s3rac

(Archived) Untrusted SSL Certificate on https://evernote.com

4 posts in this topic

It appears that https://evernote.com is triggering browser certificate trust warnings due to presentation of an incomplete certificate chain:

marvin:~$ openssl s_client -showcerts -tls1 -connect evernote.com:443
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Mountainv View, O = "Evernote, Corp.", OU = Terms of use at www.verisign.com/rpa ©05, CN = evernote.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountainv View, O = "Evernote, Corp.", OU = Terms of use at www.verisign.com/rpa ©05, CN = evernote.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = California, L = Mountainv View, O = "Evernote, Corp.", OU = Terms of use at www.verisign.com/rpa ©05, CN = evernote.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountainv View/O=Evernote, Corp./OU=Terms of use at www.verisign.com/rpa ©05/CN=evernote.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa ©10/CN=VeriSign Class 3 Secure Server CA - G3


 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa ©09/CN=VeriSign Class 3 Secure Server CA - G2
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=© 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network


---
Server certificate
subject=/C=US/ST=California/L=Mountainv View/O=Evernote, Corp./OU=Terms of use at www.verisign.com/rpa ©05/CN=evernote.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa ©10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 3202 bytes and written 540 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 4FE2020EFC43F125914B444D6273E0855E54780B2E5FC5C774EA0E7444D8B524
    Session-ID-ctx:
    Master-Key: 13A9D0DEAC347E8BC987FAFE7DFB555B7A1FDF9FF51BC3C9A1C243D2971295AF958E6579FB269C0E13D673D7FFC4A0BF
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1340211726
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Note in the output above that there is no entry in the certificate chain for "Class 3 Public Primary Certification Authority - G2," which I believe is the problem. I believe that PKIX validation routines require the root self-signed certificate to be at the end of the chain, and in light of that requirement, the absence would explain the trust error I observed.


I believe this may be a transient problem. I closed my browser to clear the SSL warning selection that I clicked through initially with the intention to get a screen shot to attach to this post. Now the cert appears trusted and the cert chain looks well-formed according to Google Chrome. I should also note that when I encountered this problem initially Chrome only showed the head cert, unlike the OpenSSL output that showed a chain of two certs. I'm wondering if the apparent certificate configuration problem is only affecting some of the hosts in the pool.


A similar certificate problem happened to me.

I wasn't consistent in how I accessed the site:

https://evernote.com/

https://www.evernote.com/

To you and me, both links above are the same site, but the certificate doesn't know that, and so they're counted as two separate sites.

Evernote fixed this bug a while ago, which is good. I wonder if this new certificate problem could be related, though? It still works fine for me; I haven't had any certificate problems in a long time.

Josh


The problem I observed is a certificate trust problem due to improper chain construction, while the problem you observed is a hostname mismatch. (By convention most browsers require the DNS name of a site to match the CN of the certificate subjectDN or subjectAltName fields.) The two problems are related in that they are both common SSL configuration problems, but in technical terms they have fairly different causes.
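As an added example (not code from this thread or from Evernote), the script below reads the "Certificate chain" listing that s_client prints, the way the first post reads it by eye, and reports where the certificates the server sent stop linking up; it also does the leaf-CN hostname comparison the last post distinguishes from the chain problem. The sample chain is a constructed copy of the listing quoted in the first post, and the function names are mine.

```python
import re

# Constructed sample: the "Certificate chain" listing from the s_client output in
# the first post (the leaf is issued by the G3 CA, but the second certificate the
# server sent is the G2 CA, so the chain does not link up).
SAMPLE_CHAIN = """\
 0 s:/C=US/ST=California/L=Mountainv View/O=Evernote, Corp./OU=Terms of use at www.verisign.com/rpa ©05/CN=evernote.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa ©10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa ©09/CN=VeriSign Class 3 Secure Server CA - G2
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=© 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    certs = []
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+s:(.*)$", line)
        if m:
            certs.append([m.group(1).strip(), ""])
            continue
        m = re.match(r"^\s*i:(.*)$", line)
        if m and certs:
            certs[-1][1] = m.group(1).strip()
    return [tuple(c) for c in certs]

def cn(dn):
    """Pull the CN out of an OpenSSL-style DN; fall back to the whole DN."""
    m = re.search(r"/CN=([^/]*)", dn)
    return m.group(1) if m else dn

def chain_breaks(certs):
    """List every position where a certificate's issuer is not the next one's subject.
    A chain that links up still needs its top issuer in the client's trust store."""
    problems = []
    for n in range(len(certs) - 1):
        issuer, next_subject = certs[n][1], certs[n + 1][0]
        if issuer != next_subject:
            problems.append(f"cert {n} issuer '{cn(issuer)}' is not cert {n + 1} "
                            f"subject '{cn(next_subject)}': issuer was not sent")
    return problems

def hostname_matches_cn(certs, hostname):
    """The hostname check from the last post, restricted to the leaf CN because
    s_client's chain listing does not print subjectAltName entries."""
    return cn(certs[0][0]).lower() == hostname.lower()

if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CHAIN)
    for p in chain_breaks(chain):
        print("BROKEN:", p)
    print("top of chain issued by:", cn(chain[-1][1]))
    print("evernote.com matches leaf CN:", hostname_matches_cn(chain, "evernote.com"))
    print("www.evernote.com matches leaf CN:", hostname_matches_cn(chain, "www.evernote.com"))
```

Feed it the chain section of any `openssl s_client -showcerts` run to see whether a trust warning comes from a gap in the presented chain or from a name that does not match the leaf.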
