内容;并在RFC 4518之的标准中使用KEYID,它与路径构建有关。


看来问题出在浏览器上(但请参见下文)。看起来好像缺少Class 3 Public Primary Certification Authority指纹a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b

当我访问Symantec Root Certifcates并下载Class 3 Public Primary Certification Authority时,我可以构建一个验证路径(请注意Verify return code: 0 (ok)以下内容)。

您应该下载并安装Class 3 Public Primary Certification Authority在浏览器的受信任根存储中。或者确定为什么浏览器不使用它来构建路径(请参见下一个)。

Mozilla和Firefox Class 3 Public Primary Certification Authority在博客文章中谈到:逐步淘汰具有1024位RSA密钥的证书。根据该帖子,他们从Firefox 32开始就不再使用该CA证书。由于这些密钥长期用于CA签名操作,因此我并没有错,因为它们必须使用10到30年,因此它们需要“更强”的参数(字面意思)。

Checkpoint需要获得在具有最新参数的证书(链)下颁发的新服务器证书,例如具有4096位RSA模数和SHA-256的CA。或具有2048位RSA模数和SHA-256的从属CA ...

(另请参阅下文对我不起作用的内容)。


这是使用OpenSSL 通过Class 3 Public Primary Certification Authority验证服务器证书的示例s_client

$ openssl s_client -connect usercenter.checkpoint.com:443 -tls1 \
    -servername usercenter.checkpoint.com -CAfile Class-3-Public-Primary-Certification-Authority.pem 
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = US, ST = California, L = San Carlos, O = Check Point Software Technologies Inc., OU = MIS-US, CN = usercenter.checkpoint.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgIQbDQ79PGfSr9ppjYf2kOh4zANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwMjEx
MDAwMDAwWhcNMTYwMjI1MjM1OTU5WjCBnTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExEzARBgNVBAcUClNhbiBDYXJsb3MxLzAtBgNVBAoUJkNoZWNr
IFBvaW50IFNvZnR3YXJlIFRlY2hub2xvZ2llcyBJbmMuMQ8wDQYDVQQLFAZNSVMt
VVMxIjAgBgNVBAMUGXVzZXJjZW50ZXIuY2hlY2twb2ludC5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeG4n8NH4KaU/DE4xg2TQNXmKkcslgsqcg
qZbo0QiuHpQTFXF9BbrG3Nv10bNBhe8FWyo1AwJK33PTs0WVeGyMBaVYBIR48C4D
gk+4JPncFWO6eq2eWxzg2yei/xPQwvGNGn0QNcGCUfPZE8Z+KhGUucxGcmlW/lLj
vG0XjCaYkgxUEgOx9rCWYnA5HSmPYYHTT7+lXdlqE4e5QHnRRm4p4iVPRBSAgs94
jtn7wgBf+xg81SqnZ3+gC6ggdd+HDk+PFC/8DsDEFxEJRe/uYhfmMLGZ0Lz9oitc
GIK8rPtylkgVTlNldo2TPsr/zdR43s9gQPpqM0niRQHLcHX83BG3AgMBAAGjggGJ
MIIBhTAkBgNVHREEHTAbghl1c2VyY2VudGVyLmNoZWNrcG9pbnQuY29tMAkGA1Ud
EwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjBDBgNVHSAEPDA6MDgGCmCGSAGG+EUBBzYwKjAoBggrBgEFBQcCARYcaHR0
cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAfBgNVHSMEGDAWgBQNRFwWU0TBgn4d
IKsl9AFj2L55pTBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vU1ZSU2VjdXJlLUcz
LWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY3JsMHYGCCsGAQUFBwEBBGow
aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUF
BzAChjRodHRwOi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2Vj
dXJlRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQBcO/j4DpV+SAh0xwrrulHW9sg0
ifgntImsZF10gY9P93mRf0rq8OdCeOejx45LZCDc1xgBGov0ehyiShy2pA7rQ93t
hvaMopAnKPi1KPApcwiDNAQ4dI5daUVI1MwvkFZsoxoHvx0IBQOYPgAjSUIE9Q9W
oa6/NqRh2hpZgg550cZhwzh5vbbRieGn6hS8qVCpYYs5N1+39vw+hFNqaTfjyIHF
Aq6UboCNvj28+ZU3U16rxGqu9JQBL/GvaqYXHXhLmXIe63Flv5VSPDA8EcjX7uzo
yt210nEvNhvDBmWA06tX3fYPiZvgf1tzzITVRUZxxZlpUdEuMrcCUB+UFAuO
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4310 bytes and written 600 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 141BB5DD85FA61CC85E5C8368DED9EB9C7C6427D7F655F8DD778EEB003F9EBE7
    Session-ID-ctx: 
    Master-Key: 84261799D242992FE44D48F39F1A10CFCE5BE60E1A900CC3E6BFFD368DAB68A439287C81DC9510871963EF8E3366FFE3
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1432323605
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

前面我曾说过:“在顶部,CA根是自签名的,问题和主题是相同的”。这是该自签名CA根的转储,主题和颁发者相同。它还显示了1024位模和sha1WithRSAEncryption。

$ openssl x509 -in Class-3-Public-Primary-Certification-Authority.pem -inform PEM -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Validity
            Not Before: Jan 29 00:00:00 1996 GMT
            Not After : Aug  2 23:59:59 2028 GMT
        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c9:5c:59:9e:f2:1b:8a:01:14:b4:10:df:04:40:
                    db:e3:57:af:6a:45:40:8f:84:0c:0b:d1:33:d9:d9:
                    11:cf:ee:02:58:1f:25:f7:2a:a8:44:05:aa:ec:03:
                    1f:78:7f:9e:93:b9:9a:00:aa:23:7d:d6:ac:85:a2:
                    63:45:c7:72:27:cc:f4:4c:c6:75:71:d2:39:ef:4f:
                    42:f0:75:df:0a:90:c6:8e:20:6f:98:0f:f8:ac:23:
                    5f:70:29:36:a4:c9:86:e7:b1:9a:20:cb:53:a5:85:
                    e7:3d:be:7d:9a:fe:24:45:33:dc:76:15:ed:0f:a2:
                    71:64:4c:65:2e:81:68:45:a7
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         10:72:52:a9:05:14:19:32:08:41:f0:c5:6b:0a:cc:7e:0f:21:
         19:cd:e4:67:dc:5f:a9:1b:e6:ca:e8:73:9d:22:d8:98:6e:73:
         03:61:91:c5:7c:b0:45:40:6e:44:9d:8d:b0:b1:96:74:61:2d:
         0d:a9:45:d2:a4:92:2a:d6:9a:75:97:6e:3f:53:fd:45:99:60:
         1d:a8:2b:4c:f9:5e:a7:09:d8:75:30:d7:d2:65:60:3d:67:d6:
         48:55:75:69:3f:91:f5:48:0b:47:69:22:69:82:96:be:c9:c8:
         38:86:4a:7a:2c:73:19:48:69:4e:6b:7c:65:bf:0f:fc:70:ce:
         88:90

之前我曾说过:“ Checkpoint需要获得具有现代参数的证书(链)下颁发的新服务器证书,例如具有4096位RSA模数和SHA-256的CA。或者具有2048位RSA模数的从属CA,以及SHA-256 ...”

下面是没有工作对我来说:生根或更强的下属CA锚固信任VeriSign Class 3 Public Primary Certification Authority - G5,而不是更弱1024位根CA.

编辑:这是由于OpenSSL 1.0.2a及以下版本中的错误所致。它已在OpenSSL 1.0.2b中修复。参见将链中的下属提升为自签名根时的预期行为以进行验证?

$ openssl s_client -connect usercenter.checkpoint.com:443 -tls1 \
    -servername usercenter.checkpoint.com -CAfile VeriSign-Class-3-Public-Primary-Certification-Authority-G5.pem 
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgIQbDQ79PGfSr9ppjYf2kOh4zANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwMjEx
MDAwMDAwWhcNMTYwMjI1MjM1OTU5WjCBnTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExEzARBgNVBAcUClNhbiBDYXJsb3MxLzAtBgNVBAoUJkNoZWNr
IFBvaW50IFNvZnR3YXJlIFRlY2hub2xvZ2llcyBJbmMuMQ8wDQYDVQQLFAZNSVMt
VVMxIjAgBgNVBAMUGXVzZXJjZW50ZXIuY2hlY2twb2ludC5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeG4n8NH4KaU/DE4xg2TQNXmKkcslgsqcg
qZbo0QiuHpQTFXF9BbrG3Nv10bNBhe8FWyo1AwJK33PTs0WVeGyMBaVYBIR48C4D
gk+4JPncFWO6eq2eWxzg2yei/xPQwvGNGn0QNcGCUfPZE8Z+KhGUucxGcmlW/lLj
vG0XjCaYkgxUEgOx9rCWYnA5HSmPYYHTT7+lXdlqE4e5QHnRRm4p4iVPRBSAgs94
jtn7wgBf+xg81SqnZ3+gC6ggdd+HDk+PFC/8DsDEFxEJRe/uYhfmMLGZ0Lz9oitc
GIK8rPtylkgVTlNldo2TPsr/zdR43s9gQPpqM0niRQHLcHX83BG3AgMBAAGjggGJ
MIIBhTAkBgNVHREEHTAbghl1c2VyY2VudGVyLmNoZWNrcG9pbnQuY29tMAkGA1Ud
EwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjBDBgNVHSAEPDA6MDgGCmCGSAGG+EUBBzYwKjAoBggrBgEFBQcCARYcaHR0
cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAfBgNVHSMEGDAWgBQNRFwWU0TBgn4d
IKsl9AFj2L55pTBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vU1ZSU2VjdXJlLUcz
LWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY3JsMHYGCCsGAQUFBwEBBGow
aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUF
BzAChjRodHRwOi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2Vj
dXJlRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQBcO/j4DpV+SAh0xwrrulHW9sg0
ifgntImsZF10gY9P93mRf0rq8OdCeOejx45LZCDc1xgBGov0ehyiShy2pA7rQ93t
hvaMopAnKPi1KPApcwiDNAQ4dI5daUVI1MwvkFZsoxoHvx0IBQOYPgAjSUIE9Q9W
oa6/NqRh2hpZgg550cZhwzh5vbbRieGn6hS8qVCpYYs5N1+39vw+hFNqaTfjyIHF
Aq6UboCNvj28+ZU3U16rxGqu9JQBL/GvaqYXHXhLmXIe63Flv5VSPDA8EcjX7uzo
yt210nEvNhvDBmWA06tX3fYPiZvgf1tzzITVRUZxxZlpUdEuMrcCUB+UFAuO
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4310 bytes and written 600 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 736B3105DB22F2AB0F5D42C8161A8A132BF1E7C37464BB2F0D00058B867332EB
    Session-ID-ctx: 
    Master-Key: BDD5D4951E3FD01C3C456D475EAE6D0D5CE53FBF75B4F6F3D4D186A27B566D75056057D5395F35AE3BA8D20A669212C2
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1432324811
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

实际的问题是Symantec重新发行了具有相同名称和相同公共密钥的证书,因此可分辨名称主题密钥标识符授权密钥标识符 没有变化。但仅更改序列号

由于链中发送的证书与从Symantec站点下载的证书之间的序列号不同,因此我能够在下面找到它。然后很明显,重新颁发的证书已从下级CA更改为根CA。


您可以使用-showcertsOpenSSL s_client来查看链中的证书:

$ openssl s_client -connect usercenter.checkpoint.com:443 -tls1 \
    -servername usercenter.checkpoint.com -showcerts
CONNECTED(00000003)
...
---
Certificate chain
 0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgIQbDQ79PGfSr9ppjYf2kOh4zANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwMjEx
MDAwMDAwWhcNMTYwMjI1MjM1OTU5WjCBnTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExEzARBgNVBAcUClNhbiBDYXJsb3MxLzAtBgNVBAoUJkNoZWNr
IFBvaW50IFNvZnR3YXJlIFRlY2hub2xvZ2llcyBJbmMuMQ8wDQYDVQQLFAZNSVMt
VVMxIjAgBgNVBAMUGXVzZXJjZW50ZXIuY2hlY2twb2ludC5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeG4n8NH4KaU/DE4xg2TQNXmKkcslgsqcg
qZbo0QiuHpQTFXF9BbrG3Nv10bNBhe8FWyo1AwJK33PTs0WVeGyMBaVYBIR48C4D
gk+4JPncFWO6eq2eWxzg2yei/xPQwvGNGn0QNcGCUfPZE8Z+KhGUucxGcmlW/lLj
vG0XjCaYkgxUEgOx9rCWYnA5HSmPYYHTT7+lXdlqE4e5QHnRRm4p4iVPRBSAgs94
jtn7wgBf+xg81SqnZ3+gC6ggdd+HDk+PFC/8DsDEFxEJRe/uYhfmMLGZ0Lz9oitc
GIK8rPtylkgVTlNldo2TPsr/zdR43s9gQPpqM0niRQHLcHX83BG3AgMBAAGjggGJ
MIIBhTAkBgNVHREEHTAbghl1c2VyY2VudGVyLmNoZWNrcG9pbnQuY29tMAkGA1Ud
EwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjBDBgNVHSAEPDA6MDgGCmCGSAGG+EUBBzYwKjAoBggrBgEFBQcCARYcaHR0
cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAfBgNVHSMEGDAWgBQNRFwWU0TBgn4d
IKsl9AFj2L55pTBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vU1ZSU2VjdXJlLUcz
LWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY3JsMHYGCCsGAQUFBwEBBGow
aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUF
BzAChjRodHRwOi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2Vj
dXJlRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQBcO/j4DpV+SAh0xwrrulHW9sg0
ifgntImsZF10gY9P93mRf0rq8OdCeOejx45LZCDc1xgBGov0ehyiShy2pA7rQ93t
hvaMopAnKPi1KPApcwiDNAQ4dI5daUVI1MwvkFZsoxoHvx0IBQOYPgAjSUIE9Q9W
oa6/NqRh2hpZgg550cZhwzh5vbbRieGn6hS8qVCpYYs5N1+39vw+hFNqaTfjyIHF
Aq6UboCNvj28+ZU3U16rxGqu9JQBL/GvaqYXHXhLmXIe63Flv5VSPDA8EcjX7uzo
yt210nEvNhvDBmWA06tX3fYPiZvgf1tzzITVRUZxxZlpUdEuMrcCUB+UFAuO
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDAwWhcNMjAwMjA3MjM1OTU5WjCBtTEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMmVmVy
aVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCxh4QfwgxF9byrJZenraI+nLr2wTm4i8rCrFbG
5btljkRPTc5v7QlK1K9OEJxoiy6Ve4mbE8riNDTB81vzSXtig0iBdNGIeGwCU/m8
f0MmV1gzgzszChew0E6RJK2GfWQS3HRKNKEdCuqWHQsV/KNLO85jiND4LQyUhhDK
tpo9yus3nABINYYpUHjoRWPNGUFP9ZXse5jUxHGzUL4os4+guVOc9cosI6n9FAbo
GLSa6Dxugf3kzTU2s1HTaewSulZub5tXxYsU5w7HnO1KVGrJTcW/EbGuHGeBy0RV
M5l/JJs/U0V/hhrzPPptf4H1uErT9YU3HLWm0AnkGHs4TvoPAgMBAAGjggHfMIIB
2zA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlz
aWduLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQYLYIZIAYb4
RQEHFwMwVjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2Nw
czAqBggrBgEFBQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQG
A1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMtZzUu
Y3JsMA4GA1UdDwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglp
bWFnZS9naWYwITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNo
dHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjAoBgNVHREEITAfpB0w
GzEZMBcGA1UEAxMQVmVyaVNpZ25NUEtJLTItNjAdBgNVHQ4EFgQUDURcFlNEwYJ+
HSCrJfQBY9i+eaUwHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwDQYJ
KoZIhvcNAQEFBQADggEBAAyDJO/dwwzZWJz+NrbrioBL0aP3nfPMU++CnqOh5pfB
WJ11bOAdG0z60cEtBcDqbrIicFXZIDNAMwfCZYP6j0M3m+oOmmxw7vacgDvZN/R6
bezQGH1JSsqZxxkoor7YdyT3hSaGbYcFQEFn0Sc67dxIHSLNCwuLvPSxe/20majp
dirhGi2HbnTTiN0eIsbfFrYrghQKlFzyUOyvzv9iNw2tZdMGQVPtAhTItVgooazg
W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y=
-----END CERTIFICATE-----
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv
ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz
IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8
RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb
ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR
TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/
Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH
iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB
AAGjggGbMIIBlzAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0
dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjA9
BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVy
aXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwbQYI
KwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQU
j+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t
L3ZzbG9nby5naWYwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMC
BggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUA
A4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7WaGY5eE43U68ZhjTresY8g3JbT5K
lCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZ
tOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
...

我接下来通常要做的是将链中的PEM编码的证书复制到剪贴板,然后用于pbpaste粘贴到终端并将其通过管道传输到OpenSSL的x509。例如,以下是第2级VeriSign Class 3 Public Primary Certification Authority - G5作为链的一部分发送的:

$ pbpaste | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
    ...

1

通过在地址栏中键入about:config,然后选择“我会小心,我保证!”来解决此问题。按钮。此时,双击security.tls.insecure_fallback_hosts选项,然后添加您要访问的地址。

我必须从我的地址中删除“ https:\”(两个反斜杠,超级用户删除了我的第二个反斜杠),然后它才能起作用,但是您的结果可能有所不同,因此请尝试两者。

从Firefox 43.0.1版开始,这是准确的。


正如我在问题中已经写道的,security.tls.insecure_fallback_hosts情况并非如此。后来在评论中写道,问题出在服务器端。服务器正在关闭连接。
pabouk '16

0

(从其他答案中得出)在这种情况下,Symantec在选择VeriSign 3类公共主要证书颁发机构-G5时,需要修复其破碎的“根证书”页面或提供正确的证书以供下载。

如果你看一下威瑞信3级公用主证书颁发机构- G5在链提供openssl s_client ... -showcerts威瑞信3级公用主证书颁发机构- G5可供下载,你会看到他们是不同的证书。因此,Verisign重新颁发了具有相同专有名称和主题公钥的证书

VeriSign 3类公共主要证书颁发机构-G5的链式版本具有以下序列号,并且不是自签名的(请注意,主题和颁发者不同):

$ pbpaste | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Validity
            Not Before: Nov  8 00:00:00 2006 GMT
            Not After : Nov  7 23:59:59 2021 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
...

从下载版本的Symantec根证书威瑞信3级公用主证书颁发机构- G5 具有以下序列号,这自签名的(注意主题和发行人是相同的):

$ openssl x509 -in VeriSign-Class-3-Public-Primary-Certification-Authority-G5.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Nov  8 00:00:00 2006 GMT
            Not After : Jul 16 23:59:59 2036 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
...

实际上,这里只有一个解决方法。

Checkpoint应该停止发送旧版本的 VeriSign Class 3公共一级证书颁发机构-链中的下属G5

那是因为在实践中,由于旧的G5证书新的G5证书太相似,因此验证路径和选择证书的人会感到困惑。它们太相似了,因为它们使用相同的专有名称和相同的主题密钥标识符 / 授权者密钥标识符


从理论上讲,您可以从服务器发送的链中提取旧的G5证书,并将其放入Mozilla信任存储中。但是我强烈怀疑它会使尝试建立路径的用户代理程序感到困惑,因为唯一更改的是序列号。

要了解混淆,请查看RFC 4158以及如何选择证书。一种方法是{Distinguished Name, Serial Number}元组。但是,正在验证的证书包含颁发者的序列号。它仅包括专有名称授权密钥标识符

第3.5.12节“匹配密钥标识符(KID)”确实指定:

如果当前证书在AKID中表示颁发者名称和序列号,则与这两个标识符匹配的证书具有最高优先级。

但是它不是必需的,Symantec提供的warez也缺少它。要直接查看,请转储链中发送的Level 1中间体。它称为VeriSign 3类安全服务器CA-G3。注意它有一个授权密钥标识符,但是没有序列号

$ pbpaste | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6e:cc:7a:a5:a7:03:20:09:b8:ce:bc:f4:e9:52:d4:91
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Feb  8 00:00:00 2010 GMT
            Not After : Feb  7 23:59:59 2020 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b1:87:84:1f:c2:0c:45:f5:bc:ab:25:97:a7:ad:
                    a2:3e:9c:ba:f6:c1:39:b8:8b:ca:c2:ac:56:c6:e5:
                    bb:65:8e:44:4f:4d:ce:6f:ed:09:4a:d4:af:4e:10:
                    9c:68:8b:2e:95:7b:89:9b:13:ca:e2:34:34:c1:f3:
                    5b:f3:49:7b:62:83:48:81:74:d1:88:78:6c:02:53:
                    f9:bc:7f:43:26:57:58:33:83:3b:33:0a:17:b0:d0:
                    4e:91:24:ad:86:7d:64:12:dc:74:4a:34:a1:1d:0a:
                    ea:96:1d:0b:15:fc:a3:4b:3b:ce:63:88:d0:f8:2d:
                    0c:94:86:10:ca:b6:9a:3d:ca:eb:37:9c:00:48:35:
                    86:29:50:78:e8:45:63:cd:19:41:4f:f5:95:ec:7b:
                    98:d4:c4:71:b3:50:be:28:b3:8f:a0:b9:53:9c:f5:
                    ca:2c:23:a9:fd:14:06:e8:18:b4:9a:e8:3c:6e:81:
                    fd:e4:cd:35:36:b3:51:d3:69:ec:12:ba:56:6e:6f:
                    9b:57:c5:8b:14:e7:0e:c7:9c:ed:4a:54:6a:c9:4d:
                    c5:bf:11:b1:ae:1c:67:81:cb:44:55:33:99:7f:24:
                    9b:3f:53:45:7f:86:1a:f3:3c:fa:6d:7f:81:f5:b8:
                    4a:d3:f5:85:37:1c:b5:a6:d0:09:e4:18:7b:38:4e:
                    fa:0f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access: 
                OCSP - URI:http://ocsp.verisign.com

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/cps
                  User Notice:
                    Explicit Text: https://www.verisign.com/rpa

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.verisign.com/pca3-g5.crl

            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            1.3.6.1.5.5.7.1.12: 
                0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
            X509v3 Subject Alternative Name: 
                DirName:/CN=VeriSignMPKI-2-6
            X509v3 Subject Key Identifier: 
                0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5
            X509v3 Authority Key Identifier: 
                keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33

    Signature Algorithm: sha1WithRSAEncryption
         0c:83:24:ef:dd:c3:0c:d9:58:9c:fe:36:b6:eb:8a:80:4b:d1:
         a3:f7:9d:f3:cc:53:ef:82:9e:a3:a1:e6:97:c1:58:9d:75:6c:
         e0:1d:1b:4c:fa:d1:c1:2d:05:c0:ea:6e:b2:22:70:55:d9:20:
         33:40:33:07:c2:65:83:fa:8f:43:37:9b:ea:0e:9a:6c:70:ee:
         f6:9c:80:3b:d9:37:f4:7a:6d:ec:d0:18:7d:49:4a:ca:99:c7:
         19:28:a2:be:d8:77:24:f7:85:26:86:6d:87:05:40:41:67:d1:
         27:3a:ed:dc:48:1d:22:cd:0b:0b:8b:bc:f4:b1:7b:fd:b4:99:
         a8:e9:76:2a:e1:1a:2d:87:6e:74:d3:88:dd:1e:22:c6:df:16:
         b6:2b:82:14:0a:94:5c:f2:50:ec:af:ce:ff:62:37:0d:ad:65:
         d3:06:41:53:ed:02:14:c8:b5:58:28:a1:ac:e0:5b:ec:b3:7f:
         95:4a:fb:03:c8:ad:26:db:e6:66:78:12:4a:d9:9f:42:fb:e1:
         98:e6:42:83:9b:8f:8f:67:24:e8:61:19:b5:dd:cd:b5:0b:26:
         05:8e:c3:6e:c4:c8:75:b8:46:cf:e2:18:06:5e:a9:ae:a8:81:
         9a:47:16:de:0c:28:6c:25:27:b9:de:b7:84:58:c6:1f:38:1e:
         a4:c4:cb:66
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.