Open grandamp opened 8 years ago
You have the wrong eric.
@grandamp test1 is the "control": only the bare end entity certificate is served, no chain.
Thank you! Got the wrong Eric due to my lack of attention. Apologies.
Is there a more appropriate reference for the path made with certificates from: https://pki.treas.gov/toca_fullpath.p7b ?
Though the following server (and its associated cert and cert path) is not a part of this testing, it represents a perfect use case of the issue:
When accessing via IPv4, there appear to be no issues with the path in a Microsoft browser, as the "Common Policy Root CA" is distributed via Microsoft (and the path is trusted by Microsoft's browsers).
-however-
Validation of the paths when limited to IPv6 appears to be problematic.
Here is a complete disclosure of the path using OpenSSL:
openssl s_client -connect pki.treasury.gov:443 -servername pki.treasury.gov
CONNECTED(00000003)
depth=3 C = US, O = U.S. Government, OU = FPKI, CN = Federal Common Policy CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Bureau of the Fiscal Service/OU=Devices/CN=pki.treas.gov
i:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=OCIO CA
1 s:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=OCIO CA
i:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=US Treasury Root CA
2 s:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=US Treasury Root CA
i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
3 s:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
---
Server certificate
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
subject=/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Bureau of the Fiscal Service/OU=Devices/CN=pki.treas.gov
issuer=/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=OCIO CA
---
No client certificate CA names sent
---
SSL handshake has read 7134 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 0F0E802940FE87931ED6D2E4344F1189AC44092248EF08903B11CF7D8C720B62
Session-ID-ctx:
Master-Key: 1460E3356B4CE6D8CC5739AD8CDA4936731D3CF4CEB0BDA228FDE60BF61EDFE47D0DCDB91D69E12A4D306B16EF627DE1
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1456016387
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
Further, if connecting to this host via IPv6 only, then you will see that the server presents an entirely different certificate, which does not include "pki.treasury.gov" in the subject field, or the subjectAltName extension.
Likewise, there have been reported issues via Issue 2 that demonstrate inconsistency (due to network or load balancing) of the delivery of revocation data for HTTP traffic (not encrypted, via port 80). The same may be true for ocsp.treas.gov.
If possible, can anyone provide the results for the following command (or equivalent) using IPv6 only?
openssl s_client -connect pki.treasury.gov:443 -servername pki.treasury.gov
From a server where IPv6 is enabled:
$ curl -6 --head https://ipv6.google.com
HTTP/1.1 200 OK
I ran:
openssl s_client -connect pki.treasury.gov:443 -servername pki.treasury.gov
And got:
CONNECTED(00000003)
depth=3 C = US, O = U.S. Government, OU = FPKI, CN = Federal Common Policy CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Bureau of the Fiscal Service/OU=Devices/CN=pki.treas.gov
i:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=OCIO CA
1 s:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=OCIO CA
i:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=US Treasury Root CA
2 s:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=US Treasury Root CA
i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
3 s:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHlDCCBnygAwIBAgIEVFZlczANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMC
VVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEjMCEGA1UECxMaRGVwYXJ0bWVu
dCBvZiB0aGUgVHJlYXN1cnkxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9y
aXRpZXMxEDAOBgNVBAsTB09DSU8gQ0EwHhcNMTUwNDEwMTU1NzM4WhcNMTgwNDEw
MTYyNzM4WjCBnTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVu
dDEjMCEGA1UECxMaRGVwYXJ0bWVudCBvZiB0aGUgVHJlYXN1cnkxJTAjBgNVBAsT
HEJ1cmVhdSBvZiB0aGUgRmlzY2FsIFNlcnZpY2UxEDAOBgNVBAsTB0RldmljZXMx
FjAUBgNVBAMTDXBraS50cmVhcy5nb3YwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDHJzYjjEnEi/UBUVokkO9uWuDAbgrSqpprt389A3DYRrJXFYHr84/T
GUjarT3sek2glfHcvpZU5lvPes39TugCQh2tm5BTbHIdK8pYhBPmv9c5pyRwVgu3
1k+aCShPkP+K8dWjxchND5WgD5xtmI3Q2H8dDTNEWAkByVUTn1TQneCs29MyK3WM
sMWIgb8EkTJDQB9EAT/Z9tg0gETMi7CnGXitkzZrKkaHpSdLLuB9D7QCJUU+skTt
sgFSJRrHfFlFUmD/B+7Os8s8YPuBIc+Sr9PaoqRlDhlCzLVV3hCz1IH+spmDjvBd
D9GBCxRnU0cq6A2mXdNNolyh+Jlx8QA5AgMBAAGjggPzMIID7zAOBgNVHQ8BAf8E
BAMCBaAwFwYDVR0gBBAwDjAMBgpghkgBZQMCAQUDMBEGCWCGSAGG+EIBAQQEAwIG
QDATBgNVHSUEDDAKBggrBgEFBQcDATCCAQgGCCsGAQUFBwEBBIH7MIH4MDAGCCsG
AQUFBzAChiRodHRwOi8vcGtpLnRyZWFzLmdvdi90b2NhX2VlX2FpYS5wN2MwgaAG
CCsGAQUFBzAChoGTbGRhcDovL2xkYXAudHJlYXMuZ292L291PU9DSU8lMjBDQSxv
dT1DZXJ0aWZpY2F0aW9uJTIwQXV0aG9yaXRpZXMsb3U9RGVwYXJ0bWVudCUyMG9m
JTIwdGhlJTIwVHJlYXN1cnksbz1VLlMuJTIwR292ZXJubWVudCxjPVVTP2NBQ2Vy
dGlmaWNhdGU7YmluYXJ5MCEGCCsGAQUFBzABhhVodHRwOi8vb2NzcC50cmVhcy5n
b3YwewYDVR0RBHQwcoEcY3NhLXRlYW1AZmlzY2FsLnRyZWFzdXJ5LmdvdoIQcGtp
LnRyZWFzdXJ5LmdvdoIQcGtpLmRpbWMuZGhzLmdvdoINcGtpLnRyZWFzLmdvdoEf
ZWNiLWhvc3RpbmdAZmlzY2FsLnRyZWFzdXJ5LmdvdjCCAYkGA1UdHwSCAYAwggF8
MCegJaAjhiFodHRwOi8vcGtpLnRyZWFzLmdvdi9PQ0lPX0NBMy5jcmwwggFPoIIB
S6CCAUekgZcwgZQxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1l
bnQxIzAhBgNVBAsTGkRlcGFydG1lbnQgb2YgdGhlIFRyZWFzdXJ5MSIwIAYDVQQL
ExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRAwDgYDVQQLEwdPQ0lPIENBMRAw
DgYDVQQDEwdDUkwxNDA5hoGqbGRhcDovL2xkYXAudHJlYXMuZ292L2NuPUNSTDE0
MDksb3U9T0NJTyUyMENBLG91PUNlcnRpZmljYXRpb24lMjBBdXRob3JpdGllcyxv
dT1EZXBhcnRtZW50JTIwb2YlMjB0aGUlMjBUcmVhc3VyeSxvPVUuUy4lMjBHb3Zl
cm5tZW50LGM9VVM/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDtiaW5hcnkwKwYD
VR0QBCQwIoAPMjAxNTA0MTAxNTU3MzhagQ8yMDE4MDQxMDE2MjczOFowHwYDVR0j
BBgwFoAUohOo5cYHVGwkPU63Kyeip3Eata8wHQYDVR0OBBYEFLCGnBLCk5FM1GDj
PtQ+bFom4NaPMBkGCSqGSIb2fQdBAAQMMAobBFY4LjEDAgOoMA0GCSqGSIb3DQEB
CwUAA4IBAQBJaNGCj579wUfnR7td2hVTakKgebMtPX+H5hm0g67ucLfia9o5PGAo
fHM+y0aP6LixG/gJ/3at1rkOslrY06EFLkPuKB5Io6Hr5++1nixKSHZd7esj9TRi
QhRXhsyYjHYtIw0o3TO/TCQF2Ay7LLHWTI8QuhMNUMsXT2/7nPwSgIKXos77o4X0
+tFw85tR69h8Eqv5PFH8AAr5DYqrp49IkjkIgEpes19hfM9x0gHjcIpVnm0W+fE+
B0Nh65AH4o2Gu04L+hOq0Ond2RJOhFGd5g4vxgQLGNn9YCsCaEtMBxwwGfyEIZfQ
DBIMQWVLy/vEoJahxje3kRK4HOH6OJn5
-----END CERTIFICATE-----
subject=/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Bureau of the Fiscal Service/OU=Devices/CN=pki.treas.gov
issuer=/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=OCIO CA
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 7134 bytes and written 469 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 0F0E802940FE316C1ED6D2E4344F17895B9C62B6BF06D18A3B11CF7D8C7114C2
Session-ID-ctx:
Master-Key: FD3B71F821F380817288276F7B26672734622434D33DC313829EE3C2914B1F4F78E9E73A311A1195536C903ADE5E29B0
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1456076707
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
The server is both IPv6- and IPv4-enabled. How openssl manages network connections in that environment, I am not sure.
Hrm, following along with this Wireshark blog post it doesn't seem like openssl supports IPv6. I get this:
$ openssl s_client -connect ipv6.google.com:443
gethostbyname failure
connect:errno=0
So I don't think my above test case is useful.
Okay, I compiled OpenSSL 1.1.0 alpha 3 (which has IPv6 support):
$ openssl s_client -connect ipv6.google.com:443
CONNECTED(00000003)
...
And re-ran:
openssl s_client -connect pki.treasury.gov:443 -servername pki.treasury.gov
And got:
CONNECTED(00000003)
depth=3 C = US, O = U.S. Government, OU = FPKI, CN = Federal Common Policy CA
verify error:num=19:self signed certificate in certificate chain
Server did acknowledge servername extension.
---
Certificate chain
0 s:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Bureau of the Public Debt/OU=Devices/CN=pki.treas.gov
i:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=OCIO CA
1 s:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=OCIO CA
i:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=US Treasury Root CA
2 s:/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=US Treasury Root CA
i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
3 s:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
---
Server certificate
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
subject=/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Bureau of the Public Debt/OU=Devices/CN=pki.treas.gov
issuer=/C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=OCIO CA
---
No client certificate CA names sent
---
SSL handshake has read 6689 bytes and written 631 bytes
Verification error: self signed certificate in certificate chain
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 180C0000636C0E4BDABD5A26D9F5E4933A7ADA4058585858F9FCC956F3A60300
Session-ID-ctx:
Master-Key: A7D1ADE31483BF981109833116D93F3249E785003623D037D573873FA86206B564E5CD06F0AF6162582259A1BDD8F839
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1456078073
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no
---
The certificates received in the first (IPv4) and second (seemingly IPv6) situations do differ. The content is different, and in the second case, the subject is Bureau of the Public Debt instead of Bureau of the Fiscal Service.
It also depends on your trust store configuration which may be the reason why you're getting different results between different browsers and with the validation website.
@weirdscience Hey Ken! In this case, the trust anchor config of the browser is moot (for most of these issues), as the tests are based on the certificate paths configured on (and delivered by) the web server.
The only URI that appears to "leave it entirely up to the browser" is "test1" (referenced by @konklone above).
The two different certificates for pki.treas.gov when using IPv4 -vs- IPv6 are actually two different end entity certificates.
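An added example, written for this page and not code from the thread or from the 18F fpki-testing repository. It embeds the pki.treas.gov leaf certificate pasted earlier in this thread (the one returned over IPv4), walks its DER with a small TLV reader to pull out the subjectAltName and Authority Information Access entries, and checks whether a requested hostname is actually covered by the dNSName list (the CN is not what a browser matches). `leaf_over()` then fetches the leaf over one address family at a time, which is exactly the comparison the thread does by hand with s_client. Function names, the default host `pki.treasury.gov` and port 443 are the editor's choices; nothing outside the Python standard library is assumed.

```python
import base64
import socket
import ssl

# The pki.treas.gov leaf as pasted in this thread (IPv4 answer); base64 body, three PEM lines per string.
LEAF_B64 = (
    "MIIHlDCCBnygAwIBAgIEVFZlczANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEjMCEGA1UECxMaRGVwYXJ0bWVudCBvZiB0aGUgVHJlYXN1cnkxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9y"
    "aXRpZXMxEDAOBgNVBAsTB09DSU8gQ0EwHhcNMTUwNDEwMTU1NzM4WhcNMTgwNDEwMTYyNzM4WjCBnTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEjMCEGA1UECxMaRGVwYXJ0bWVudCBvZiB0aGUgVHJlYXN1cnkxJTAjBgNVBAsT"
    "HEJ1cmVhdSBvZiB0aGUgRmlzY2FsIFNlcnZpY2UxEDAOBgNVBAsTB0RldmljZXMxFjAUBgNVBAMTDXBraS50cmVhcy5nb3YwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHJzYjjEnEi/UBUVokkO9uWuDAbgrSqpprt389A3DYRrJXFYHr84/T"
    "GUjarT3sek2glfHcvpZU5lvPes39TugCQh2tm5BTbHIdK8pYhBPmv9c5pyRwVgu31k+aCShPkP+K8dWjxchND5WgD5xtmI3Q2H8dDTNEWAkByVUTn1TQneCs29MyK3WMsMWIgb8EkTJDQB9EAT/Z9tg0gETMi7CnGXitkzZrKkaHpSdLLuB9D7QCJUU+skTt"
    "sgFSJRrHfFlFUmD/B+7Os8s8YPuBIc+Sr9PaoqRlDhlCzLVV3hCz1IH+spmDjvBdD9GBCxRnU0cq6A2mXdNNolyh+Jlx8QA5AgMBAAGjggPzMIID7zAOBgNVHQ8BAf8EBAMCBaAwFwYDVR0gBBAwDjAMBgpghkgBZQMCAQUDMBEGCWCGSAGG+EIBAQQEAwIG"
    "QDATBgNVHSUEDDAKBggrBgEFBQcDATCCAQgGCCsGAQUFBwEBBIH7MIH4MDAGCCsGAQUFBzAChiRodHRwOi8vcGtpLnRyZWFzLmdvdi90b2NhX2VlX2FpYS5wN2MwgaAGCCsGAQUFBzAChoGTbGRhcDovL2xkYXAudHJlYXMuZ292L291PU9DSU8lMjBDQSxv"
    "dT1DZXJ0aWZpY2F0aW9uJTIwQXV0aG9yaXRpZXMsb3U9RGVwYXJ0bWVudCUyMG9mJTIwdGhlJTIwVHJlYXN1cnksbz1VLlMuJTIwR292ZXJubWVudCxjPVVTP2NBQ2VydGlmaWNhdGU7YmluYXJ5MCEGCCsGAQUFBzABhhVodHRwOi8vb2NzcC50cmVhcy5n"
    "b3YwewYDVR0RBHQwcoEcY3NhLXRlYW1AZmlzY2FsLnRyZWFzdXJ5LmdvdoIQcGtpLnRyZWFzdXJ5LmdvdoIQcGtpLmRpbWMuZGhzLmdvdoINcGtpLnRyZWFzLmdvdoEfZWNiLWhvc3RpbmdAZmlzY2FsLnRyZWFzdXJ5LmdvdjCCAYkGA1UdHwSCAYAwggF8"
    "MCegJaAjhiFodHRwOi8vcGtpLnRyZWFzLmdvdi9PQ0lPX0NBMy5jcmwwggFPoIIBS6CCAUekgZcwgZQxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxIzAhBgNVBAsTGkRlcGFydG1lbnQgb2YgdGhlIFRyZWFzdXJ5MSIwIAYDVQQL"
    "ExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRAwDgYDVQQLEwdPQ0lPIENBMRAwDgYDVQQDEwdDUkwxNDA5hoGqbGRhcDovL2xkYXAudHJlYXMuZ292L2NuPUNSTDE0MDksb3U9T0NJTyUyMENBLG91PUNlcnRpZmljYXRpb24lMjBBdXRob3JpdGllcyxv"
    "dT1EZXBhcnRtZW50JTIwb2YlMjB0aGUlMjBUcmVhc3VyeSxvPVUuUy4lMjBHb3Zlcm5tZW50LGM9VVM/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDtiaW5hcnkwKwYDVR0QBCQwIoAPMjAxNTA0MTAxNTU3MzhagQ8yMDE4MDQxMDE2MjczOFowHwYDVR0j"
    "BBgwFoAUohOo5cYHVGwkPU63Kyeip3Eata8wHQYDVR0OBBYEFLCGnBLCk5FM1GDjPtQ+bFom4NaPMBkGCSqGSIb2fQdBAAQMMAobBFY4LjEDAgOoMA0GCSqGSIb3DQEBCwUAA4IBAQBJaNGCj579wUfnR7td2hVTakKgebMtPX+H5hm0g67ucLfia9o5PGAo"
    "fHM+y0aP6LixG/gJ/3at1rkOslrY06EFLkPuKB5Io6Hr5++1nixKSHZd7esj9TRiQhRXhsyYjHYtIw0o3TO/TCQF2Ay7LLHWTI8QuhMNUMsXT2/7nPwSgIKXos77o4X0+tFw85tR69h8Eqv5PFH8AAr5DYqrp49IkjkIgEpes19hfM9x0gHjcIpVnm0W+fE+"
    "B0Nh65AH4o2Gu04L+hOq0Ond2RJOhFGd5g4vxgQLGNn9YCsCaEtMBxwwGfyEIZfQDBIMQWVLy/vEoJahxje3kRK4HOH6OJn5"
)
LEAF_DER = base64.b64decode(LEAF_B64)

OID_SAN = b"\x55\x1d\x11"                        # 2.5.29.17 subjectAltName
OID_AIA = b"\x2b\x06\x01\x05\x05\x07\x01\x01"    # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_OCSP = b"\x2b\x06\x01\x05\x05\x07\x30\x01"   # 1.3.6.1.5.5.7.48.1 (48.2 is caIssuers)


def read_tlv(buf, pos):
    # One DER TLV at pos -> (tag, value, next_pos). Low tag numbers and definite lengths only.
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                             # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    # Yield (tag, value) for each TLV directly inside a constructed value.
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val


def extensions(der):
    # Certificate -> tbsCertificate -> [3] Extensions, returned as {raw OID bytes: extnValue bytes}.
    tbs = next(children(read_tlv(der, 0)[1]))[1]
    exts = {}
    for tag, val in children(tbs):
        if tag == 0xA3:                           # context tag [3], EXPLICIT
            for _, ext in children(next(children(val))[1]):
                parts = list(children(ext))       # OID, optional BOOLEAN critical, OCTET STRING
                exts[parts[0][1]] = parts[-1][1]
    return exts


def leaf_names(der):
    # subjectAltName entries by type; these, not the CN, decide whether a host is covered.
    names = {"dns": [], "email": [], "uri": []}
    san = extensions(der).get(OID_SAN)
    if san:
        for tag, val in children(read_tlv(san, 0)[1]):
            key = {0x81: "email", 0x82: "dns", 0x86: "uri"}.get(tag)
            if key:
                names[key].append(val.decode("ascii"))
    return names


def aia_urls(der):
    # OCSP responder and caIssuers URIs: what a client must reach to build and check the path.
    urls = {"ocsp": [], "ca_issuers": []}
    aia = extensions(der).get(OID_AIA)
    if aia:
        for _, desc in children(read_tlv(aia, 0)[1]):
            (_, method), (tag, location) = children(desc)
            if tag == 0x86:                       # uniformResourceIdentifier (LDAP URIs included)
                urls["ocsp" if method == OID_OCSP else "ca_issuers"].append(location.decode("ascii"))
    return urls


def covers(hostname, dns_names):
    # Exact dNSName match, or a wildcard in the leftmost label only (RFC 6125 style).
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in dns_names):
        if name == host or (name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]):
            return True
    return False


def leaf_over(host, family, port=443, timeout=10):
    # Fetch the leaf over ONE address family with SNI set. Verification is off on purpose: we want
    # to see what is served, and getpeercert() without binary_form returns {} for an unverified peer.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    sockaddr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
    with socket.socket(family, socket.SOCK_STREAM) as raw:
        raw.settimeout(timeout)
        raw.connect(sockaddr)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "pki.treasury.gov"   # default host only
    seen = {}
    for family, label in ((socket.AF_INET, "IPv4"), (socket.AF_INET6, "IPv6")):
        try:
            seen[label] = der = leaf_over(host, family)
        except OSError as exc:
            print(f"{label}: no connection ({exc})")
            continue
        dns = leaf_names(der)["dns"]
        print(f"{label}: dns={dns} {'covers' if covers(host, dns) else 'DOES NOT cover'} {host}; ocsp={aia_urls(der)['ocsp']}")
    if len(set(seen.values())) > 1:
        print("WARNING: a different leaf certificate is served per address family")
```

Run it with the hostname as the only argument; it needs a dual-stack host before there is anything to compare. With OpenSSL 1.1.0 or later the same per-family probe can be done with `openssl s_client -4` and `-6`; the Python probe is here because, as noted in this thread, older s_client builds cannot connect over IPv6 at all. The DER walker only understands the definite-length, low-tag-number encoding used in X.509 certificates and does not check the signature or the chain, so its output is "what the server sent", not "what is valid"; the caIssuers and OCSP URLs it lists are the endpoints whose reachability over IPv6 the CRL/OCSP question above is really about.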
Creating this issue due to problems observed in Issue 2.
Example:
openssl s_client -connect test1.fpki.18f.gov:443 -servername test1.fpki.18f.gov
Re: Requests for CRLs and OCSP responses appear to yield different results if using IPv6 -vs- IPv4
@konklone Assuming the hostname test1 is intended to demonstrate the path to the Common Policy Root CA? (distributed via Microsoft, not Mozilla)